Rails%203%20In%20Action

More documents

Recommendations

Info

Locking down states /[id]/comments (where[id] is the id of the ticket this form will create a comment for), and this route will take you to the create action inside CommentsController. Let’s open this saved page in a browser now, fill in the text for the comment with anything, and select a value for the state. When you submit this form, it will create a comment and set the state. You should see your comment showing the state transition, as shown in figure 10.17. Obviously, hiding the state field isn’t a foolproof way to protect it. A better way to protect this attribute would be to delete it from the parameters before it gets to the method that creates a new comment. 10.5.4 Ignoring a parameter If you remove the state_id key from the comment parameters before they’re passed to the build method in the create action for CommentsController, then this problem won’t happen. You should write a regression test. Regression tests are tests that save you from causing regressions. You now open spec/controllers/comments_controller_spec.rb and set up a project, ticket, state, and user for the spec you’re about to write by putting the code from the following listing inside the describe CommentsController block. Listing 10.30 spec/controllers/comments_controller_spec.rb let(:user) { create_user! } let(:project) { Project.create!(:name => "Ticketee") } let(:ticket) do project.tickets.create(:title => "State transitions", :description => "Can't be hacked.", :user => user) end let(:state) { State.create!(:name => "New") } The state you create is the one you’ll attempt to transition to in your spec, with the ticket’s default state being not set, and therefore nil. The user you set up is the user you use to sign in and change the state with. This user has no permissions at the moment and so they won’t be able to change the states. Your spec needs to make sure that a change doesn’t take place when a user who doesn’t have permission to change the status of a ticket for that ticket’s project submits a state_id parameter. You put this code, shown in the next listing, directly underneath the setup you just wrote. Listing 10.31 spec/controllers/comments_controller_spec.rb context "a user without permission to set state" do before do sign_in(:user, user) end 283 Figure 10.17 Hacked state transition
284 CHAPTER 10 Tracking state it "cannot transition a state by passing through state_id" do post :create, { :comment => { :text => "Hacked!", :state_id => state.id }, :ticket_id => ticket.id } ticket.reload B Reload Ticket object ticket.state.should eql(nil) end end This spec uses a before to sign in as the user before the example runs. Inside the example, you use the post method to make a POST request to the create action inside CommentsController, passing in the specified parameters. It’s this state_id parameter that should be ignored in the action. After the post method, you use a new method :reload B. When you call reload on an Active Record object, it will fetch the object again from the database and update the attributes for it. You use this because the create action acts on a different Ticket object and doesn’t touch the one you’ve set up for your spec. The final line here asserts that the ticket.state should be nil. When you run this spec by running bundle exec rspec spec/controllers/comments_controller _spec.rb, this final line will be the one to fail: Failure/Error: ticket.state.should eql(nil) expected nil got # The ticket.state is returning a state object because the user has been able to post it through the parameter hash. With a failing spec now in place, you can go about stopping this state parameter from going unchecked. To ignore this parameter, you can remove it from the params hash if the user doesn’t have permission to change states. At the top of the create action, inside of CommentsController, put the following lines: if cannot?(:"change states", @ticket.project) params[:comment].delete(:state_id) end This code will remove the state_id key from the params[:comment] hash if the user doesn’t have permission to change the states on the ticket’s project, thereby preventing them from being able to change the state. If you rerun your spec using bin/rspec spec /controllers/comments_controller_spec.rb, you’ll see that it passes: 1 example, 0 failures Great! Now nobody without permission will be able to download the ticket page, make modifications to it to add a state field, and then be able to change the states. You’re done with this feature now so it’s time to make sure you didn’t break anything with your changes by running rake cucumber:ok spec. You should see that everything is squeaky clean:
Page 1 and 2:
IN ACTION Ryan Bigg Yehuda Katz MAN
Page 4 and 5:
Rails 3 in Action RYAN BIGG YEHUDA
Page 6:
1 ■ Ruby on Rails, the framework
Page 9 and 10:
viii 3 4 5 6 CONTENTS Developing a
Page 11 and 12:
x 9 10 CONTENTS 8.5 Restricting wri
Page 13 and 14:
xii 13 14 CONTENTS 12.2 Subscribing
Page 15 and 16:
xiv 18 CONTENTS 17.4 Setting up a t
Page 17 and 18:
xvi PREFACE cover. It also takes a
Page 19 and 20:
xviii ACKNOWLEDGMENTS gnarly ePub R
Page 21 and 22:
xx about this book Ruby on Rails is
Page 23 and 24:
xxii ABOUT THIS BOOK By chapter 16,
Page 25 and 26:
about the cover illustration The fi
Page 27 and 28:
2 CHAPTER 1 Ruby on Rails, the fram
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
10 CHAPTER 1 Ruby on Rails, the fra
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
24 CHAPTER 2 Testing saves your bac
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
This chapter covers � Building th
Page 71 and 72:
46 CHAPTER 3 Developing a real Rail
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
84 CHAPTER 4 Oh CRUD! 4.1.1 Writing
Page 111 and 112:
86 CHAPTER 4 Oh CRUD! Aha! You’re
Page 113 and 114:
88 CHAPTER 4 Oh CRUD! 4.2 Editing p
Page 115 and 116:
90 CHAPTER 4 Oh CRUD! 4.2.2 The upd
Page 117 and 118:
92 CHAPTER 4 Oh CRUD! 4.3.1 Writing
Page 119 and 120:
94 CHAPTER 4 Oh CRUD! Figure 4.1 Ac
Page 121 and 122:
96 CHAPTER 4 Oh CRUD! F When the te
Page 123 and 124:
98 CHAPTER 4 Oh CRUD! functionality
Page 125 and 126:
100 CHAPTER 5 Nested resources New
Page 127 and 128:
102 CHAPTER 5 Nested resources an e
Page 129 and 130:
