Best way to test before_action of parent controller with MiniTest - ruby-on-rails

I have a subscribers section in my application with several controllers which inherited from Subscribers::BaseController
Subscribers::BaseController has a before_action :require_subscription
class Subscribers::BaseController < ApplicationController
before_action :require_subscription, if: :require_subscription?
private
def require_subscription
RequireSubscriptionService.call(current_user)
end
def require_subscription?
# several conditions
end
end
And other controllers for example
class Subscribers::EventsController < Subscribers::BaseController
skip_before_action :require_subscription, only: :other_action
def index
end
def show
end
def other_action
end
end
What is the best way to test, that before_action :require_subscription will be called if it necessary in each action with MiniTest
Usually I use Rspec, and I can use expect matcher in this case
For example
describe 'Subscribers::EventsController' do
describe '.index' do
expect_any_instance_of(described_class).to receive(:require_subscription).and_return(:return_value)
subject
end
describe '.other_action' do
expect_any_instance_of(described_class).not_to receive(:require_subscription)
subject
end
end
But how to test this stuff with MiniTest?

Related

Rails 5, pundit authorization

Pundit works well, if action has resources like:
class Admin::PagesController << ApplicationController
def index
#pages = Page.all
end
end
How to authorise method without any resources in action?
class Admin::DashboardController << ApplicationController
def index
end
end
I hav file policies/admin/dashboard_policy.rb
class Admin::DashboardPolicy < ApplicationPolicy
class Scope < Scope
def resolve
scope.all
end
end
end
This file was generated by command:
rails g pundit:policy Admin/Dashboard
File views/admin/index.html.slim has only static text. Nothing more.
How to authorise action without any resources?
Regards
Sssebaaa
To authorize without a scope or model instance call authorize with a symbol or array of symbols (when namespaced):
class Admin::DashboardController << ApplicationController
def index
authorize [:admin, :dashboard]
end
end
This will call the #index? method on the policy class:
class Admin::DashboardPolicy < ApplicationPolicy
def index?
user.admin?
end
end
You can also remove the scope completely from your policy.
If you don't have any callbacks checking that the policy is scoped, as pundit doc suggests, like
class ApplictationController < ActionController::Base
include Pundit
after_action :verify_policy_scoped, only: :index
end
You don't have anything to do.
However if you do have a callback, you can just skip it in your controller action like this:
class Admin::DashboardController << ApplicationController
skip_after_action :verify_policy_scoped, only: [:index]
def index
end
end

Context is always nil using jsonapi-resources

Using version 0.6.0 of the jsonapi-resources gem in conjuction with Doorkeeper I am having a problem seeing the current user in the context object in my resource.
I am basically following the docs, however nothing I try will make the context I set in ApplicationController visible in the resource's fetchable_fields method. I did confirm that context is actually being set in my ApplicationController.
Here is what I have
ApplicationController
class ApplicationController < JSONAPI::ResourceController
protect_from_forgery with: :null_session
def context
{current_user: current_user}
end
end
Controller
class Api::ItemsController < ApplicationController
prepend_before_action :doorkeeper_authorize!
end
Resource
class Api::ItemResource < JSONAPI::Resource
# attributes
def fetchable_fields
# context is always nil here
if (context[:current_user].guest)
super - [:field_i_want_private]
else
super
end
end
end
Well, using the jsonapi-utils gem – that is created on top of jsonapi-resources – you would write something like this:
ApplicationController:
class ApplicationController < JSONAPI::ResourceController
include JSONAPI::Utils
protect_from_forgery with: :null_session
end
ItemsController:
class API::ItemsController < ApplicationController
prepend_before_action :doorkeeper_authorize!
before_action :load_user
def index
jsonapi_render json: #user.items
end
private
def load_user
#user = User.find(params[:id])
end
end
No need to define context :-)
I hope it helps you. Cheers!
Taking your example, here is my solution
Resource
class Api::ItemResource < JSONAPI::Resource
# attributes
def fetchable_fields
# context is always nil here
if (context[:current_user].guest)
super - [:field_i_want_private]
else
super
end
end
# upgrade
def self.create(context)
# You can use association here but not with association table
# only works when `id` is inside the table of the resource
ItemResource.new(Item.new, context)
end
before_save do
# Context is now available with `self.context`
self.context[:current_user]
end
end
You do not need a context method in the ApplicationController. The context is actually available in the Resource class through the framework. In your resource, you can access:
#context[:current_user]

