On 2010-07-08 12:15 PM, Wincent Colaiuta wrote:
El 08/07/2010, a las 18:36, nruth escribió:
I'm setting up a Paypal IPN listener and need the create action to not
use rails' default CSRF protection.
I've got that working fine& test it actually works with cucumber
(where I've turned CSRF back on, since it's full-stack testing) but
would like my controller spec to mention the need for
protect_from_forgery :except => [:create] (and fail when it's not
set).
I've not had any luck with telling the controller or
ActionController::Base to use forgery protection in the spec and am a
bit stuck.
Has anyone done this before, or do any of these look possible:
* reload the rails app for part of the spec, using a different rails
initializer (i.e. without
config.action_controller.allow_forgery_protection = false as in
environments/test.rb)
* tell the controller to use forgery protection despite it being
turned off in the rails test environment config (haven't had any luck
with this so far).
* have some specs split off from the main specs which run in a
different rails environment, e.g. test-with-csrf rather than test.
versions: rails 2.3.8, rspec 1.3.0, rspec-rails 1.3.2
Any help or pointers to old topics would be greatly appreciated,
google made this look a bit unexplored beyond "rails fixes csrf by
default, turn off in tests".
I think Cucumber is the right level to test this at. But if you really, really
want to test it at the RSpec level, take a look at what the
protect_from_forgery method actually does:
actionpack/lib/action_controller/metal/request_forgery_protection.rb
It boils down to this:
before_filter :verify_authenticity_token, options
So you could introspect the controller and ask it what its before_filters are, and see if
"verify_authenticity_token" is present or absent. But I fear it would require
some ugly hacking via instance_variable_get, which is why I say that Cucumber is the
right level to test this sort of thing on.
Actually, it's not that difficult. I have a macro (or whatever the
proper term is) to spec the existence of before_filters. It looks like:
def should_have_before_filters(*filters)
filters.each do |filter|
it "should have before_filter #{filter}" do
controller.class.before_filters.should include(filter)
end
end
end
alias_method :should_have_before_filter, :should_have_before_filters
This is RSpec 1.3.x for Rails 2.3.x. I have no idea if this will work in
RSpec 2.x and Rails 3.
Peace,
Phillip
_______________________________________________
rspec-users mailing list
rspec-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/rspec-users
