using rails 3.1 here. i am having some problems with session variables in my integration test.
test "new registration" do
get "/user/sign_up?type=normal"
assert_response :success
assert_equal 'normal', session[:registration]
assert_template "user_registrations/new"
assert_difference('User.count', +1) do
post "/user", :user => {:email => "kjsdfkjksjdf#sdfsdf.com", :user_name => "lara", :password => "dfdfdfdfdfdf", :password_confirmation => "dfdfdfdfdfdf"}
end
assert_response :redirect
assert_template "user_registrations/new"
#user = User.find_by_user_name('lara')
assert_equal 'lara', #user.user_name
#user.confirm!
end
all of the assertions pass so thats good, but from what i can tell, session[:registration] is not getting passed when post to "/user".
in my create action in the user_registration controller:
if session[:registration] == "normal"
#user.role = "normal"
#user.status = "registering"
#user.save
else
#user.role = "fan"
#user.save
end
So when the user is created, #user.role = "fan", when it should be #user.role = "normal".
I cant seem to get that session variable to pass when i post. from what i understand, in the "new registration" test, all the session variables remain active as long as the test has not ended. am i wrong to assume that that session variable should be posted? any suggestions?
Related
After a factory girl create I have the following
it "should display the email of user if public" do
#user.update_attributes(:public_email => true)
# I have also tried
# #user.public_email = true
# and
# #user.toggle!(public_email)
#user.save
puts "EMAIL IS #{#user.public_email}"
get :show, :id => #user.id
response.should have_selector("dt", :content => "Email")
end
Rspec will print that "EMAIL IS true" but in the view, public_email is not true (I have <%= "User email is #{#user.public_email}." %> and that prints false).
All my other tests work as expected and it works fine in development.
Why is this happening?
EDIT:
This is my own fault. I was trying to avoid writing the line get :show, :id => #user.id a bunch of times, so I had another before(:each) do call after those tests, and I thought by listing it after them it would not count, but apparently it does.
I've been learning Rails 3 with Devise and, so far, seem to have it working quite well. I've got custom session & registration controllers, recaptcha is working and a signed-in user can upload an avatar via carrierwave, which is saved on S3. Pretty happy with my progress.
Now I'm writing Rspec tests. Not going so well! I have a reasonable User model test, but that's because I found it online (https://github.com/RailsApps/rails3-devise-rspec-cucumber/) and was able to add to it by following Michael Hartl's excellent "Ruby on Rails 3 Tutorial".
My real problem is controller test and integration tests, especially controller tests. Initially I thought I'd be able to convert the tests in Michael's book, and I have to a small degree, but it's slow progress and I seem to be constantly hitting my head against a brick wall - partly, I think, because I don't know Rspec and capybara so well (have made some very dumb mistakes) but also because I don't really understand Devise well enough and am wondering if Devise plays as nicely as it might with Rspec; I read somewhere that, because Devise is Rack based, it might not always work as one might expect with Rspec. Don't know if that's true or not?
I know some people will wonder why this might be necessary since Devise is a gem and therefore already tested but I've had a couple of instances where changes elsewhere have broken login or registration without me immediately realizing. I think a good set of controller & integration tests would have solved this.
If I was able to do this myself I would and I'd publish it for others but, so far, writing these tests has been extremely painful and I really need to move on to other things.
I'm sure I wouldn't be the only one who could use this. Anyone know of a such a suite of tests?
In response to Jesse's kind offer of help...
Here is my registrations_controller_spec. The comments in "should render the 'edit' page" show the sort of things I am struggling with. Also, "should create a user" has some things I've tried to test but not been able to:
require File.dirname(__FILE__) + '/../spec_helper'
describe Users::RegistrationsController do
include Devise::TestHelpers
fixtures :all
render_views
before(:each) do
#request.env["devise.mapping"] = Devise.mappings[:user]
end
describe "POST 'create'" do
describe "failure" do
before(:each) do
#attr = { :email => "", :password => "",
:password_confirmation => "", :display_name => "" }
end
it "should not create a user" do
lambda do
post :create, :user_registration => #attr
end.should_not change(User, :count)
end
it "should render the 'new' page" do
post :create, :user_registration => #attr
response.should render_template('new')
end
end
describe "success" do
before(:each) do
#attr = { :email => "user#example.com",
:password => "foobar01", :password_confirmation => "foobar01", :display_name => "New User" }
end
it "should create a user" do
lambda do
post :create, :user => #attr
response.should redirect_to(root_path)
#response.body.should have_selector('h1', :text => "Sample App")
#response.should have_css('h1', :text => "Sample App")
#flash[:success].should == "A message with a confirmation link has been sent to your email address. Please open the link to activate your account."