Rails simple access control

I am aware that several gems are made to handle authorization in Rails. But is it really worth it to use these gems for simple access controls ?
I only have a few "roles" in my application, and I feel that a powerful gem would be useless and even slow down the response time.
I have already implemented a solution, but then I took some security classes (:p) and I realized my model was wrong ("Allow by default, then restrict" instead of "Deny by default, then allow").
Now how can I simply implement a "deny by default, allow on specific cases" ?
Basically I'd like to put at the very top of my ApplicationController
class ApplicationController < ApplicationController::Base
before_filter :deny_access
And at the very top of my other controllers :
class some_controller < ApplicationController
before_filter :allow_access_to_[entity/user]
These allow_access_to_ before_filters should do something like skip_before_filter
def allow_access_to_[...]
skip_before_filter(:deny_access) if condition
end
But this doesn't work, because these allow_access before filters are not evaluated before the deny_access before_filter
Any workaround, better solution for this custom implementation of access control ?
EDIT
Many non-RESTful actions
I need per-action access control
undefined method 'skip_before_filter' for #<MyController... why ?
My before_filters can get tricky
before_action :find_project, except: [:index, :new, :create]
before_action(except: [:show, :index, :new, :create]) do |c|
c.restrict_access_to_manager(#project.manager)
end
I would really advise using a proper battle tested gem for authentication & authorisation instead of rolling your own. These gems have enormous test suites and aren't really all that hard to setup.
I've recently implemented an action based authorization using roles with Pundit & Devise
Devise is changeable as long as the gem you are using provides a current_user method if you don't want to further configure pundit.
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
include Pundit
rescue_from Pundit::NotAuthorizedError, with: :rescue_unauthorized
# Lock actions untill authorization is performed
before_action :authorize_user
# Fallback when not authorized
def rescue_unauthorized(exception)
policy_name = exception.policy.class.to_s.underscore
flash[:notice] = t(
"#{policy_name}.#{exception.query}",
scope: "pundit",
default: :default
)
redirect_to(request.referrer || root_path)
end
end
# app/models/user.rb
class User < ActiveRecord::Base
has_many :roles, through: :memberships
def authorized?(action)
claim = String(action)
roles.pluck(:claim).any? { |role_claim| role_claim == claim }
end
end
# app/policies/user_policy.rb => maps to user_controller#actions
class UserPolicy < ApplicationPolicy
class Scope < Scope
attr_reader :user, :scope
# user is automagically set to current_user
def initialize(user, scope)
#user = user
#scope = scope
end
def resolve
scope.all
end
end
def index?
# If user has a role which has the claim :view_users
# Allow this user to use the user#index action
#user.authorized? :view_users
end
def new?
#user.authorized? :new_users
end
def edit?
#user.authorized? :edit_users
end
def create?
new?
end
def update?
edit?
end
def destroy?
#user.authorized? :destroy_users
end
end
Long story short:
If you configure pundit to force authorization on each request which is described in detail on the github page, the controller evaluates a policy based on the used controller.
UserController -> UserPolicy
Actions get defined with a question mark, even non restful routes.
def index?
# authorization is done inside the method.
# true = authorization succes
# false = authorization failure
end
This is my solution to action based authorization hope it helps you out.
Optimisations & feedback are welcome !
Rolling your own implementation isn't necessarily bad as long as you're committed to it.
It won't get tested and maintained by the community so you must be willing to maintain it yourself in the long run, and if it compromises security you need to be really sure of what you're doing and take extra care. If you have that covered and the existing alternatives don't really fit your needs, making your own isn't such a bad idea. And generally it's an incredibly good learning experience.
I rolled my own with ActionAccess and I couldn't be happier with the results.
Locked by default aproach:
class ApplicationController < ActionController::Base
lock_access
# ...
end
Per-action access control:
class ArticlesController < ApplicationController
let :admins, :all
let :editors, [:index, :show, :edit, :update]
let :all, [:index, :show]
def index
# ...
end
# ...
end
Really lighweight implementation.
I encourage you not to use it but to check out the source code, it has a fare share of comments and should be a good source of inspiration. ControllerAdditions might be a good place to start.
ActionAccess follows a different approach internally, but you can refactor your answer to mimic it's API with something like this:
module AccessControl
extend ActiveSupport::Concern
included do
before_filter :lock_access
end
module ClassMethods
def lock_access
unless #authorized
# Redirect user...
end
end
def allow_manager_to(actions = [])
prepend_before_action only: actions do
#authorized = true if current_user_is_a_manager?
end
end
end
end
class ApplicationController < ActionController::Base
include AccessControl # Locked by default
# ...
end
class ProjectController < ApplicationController
allow_managers_to [:edit, :update] # Per-action access control
# ...
end
Take this example as pseudo-code, I haven't tested it.
Hope this helps.
I didn't like my previous solution using prepend_before_action, here is a nice implementation using ActionController callbacks
module AccessControl
extend ActiveSupport::Concern
class UnauthorizedException < Exception
end
class_methods do
define_method :access_control do |*names, &blk|
_insert_callbacks(names, blk) do |name, options|
set_callback(:access_control, :before, name, options)
end
end
end
included do
define_callbacks :access_control
before_action :deny_by_default
around_action :perform_if_access_granted
def perform_if_access_granted
run_callbacks :access_control do
if #access_denied and not #access_authorized
#request_authentication = true unless user_signed_in?
render(
file: File.join(Rails.root, 'app/views/errors/403.html'),
status: 403,
layout: 'error')
else
yield
end
end
end
def deny_by_default
#access_denied ||= true
end
def allow_access
#access_authorized = true
end
end
end
Then you can add your own allow_access_to_x methods (for example in the same AccessControl concern) :
def allow_access_to_participants_of(project)
return unless user_signed_in?
allow_access if current_user.in?(project.executants)
end
Use it in your controllers the following way (don't forget to include AccessControl in your ApplicationController
class ProjectsController < ApplicationController
access_control(only: [:show, :edit, :update]) do
set_project
allow_access_to_participants_of(#project)
allow_access_to_project_managers
end
def index; ...; end;
def show; ...; end;
def edit; ...; end;
def update; ...; end;
def set_project
#project = Project.find(params[:project_id])
end
end
EDIT : Outdated answer, I have a friendlier implementation that involves using an access_control block
Going with evanbikes suggestion, for now I'll be using prepend_before action. I find it quite simple & flexible, but if I ever realize it's not good enough I will try other things.
Also if you find security issues/other problems with the solution below, please comment and/or downvote. I don't like leaving bad examples in SO.
class ApplicationController < ApplicationController::Base
include AccessControl
before_filter :access_denied
...
My Access Control module
module AccessControl
extend ActiveSupport::Concern
included do
def access_denied(message: nil)
unless #authorized
flash.alert = 'Unauthorized access'
flash.info = "Authorized entities : #{#authorized_entities.join(', '}" if #authorized_entities
render 'static_pages/home', :status => :unauthorized
end
end
def allow_access_to_managers
(#authorized_entities ||= []) << "Project managers"
#authorized = true if manager_logged_in?
end
...
How I use the AC in controllers :
class ProjectController < ApplicationController
# In reverse because `prepend_` is LIFO
prepend_before_action(except: [:show, :index, :new, :create]) do |c|
c.allow_access_to_manager(#manager.administrateur)
end
prepend_before_action :find_manager, except: [:index, :new, :create]

