10.2 protect pages.

最新推荐文章于 2024-07-06 11:03:12 发布
最新推荐文章于 2024-07-06 11:03:12 发布
阅读量103 收藏
点赞数
分类专栏: ruby and rails 文章标签: 测试
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/midfinger/article/details/84048084
版权

 

again, we will start from TDD!!!

 

 

1. since both edit and update need the same authentication, we can put their test together:

  describe "authentication of edit/update pages" do
    before(:each) do
      @user = Factory(:user)
    end
    describe "for not signed-in users" do
      it "should redirect to sign in page" do
        get :edit, :id => @user
        response.should redirect_to signin_path
      end
      it "should deny access to update" do
        put :update, :id => @user, :user => {}
        response.should redirect_to signin_path
      end
    end
  end
 
2. we will add before_filter to user controller to make this test pass: 
class UsersController < ApplicationController
  before_filter :authenticate, :only => [:edit, :update]
  .
  private

    def authenticate
      deny_access unless signed_in?
    end
end
 
we still need to define the deny_access method, since it is kind of authentication, I'll put it into session helper: 

def deny_access
  redirect_to signin_path, :notice => "please sign in first."
end
 note, this line of code is equivalent with two 
flash[:notice] = ""
redirect_to signin_path
 you can also use: 
redirect_to signin_path, :alert => "fdsfdsfsdf"
 but you can't use :success or :error in this contruction.

3. except need of user to sign in, we still need to make sure current user can't edit other user info.

start from TDD again!!! 
describe UsersController do
  render_views
  .
  .
  .
  describe "authentication of edit/update pages" do
    .
    .
    .
    describe "for signed-in users" do

      before(:each) do
        wrong_user = Factory(:user, :email => "user@example.net")
        test_sign_in(wrong_user)
      end

      it "should require matching users for 'edit'" do
        get :edit, :id => @user
        response.should redirect_to(root_path)
      end

      it "should require matching users for 'update'" do
        put :update, :id => @user, :user => {}
        response.should redirect_to(root_path)
      end
    end
  end
end
 
4. now to make the test pass, we need to add a new before filter to user controller. 
class UsersController < ApplicationController
  before_filter :authenticate, :only => [:edit, :update]
  before_filter :correct_user, :only => [:edit, :update]
  .
  .
  .
  def edit
    @title = "Edit user"
  end
  .
  .
  .
  private

    def authenticate
      deny_access unless signed_in?
    end

    def correct_user
      @user = User.find(params[:id])
      redirect_to(root_path) unless current_user?(@user)
    end
end
  
module SessionsHelper
  .
  .
  .
  def current_user?(user)
    user == current_user
  end

  def deny_access
    redirect_to signin_path, :notice => "Please sign in to access this page."
  end

  private
    .
    .
    .
end
 
now we have make our site very safe.

5. now we are doing some useful thing:

if a unsigned in user try to visit a protected page, he is redirected to the sign in page, then after he sign in, he is always redirected to the profile page, what we want is to redirect the user to the page he was trying to visit.

this is a very good work flow to be tested by the integration test!

so let's write a integration test for this flow first. 
require 'spec_helper'

describe "FriendlyForwardings" do

  it "should forward to the requested page after signin" do
    user = Factory(:user)
    visit edit_user_path(user)
    # The test automatically follows the redirect to the signin page.
    fill_in :email,    :with => user.email
    fill_in :password, :with => user.password
    click_button
    # The test follows the redirect again, this time to users/edit.
    response.should render_template('users/edit')
  end
end
 
you may wondering, why I use 
should render_template()
instead of 
should redirect_to()

because, in integration test, it will follow the redirect, so response.should redirect_to will not work.

6. next, we will do the implementation to make the test pass.
how do we do this?
a. since http is stateless, we have to use session to store the requested url in last request, then get it from session in the new request.(the things in session will expire when browser close.)
b. we will use the request object to get the url. 

module SessionsHelper
  .
  .
  .
  def deny_access
    store_location
    redirect_to signin_path, :notice => "Please sign in to access this page."
  end

  def redirect_back_or(default)
    redirect_to(session[:return_to] || default)
    clear_return_to
  end

  private
    .
    .
    .
    def store_location
      session[:return_to] = request.fullpath
    end