#response.should have_content "A message with a confirmation link has been sent to your email address. Please open the link to activate your account."
end.should change(User, :count).by(1)
end
end
end
describe "PUT 'update'" do
before(:each) do
#user = FactoryGirl.create(:user)
#user.confirm! # or set a confirmed_at inside the factory. Only necessary if you are using the confirmable module
sign_in #user
end
describe "Failure" do
before(:each) do
# The following information is valid except for display_name which is too long (max 20 characters)
#attr = { :email => #user.email, :display_name => "Test", :current_password => #user.password }
end
it "should render the 'edit' page" do
put :update, :id => subject.current_user, :user => #attr
# HAVE PUT THE DEBUGS THAT I'D LIKE TO GET WORKING FIRST
# Would like to be able to debug and check I'm getting the error(s) I'm expecting
puts subject.current_user.errors.messages # doesn't show me the errors
# Would like to be able to debug what html is being returned:
puts page.html # only return the first line of html
# Would like to be able to determine that this test is failing for the right reasons
response.should have_content "Display name is too long (maximum is 20 characters)" # doesn't work
response.should render_template('edit')
end
end
describe "Success" do
it "should change the user's display name" do
#attr = { :email => #user.email, :display_name => "Test", :current_password => #user.password }
put :update, :id => subject.current_user, :user => #attr
subject.current_user.reload
response.should redirect_to(root_path)
subject.current_user.display_name == #attr[:display_name]
end
end
end
describe "authentication of edit/update pages" do
describe "for non-signed-in users" do
before(:each) do
#user = FactoryGirl.create(:user)
end
describe "for non-signed-in users" do
it "should deny access to 'edit'" do
get :edit, :id => #user
response.should redirect_to(new_user_session_path)
end
it "should deny access to 'update'" do
put :update, :id => #user, :user => {}
response.should redirect_to(new_user_session_path)
end
end
end
end
end
Acording to Devise Wiki, controller tests have to be some kind of hibrid (unit + integration) tests. You have to create an instance of User (or you auth entity) in the database. Mocking Devise stuff is really hard, trust me.
Try this: How-To:-Controllers-and-Views-tests-with-Rails-3-and-rspec
With Cucumber, you can create a step that already do the login process.
Hope it helps.
OK, so a couple of things to make this work:
Here's how you should test that the body have specific text (you were missing the .body
response.body.should include "Display name is too long (maximum is 30 characters)"
You could also test that the #user has an error:
assigns[:user].errors[:display_name].should include "is too long (maximum is 30 characters)"
But, you do need to actually make the name be over 20/30 characters long, so I changed the attributes being posted to:
#attr = { :email => #user.email, :display_name => ("t" * 35), :current_password => #user.password }
https://gist.github.com/64151078628663aa7577
I'm trying to test a case in our Ruby on Rails system where we lock a user out after x failed login attempts. The issue I'm having is trying to create a user has reached the number that 'locks' his account. I am using Factories to create a user like so-
Factory.define :locked_user, :class => User do |user|
user.name "Test Lock"
user.email "lock#lock.com"
user.password "blah1234"
user.password_confirmation "blah1234"
user.login_count 5
end
Where 5 is the 'magic number'. When I try to use something like
#user = Factory(:locked_user)
It creates a user in the database- but newly created users always have login_count set to zero, so it just logs him in the test. When I try the .build method like so
#user = Factory.build(:locked_user)
It sets a user with login_count = 5 like I want, but then doesn't see the user as valid and won't try to log them in (ie, it gives us the 'bad user/password' error rather then 'right user/password but you are locked out' error). I guess I'm missing something here to get RSpec to pick up the fact that this is valid user but the account should be locked. Can someone help set me straight? Below is the entire desribe block-
describe "with locked account" do
before(:each) do
#user = Factory.build(:locked_user)
#attr = { :email => #user.email, :password => #user.password}
end
it "should not allow signin with locked account" do
post :create, :session => #attr
flash.now[:error].should =~ /Invalid user locked out/i
end
end
I would recommend you either set the login_count after creating the user, or stub the method that tells you if a user login is locked.
For instance, use update_attribute to force the login_count after the user has been created:
before(:each) do
#user = Factory(:user)
#user.update_attribute(:login_count, 5)
#attr = { :email => #user.email, :password => #user.password}
end
Or use stubs to stub out the locked_login?, or equivalent method:
before(:each) do
#user = Factory(:user)
#user.stub(:locked_login?).and_return(true)
#attr = { :email => #user.email, :password => #user.password}
end
I'm writing an integration test to make sure my webapp isn't vulnerable to session fixation.
I have manually verified that reset_session is actually firing in the authentication logic, and further that the cookie does indeed change when I log in with my web browser (so, I'm not vulnerable to session fixation anymore), but I can't get my RSpec integration test to successfully verify this.