How to write a CanCan rspec for a modeless controller?

I have a model group.rb and then a controller group_invitations.rb which is modeless.
GroupInvitationsController
before_filter :find_group_by_group_id
before_filter :authenticate_user!
before_filter :current_ability
authorize_resource :class => false
def current_ability
#current_ability ||= Ability.new(current_user, #group)
end
When I write a rspec for this:
it "should be able to create" do
ability = Ability.new(nil)
ability.should be_able_to(:create, GroupInvitation.new)
end
rspec then errors with:
NameError:
uninitialized constant GroupInvitation
How do I setup rspec to test this modeless controller? Thanks
You need to call #ability.should be_able_to(:create, :group_invitation). You can read about what is authorized when using a model-less controller in the documentation.
This is the relevant section:
class ToolsController < ApplicationController
authorize_resource :class => false
def show
# automatically calls authorize!(:show, :tool)
end
end

Testing a ApplicationController before_filter in Rails

I have an application that detects the subdomain on a request and sets the result to a variable.
e.g.
before_filter :get_trust_from_subdomain
def get_trust_from_subdomain
#selected_trust = "test"
end
How can I test this with Test::Unit / Shoulda? I don't see a way of getting into ApplicationController and seeing what's set...
The assigns method should allow you to query the value of #selected_trust. To assert that its value equals "test" as follows:
assert_equal 'test', assigns('selected_trust')
Given a controller foo_controller.rb
class FooController < ApplicationController
before_filter :get_trust_from_subdomain
def get_trust_from_subdomain
#selected_trust = "test"
end
def index
render :text => 'Hello world'
end
end
one might write a functional test as follows in foo_controller_test.rb:
class FooControllerTest < ActionController::TestCase
def test_index
get :index
assert #response.body.include?('Hello world')
assert_equal 'test', assigns('selected_trust')
end
end
Related to comment: note that the filter can be placed in ApplicationController and then any derived controller will also inherit this filter behaviour:
class ApplicationController < ActionController::Base
before_filter :get_trust_from_subdomain
def get_trust_from_subdomain
#selected_trust = "test"
end
end
class FooController < ApplicationController
# get_trust_from_subdomain filter will run before this action.
def index
render :text => 'Hello world'
end
end
ApplicationController is global, have you considered writing a Rack Middleware instead? Way easier to test.
I've opted for this in another controller in the application:
require 'test_helper'
class HomeControllerTest < ActionController::TestCase
fast_context 'a GET to :index' do
setup do
Factory :trust
get :index
end
should respond_with :success
should 'set the trust correctly' do
assert_equal 'test', assigns(:selected_trust)
end
end
end

Resources