104 CHAPTER 5 Nested resources 5.1.
Page 131 and 132:
106 CHAPTER 5 Nested resources Then
Page 133 and 134:
108 CHAPTER 5 Nested resources Grea
Page 135 and 136:
110 CHAPTER 5 Nested resources see
Page 137 and 138:
112 CHAPTER 5 Nested resources The
Page 139 and 140:
114 CHAPTER 5 Nested resources Agai
Page 141 and 142:
116 CHAPTER 5 Nested resources show
Page 143 and 144:
118 CHAPTER 6 Authentication and ba
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
This chapter covers � Adding an a
Page 163 and 164:
138 CHAPTER 7 Basic access control
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
This chapter covers � Expanding w
Page 191 and 192:
166 CHAPTER 8 More authorization Un
Page 193 and 194:
168 CHAPTER 8 More authorization pe
Page 195 and 196:
170 CHAPTER 8 More authorization Th
Page 197 and 198:
172 CHAPTER 8 More authorization ..
Page 199 and 200:
Page 201 and 202:
176 CHAPTER 8 More authorization 8.
Page 203 and 204:
178 CHAPTER 8 More authorization Re
Page 205 and 206:
180 CHAPTER 8 More authorization Cr
Page 207 and 208:
Page 209 and 210:
184 CHAPTER 8 More authorization De
Page 211 and 212:
186 CHAPTER 8 More authorization De
Page 213 and 214:
188 CHAPTER 8 More authorization To
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
194 CHAPTER 8 More authorization Yo
Page 221 and 222:
196 CHAPTER 8 More authorization cu
Page 223 and 224:
198 CHAPTER 8 More authorization
Page 225 and 226:
Page 227 and 228:
202 CHAPTER 8 More authorization Li
Page 229 and 230:
204 CHAPTER 8 More authorization
Page 231 and 232:
206 CHAPTER 8 More authorization Si
Page 233 and 234:
208 CHAPTER 8 More authorization Li
Page 235 and 236:
Page 237 and 238:
212 CHAPTER 8 More authorization 45
Page 239 and 240:
214 CHAPTER 9 File uploading By pro
Page 241 and 242:
216 CHAPTER 9 File uploading that t
Page 243 and 244:
218 CHAPTER 9 File uploading remove
Page 245 and 246:
220 CHAPTER 9 File uploading This f
Page 247 and 248:
222 CHAPTER 9 File uploading asset
Page 249 and 250:
224 CHAPTER 9 File uploading 9.2.2
Page 251 and 252:
226 CHAPTER 9 File uploading you ha
Page 253 and 254:
228 CHAPTER 9 File uploading sign_i
Page 255 and 256:
230 CHAPTER 9 File uploading When y
Page 257 and 258: 232 CHAPTER 9 File uploading You co
Page 259 and 260: 234 CHAPTER 9 File uploading The /a
Page 261 and 262: 236 CHAPTER 9 File uploading When y
Page 263 and 264: 238 CHAPTER 9 File uploading Open a
Page 265 and 266: 240 CHAPTER 9 File uploading This i
Page 267 and 268: 242 CHAPTER 9 File uploading After
Page 269 and 270: 244 CHAPTER 10 Tracking state used,
Page 271 and 272: 246 CHAPTER 10 Tracking state group
Page 273 and 274: 248 CHAPTER 10 Tracking state Listi
Page 275 and 276: 250 CHAPTER 10 Tracking state end @
Page 277 and 278: 252 CHAPTER 10 Tracking state With
Page 279 and 280: 254 CHAPTER 10 Tracking state which
Page 281 and 282: 256 CHAPTER 10 Tracking state The f
Page 283 and 284: 258 CHAPTER 10 Tracking state class
Page 289 and 290: 264 CHAPTER 10 Tracking state Good,
Page 291 and 292: 266 CHAPTER 10 Tracking state You c
Page 293 and 294: 268 CHAPTER 10 Tracking state You h
Page 295 and 296: 270 CHAPTER 10 Tracking state You
Page 301 and 302: 276 CHAPTER 10 Tracking state def m
Page 303 and 304: 278 CHAPTER 10 Tracking state 10.5
Page 305 and 306: 280 CHAPTER 10 Tracking state 33 of
Page 307: 282 CHAPTER 10 Tracking state 10.5.