    def clear_return_to
      session[:return_to] = nil
    end
end
 



midfinger
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
01.CCNA 200-301 题库_1-50
JonasWolfxin
08-29 3468
CCNA 考试题库
02.CCNA 200-301 题库_51-100
JonasWolfxin
08-29 2261
CCNA 考试题库
ART异常处理机制(2) - StackOverflowError 实现
大将军王虎剩的专栏
11-22 4110
在本篇介绍 StackOverflowError 在 ART种的实现。 在 ART异常处理1 中,我们已经知道了 ART会注册信号处理函数,优先尝试处理 SIGSEGV信号。ART中总共又 4 种 handler 享有优先处理 SIGSEGV信号的权利。今天我们主要分析下 StackOverflowHandler以及 StackOverflowError的检测以及抛出。 先看下StackOve
newer RPMS
漂流~~~~
01-10 2325
Index of /rpm Name Last modified Size Description Parent Directory
IBM Software Requirements and PTFs for AIX 5.3 support of Oracle Database 10g Release 2 (10.2.0.1 or higher)
爱肯的专栏
10-11 7543
IBM Software Requirements and PTFs for AIX 5.3 support of Oracle Database 10g Release 2 (10.2.0.1 or higher)
LXC之.conf配置文件详解
暧暧远人村,依依墟里烟 ...
06-19 5078
作者: UBUNTU manpages 来源: http://manpages.ubuntu.com/manpages/disco/en/man5/lxc.container.conf.5.html DESCRIPTION LXC is the well-known and heavily tested low-level Linux container runtime. It is in...
HBase 官方文档0.97.0
热门推荐
厚积而薄发
05-29 1万+
HBase     官方文档中文版0.97.0 Copyright © 2012 Apache Software Foundation。保留所有权利。 Apache Hadoop, Hadoop, MapReduce, HDFS, Zookeeper, HBase 及 HBase项目 logo 是Apache Software Foundation的商标。
WAITEVENT: “latch: row cache objects“ Reference Note (文档 ID 1550722.1)
最新发布
Dav_2099的博客
07-06 546
eg:;eg:;eg:SELECT;ORDER BY 1;
15.2. InnoDB存储引擎
最实用的Linux博客
09-22 3116
原贴:http://doc.mysql.cn/mysql5/refman-5.1-zh.html-chapter/storage-engines.html#innodb-overview15.2. InnoDB存储引擎15.2.1. InnoDB概述15.2.2. InnoDB联系信息15.2.3. InnoDB配置15.2.4. InnoDB启动选项15.2.5. 创
ojdbc14-10.2.0.2.0.jar.zip
07-22
标题中的"ojdbc14-10.2.0.2.0.jar.zip"是一个包含Oracle JDBC驱动程序的压缩文件,主要用于在Java应用程序中连接到Oracle数据库。Oracle JDBC驱动程序,也称为Oracle Thin Driver,是Java开发人员用来与Oracle数据库...
ojdbc14-10.2.0.1.0.jar
11-03
ojdbc14-10.2.0.1.0.jar是Oracle数据库连接驱动的一个版本,主要用于Java应用程序与Oracle数据库之间的交互。Oracle JDBC驱动程序,全称为Java Database Connectivity,是Oracle公司提供的Java API,它允许Java应用...
BlueSoleil_千月蓝牙10.2.497.0开心版
12-03
BlueSoleil_千月蓝牙10.2.497.0开心版,安装后就可以开心的使用了。压缩包内有安装说明,建议安装后进设置关闭界面上的广告,这样看起来就更加舒心了。推荐给你使用。
Oracle 10g 最后的PSU-10.2.0.5.19-补丁 p20299014_10205_Linux-x86-64.zip
01-13
Oracle 10g数据库系统是Oracle公司发布的一款企业级数据库管理系统,版本10.2.0.5是其中的一个重要更新。"PSU"代表"Patch Set Update",是Oracle提供的一种更新机制,用于合并一系列安全修复、性能优化和功能增强。...
ojdbc14-10.2.0.3.0.jar
06-13
标题中的"ojdbc14-10.2.0.3.0.jar"是指Oracle JDBC驱动的一个特定版本,这是Oracle数据库与Java应用程序进行交互的重要组件。Oracle JDBC驱动程序允许Java开发者编写程序,以便连接到Oracle数据库,执行SQL查询,...
6.3 make model, view, controller work together.
peryt
10-09 4612
1. let's start to console without --sandbox param to create some record into our database:     rails console User.create!(:name =&gt; "china zhang", :email =&gt; "china@china.com")  to see if t...
12.2 a web interface for following and followers.
peryt
10-28 339
1.before we do the UI, we need to populate database. we will write a rake task to do this:     namespace :db do desc "populate database" task :populate =&gt; :environment do Rake:Task["...
8.1 sign up form
peryt
10-11 324
chapter 8.1   1. let's first make a branch for the sign up chapter: git checkout -b signing-up   2. also reset the database: rake db:reset   3. we already got two basic test for new action in ...
6.2 user validations
peryt
09-13 258
1. ok, let's add validations to our models: a. name should not be blank. b. email should follow email format. c. email should be unique.   2. there are some common validations: validates pressen...
adsklicensing-installer.exe10.2.0.4231.zip
09-07
adsklicensing-installer.exe10.2.0.4231.zip 是一个文件压缩包,里面包含了 adsklicensing-installer.exe10.2.0.4231 这个可执行文件。这个文件用于在计算机上安装和管理 Autodesk 产品的许可证信息。当用户希望...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值