Here is my RSpec integration test.
require 'spec_helper'
describe "security" do
self.use_transactional_fixtures = false
append_after(:each) do
ALL_MODELS.each &:delete_all
end
describe "session fixation" do
it "should change the cookie session id after logging in" do
u = test_user :active_user => true,
:username => "nobody#example.com",
:password => "asdfasdf"
u.save!
https!
get_via_redirect "/login"
assert_response :success
cookie = response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip
post_via_redirect "/login", "user[email]" => "nobody#example.com",
"user[password]" => "asdfasdf",
"user[remember_me]" => "1"
assert_response :success
path.should eql("/dashboard")
cookie.should_not eql(response.header["Set-Cookie"].split(";").select{|x| x.match(/_session/)}[0].split("=")[1].strip)
end
end
end
Everything works except for the very last assert. The cookie doesn't change.
Are there any known issues with RSpec/Rails integration tests where reset_session doesn't work as expected? What can I do to write a test that verifies session fixation is not an issue?
So I eventually did end up figuring this out.
I was trying to edit the response header directly to test cookies, but I guess that's not the blessed way.
In integration tests with Rails 2.x anyway, there's a cookies hash that you can use. Here's what the test ended up looking like:
u = test_user :active_user => true,
:username => "nobody#example.com",
:password => "asdfasdf"
u.save!
https!
get_via_redirect "/login"
assert_response :success
cookie = cookies['_session']
cookie.should be_present
path.should == "/login"
post_via_redirect "/login", "user[email]" => "nobody#example.com",
"user[password]" => "asdfasdf",
"user[remember_me]" => "1"
assert_response :success
path.should eql("/?login_success=1")
new_cookie = cookies['_session']
new_cookie.should be_present
cookie.should_not eql(new_cookie)
--preface: ignore if you want.
I'm new to rails, and working on a project that will require user authentication.
I found this tutorial and have been trying to go through it and understand what's happening. Of course, it's not exactly what I need as-is, so I've been modifying as I go along. The tutorial is also out of date in some areas, so of course I've had to update my code. So part of my problem is that I'm not sure if the bug is in my modifications, or some function that's been deprecated, or what.
--the question
This is the (simplest) test that fails. (" expected to not be nil" on the first assert statement.)
def test_authentication
#check we can log in
post :login, :user => { :username => "bob", :password => "test" }
assert_not_nil session[:user_id]
assert_equal users(:bob).id, session[:user_id]
assert_response :redirect
assert_redirected_to :action => 'welcome'
end
It calls the user_controller action login:
def login
if request.post?
if session[:user_id] = User.authenticate(params[:user][:username], params[:user][:password])
flash[:message] = "Login succeeded!"
redirect_to_stored
else
flash[:warning] = "Login failed."
end
end
end
which calls the User method authenticate. I know that authenticate works properly, however, because I have a single test that does pass:
def test_registration
#check that we can register and are logged in automatically
post :register, :user => { :username => "newuser", :password => "pass", :password_confirmation => "pass", :email => "newuser#web.com" }
assert_response :redirect
assert_not_nil session[:user_id]
assert_redirected_to :action => 'welcome'
end
which calls the user_controller action register
def register
#user = User.new(params[:user])
if request.post?
if #user.save
session[:user_id] = User.authenticate(#user.username, #user.password)
flash[:message] = "Registration succeeded"
redirect_to :action => 'welcome'
end
else
flash[:warning] = "Registration failed"
end
end
which successfully calls authenticate.
the users fixture has one relevant record:
bob:
username: bob
email: bob#mcbob.com
hashed_password: 77a0d943cdbace52716a9ef9fae12e45e2788d39 # test
salt: 1000
I've tested the hashed password and salt - "test" is the correct password.
So by my analysis, the bug has got to be in one of 3 places:
how I'm sending my post request,
how I'm accessing the parameters in the login action,
or some aspect of the fixture loading.
(originally I was using the tutorial's code to load the fixture explicitly (self.use_instantiated_fixtures = true; fixtures :users), but I read that all fixtures are automatically loaded before testing, so I took it out. That didn't change a thing.)
Of course, since I can't seem to find the problem in those areas, it could just as well be anywhere else.
Is it possible that there's a filter that is preventing your action getting called? If there's a general :before_filter => 'login_required' then you might not be reaching your login functionality at all. (Though admittedly the register action would have to be excluded for that test to pass)
In cases like this it's useful to stick some logging in (or run through a debugger) to see whether you even get to the part of the method that you think is failing. If it were me I'd stick a logger.debug("...") as the first line of the login method and then another after the check for request.post? and then another after the authentication check.