Page 311 and 312: This chapter covers � Tagging spe
Page 313 and 314: 288 CHAPTER 11 Tagging And I press
Page 315 and 316: 290 CHAPTER 11 Tagging To define th
Page 317 and 318: 292 CHAPTER 11 Tagging 11.2 Adding
Page 319 and 320: 294 CHAPTER 11 Tagging 11.2.2 Fixin
Page 321 and 322: 296 CHAPTER 11 Tagging Because the
Page 323 and 324: 298 CHAPTER 11 Tagging ment from th
Page 325 and 326: 300 CHAPTER 11 Tagging true, :url
Page 327 and 328: 302 CHAPTER 11 Tagging get there pr
Page 329 and 330: 304 CHAPTER 11 Tagging And I follow
Page 331 and 332: 306 CHAPTER 11 Tagging The :from op
Page 333 and 334: 308 CHAPTER 11 Tagging This is beca
Page 335 and 336: 310 CHAPTER 11 Tagging into this:
Page 337 and 338: This chapter covers � Sending ema
Page 339 and 340: 314 CHAPTER 12 Sending email To tes
Page 341 and 342: 316 CHAPTER 12 Sending email Let’
Page 343 and 344: 318 CHAPTER 12 Sending email Now th
Page 345 and 346: 320 CHAPTER 12 Sending email the em
Page 347 and 348: 322 CHAPTER 12 Sending email Great
Page 349 and 350: 324 CHAPTER 12 Sending email messag
Page 351 and 352: 326 CHAPTER 12 Sending email A B cr
Page 353 and 354: 328 CHAPTER 12 Sending email Next,
Page 355 and 356: 330 CHAPTER 12 Sending email As usu
Page 357 and 358: 332 CHAPTER 12 Sending email When y
Page 359 and 360:
334 CHAPTER 12 Sending email applic
Page 361 and 362:
336 CHAPTER 12 Sending email Listin
Page 363 and 364:
338 CHAPTER 12 Sending email To ins
Page 365 and 366:
340 CHAPTER 12 Sending email 12.4 R
Page 367 and 368:
342 CHAPTER 12 Sending email 12.4.2
Page 369 and 370:
344 CHAPTER 12 Sending email When y
Page 371 and 372:
346 CHAPTER 12 Sending email By sen
Page 373 and 374:
348 CHAPTER 13 Designing an API One
Page 375 and 376:
350 CHAPTER 13 Designing an API cri
Page 377 and 378:
352 CHAPTER 13 Designing an API RSp
Page 379 and 380:
354 CHAPTER 13 Designing an API ] }
Page 381 and 382:
356 CHAPTER 13 Designing an API In
Page 383 and 384:
358 CHAPTER 13 Designing an API Boo
Page 385 and 386:
360 CHAPTER 13 Designing an API 13.
Page 387 and 388:
362 CHAPTER 13 Designing an API Thi
Page 389 and 390:
364 CHAPTER 13 Designing an API err
Page 391 and 392:
366 CHAPTER 13 Designing an API To
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
372 CHAPTER 13 Designing an API @pr
Page 399 and 400:
374 CHAPTER 13 Designing an API The
Page 401 and 402:
376 CHAPTER 13 Designing an API Lis
Page 403 and 404:
378 CHAPTER 13 Designing an API You
Page 405 and 406:
Page 407 and 408:
382 CHAPTER 13 Designing an API you
Page 409 and 410:
384 CHAPTER 13 Designing an API git
Page 411 and 412:
386 CHAPTER 14 Deployment done. Thi
Page 413 and 414:
388 CHAPTER 14 Deployment useradd -
Page 415 and 416:
390 CHAPTER 14 Deployment rvm group
Page 417 and 418:
392 CHAPTER 14 Deployment To be as
Page 419 and 420:
394 CHAPTER 14 Deployment service s
Page 421 and 422:
396 CHAPTER 14 Deployment 14.5.1 De
Page 423 and 424:
398 CHAPTER 14 Deployment The final
Page 425 and 426:
400 CHAPTER 14 Deployment With the
Page 427 and 428:
402 CHAPTER 14 Deployment executing
Page 429 and 430:
404 CHAPTER 14 Deployment The first
Page 431 and 432:
406 CHAPTER 14 Deployment You can e
Page 433 and 434:
408 CHAPTER 14 Deployment Once Rail
Page 435 and 436:
410 CHAPTER 14 Deployment This mean
Page 437 and 438:
This chapter covers � Authenticat
Page 439 and 440:
414 CHAPTER 15 Alternative authenti
Page 441 and 442:
Page 443 and 444:
Page 445 and 446:
Page 447 and 448:
Page 449 and 450:
Page 451 and 452:
Page 453 and 454:
Page 455 and 456:
Page 457 and 458:
Page 459 and 460:
This chapter covers � Implementin
Page 461 and 462:
436 CHAPTER 16 Basic performance en
Page 463 and 464:
Page 465 and 466:
Page 467 and 468:
Page 469 and 470:
Page 471 and 472:
Page 473 and 474:
Page 475 and 476:
Page 477 and 478:
Page 479 and 480:
Page 481 and 482:
Page 483 and 484:
Page 485 and 486:
Page 487 and 488:
Page 489 and 490:
Page 491 and 492:
Page 493 and 494:
This chapter covers � The importa
Page 495 and 496:
470 CHAPTER 17 Engines copy over as
Page 497 and 498:
472 CHAPTER 17 Engines With that sa
Page 499 and 500:
474 CHAPTER 17 Engines Obviously, y
Page 501 and 502:
476 CHAPTER 17 Engines This file’
Page 503 and 504:
478 CHAPTER 17 Engines 2. Goes thro
Page 505 and 506:
480 CHAPTER 17 Engines This is real
Page 507 and 508:
482 CHAPTER 17 Engines s.add_develo
Page 509 and 510:
484 CHAPTER 17 Engines The click_li
Page 511 and 512:
486 CHAPTER 17 Engines This code ha
Page 513 and 514:
488 CHAPTER 17 Engines You’re mis
Page 515 and 516:
490 CHAPTER 17 Engines NOTE We’re
Page 517 and 518:
492 CHAPTER 17 Engines 17.5.8 Showi
Page 519 and 520:
494 CHAPTER 17 Engines Listing 17.9
Page 521 and 522:
496 CHAPTER 17 Engines Note that th
Page 523 and 524:
498 CHAPTER 17 Engines your applica
Page 525 and 526:
500 CHAPTER 17 Engines 17.7.2 A fak
Page 527 and 528:
502 CHAPTER 17 Engines forem_user;
Page 529 and 530:
504 CHAPTER 17 Engines You don’t
Page 531 and 532:
506 CHAPTER 17 Engines This is the
Page 533 and 534:
508 CHAPTER 17 Engines Because you
Page 535 and 536:
510 CHAPTER 17 Engines Listing 17.1
Page 537 and 538:
512 CHAPTER 17 Engines 17.8 Releasi
Page 539 and 540:
514 CHAPTER 17 Engines This task ac
Page 541 and 542:
This chapter covers � Building a
Page 543 and 544:
518 CHAPTER 18 Rack-based applicati
Page 545 and 546:
Page 547 and 548:
Page 549 and 550:
Page 551 and 552:
Page 553 and 554:
Page 555 and 556:
Page 557 and 558:
Page 559 and 560:
Page 561 and 562:
Page 563 and 564:
Page 565 and 566:
Page 567 and 568:
542 APPENDIX A Why Rails? it helps
Page 569 and 570:
544 APPENDIX A Why Rails? with thei
Page 571 and 572:
546 appendix B Tidbits This appendi
Page 573 and 574:
548 APPENDIX B Tidbits You should g
Page 576 and 577:
Special characters and numbers $ fu
Page 578 and 579:
authentication (continued) OAuth, 4
Page 580 and 581:
CSRF (cross-site request forgery) a
Page 582 and 583:
find_or_create_for_twitter method,
Page 584 and 585:
last_post method, 510 last_ticket m
Page 586 and 587:
Project.for method, 531 projects, 5
Page 588 and 589:
searching by state, 305-309 testing
Page 590 and 591:
toggle_watching_button method, 330
Page 592:
WEB DEVELOPMENT/RUBY R ails Rails 3
show all

Rails%203%20In%20Action

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?