On 08/07/2010, at 18:36, nruth wrote:

> I'm setting up a PayPal IPN listener and need the create action to not
> use rails' default CSRF protection.
> 
> I've got that working fine & test it actually works with cucumber
> (where I've turned CSRF back on, since it's full-stack testing) but
> would like my controller spec to mention the need for
> protect_from_forgery :except => [:create] (and fail when it's not
> set).
> 
> I've not had any luck with telling the controller or
> ActionController::Base to use forgery protection in the spec and am a
> bit stuck.
> 
> Has anyone done this before, or do any of these look possible:
> 
> * reload the rails app for part of the spec, using a different rails
> initializer (i.e. without
> config.action_controller.allow_forgery_protection    = false as in
> environments/test.rb)
> * tell the controller to use forgery protection despite it being
> turned off in the rails test environment config (haven't had any luck
> with this so far).
> * have some specs split off from the main specs which run in a
> different rails environment, e.g. test-with-csrf rather than test.
> 
> versions: rails 2.3.8, rspec 1.3.0, rspec-rails 1.3.2
> 
> Any help or pointers to old topics would be greatly appreciated,
> google made this look a bit unexplored beyond "rails fixes csrf by
> default, turn off in tests".

I think Cucumber is the right level to test this at. But if you really, really 
want to test it at the RSpec level, take a look at what the 
protect_from_forgery method actually does:

  actionpack/lib/action_controller/metal/request_forgery_protection.rb

It boils down to this:

  before_filter :verify_authenticity_token, options

So you could introspect the controller and ask it what its before_filters are, 
and see if "verify_authenticity_token" is present or absent. But I fear it 
would require some ugly hacking via instance_variable_get, which is why I say 
that Cucumber is the right level to test this sort of thing on.

Cheers,
Wincent
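
Added example, not part of the original message and not Rails code: a stand-alone Ruby miniature of the filter registration described above, showing the check a spec would make (token check skipped for create only, and a failure when the exemption is missing). MiniController, csrf_checked? and both controller classes are hypothetical names.

```ruby
# Stand-alone miniature of the mechanism described above. This is NOT Rails:
# MiniController, csrf_checked? and both controllers are hypothetical.
class MiniController
  class << self
    # Each controller class keeps its own list of [method, options] pairs.
    def filters
      @filters ||= []
    end

    def before_filter(name, options = {})
      filters << [name, normalize(options)]
    end

    # Same shape as the line quoted in the message.
    def protect_from_forgery(options = {})
      before_filter :verify_authenticity_token, options
    end

    # True when the token check would run before the given action.
    def csrf_checked?(action)
      filters.any? do |name, opts|
        next false unless name == :verify_authenticity_token
        next false if opts[:except].include?(action.to_s)
        opts[:only].empty? || opts[:only].include?(action.to_s)
      end
    end

    private

    # Store :only / :except as arrays of action-name strings.
    def normalize(options)
      { :only   => Array(options[:only]).map(&:to_s),
        :except => Array(options[:except]).map(&:to_s) }
    end
  end
end

# Intended configuration: only the IPN callback is exempt.
class IpnController < MiniController
  protect_from_forgery :except => [:create]
end

# Constructed counter-case: the exemption was forgotten.
class ForgetfulIpnController < MiniController
  protect_from_forgery
end
```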



_______________________________________________
rspec-users mailing list
rspec-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/rspec-users