[rspec-users] Getting past my login system

Ryan Tucker rctucker at u.washington.edu
Tue Jul 17 02:45:08 EDT 2007


Daniel N wrote:
>
>
> On 7/17/07, *Ryan Tucker* <rctucker at u.washington.edu 
> <mailto:rctucker at u.washington.edu>> wrote:
>
>     Daniel N wrote:
>     >
>     >
>     > On 7/17/07, *Ryan Tucker* <rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>
>     > <mailto:rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>>> wrote:
>     >
>     >     Daniel N wrote:
>     >     >
>     >     >
>     >     > On 7/17/07, *Ryan Tucker* <rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>
>     >     <mailto: rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>>
>     >     > <mailto:rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>
>     >     <mailto: rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>>>> wrote:
>     >     >
>     >     >     Daniel N wrote:
>     >     >     >
>     >     >     >
>     >     >     > On 7/17/07, *Ryan Tucker* <
>     rctucker at u.washington.edu <mailto:rctucker at u.washington.edu>
>     >     <mailto:rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>>
>     >     >     <mailto: rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>
>     >     <mailto:rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>>>
>     >     >     > <mailto:rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>
>     >     <mailto:rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>>
>     >     >     <mailto: rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>
>     >     <mailto: rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>>>>> wrote:
>     >     >     >
>     >     >     >     Ryan Tucker wrote:
>     >     >     >     > Thank you in advance for your help.  I am
>     relatively new
>     >     >     to both
>     >     >     >     Rails
>     >     >     >     > and Rspec and I am hoping for some insight
>     from some
>     >     >     experienced
>     >     >     >     veterans.
>     >     >     >     >
>     >     >     >     > Right now I am using Rspec for code that has
>     already
>     >     been
>     >     >     >     written so
>     >     >     >     > that additional functionality can be developed
>     using
>     >     the BDD
>     >     >     >     method. My
>     >     >     >     > problem shows up when I try to spec
>     controllers that are
>     >     >     behind the
>     >     >     >     > login system.  Each page checks for the
>     >     session[:user], and if
>     >     >     >     they do
>     >     >     >     > not exists, requires them to login.  Logging in is
>     >     handled
>     >     >     by one
>     >     >     >     > controller (the Admin controller) and I want
>     to access a
>     >     >     page under
>     >     >     >     > another controller (say a Students controller).
>     >     >     >     >
>     >     >     >     > In my students_controller_spec.rb, I want want to
>     >     make sure
>     >     >     >     > http://test.host/students is successfully
>     displayed,
>     >     so I
>     >     >     wrote
>     >     >     >     > something like:
>     >     >     >     >
>     >     >     >     >   it "should be successful" do
>     >     >     >     >     get :index
>     >     >     >     >     response.should be_success
>     >     >     >     >   end
>     >     >     >     >
>     >     >     >     > The problem is that is keeps redirecting to my
>     login
>     >     page at
>     >     >     >     > http://test.host/login.  I tried then setting
>     >     >     session[:user] and
>     >     >     >     doing a
>     >     >     >     > post to my login page to simulate a login so
>     that I
>     >     could
>     >     >     access the
>     >     >     >     > correct page, but that does not seem to
>     work.  I tried a
>     >     >     number of
>     >     >     >     > things, including the following:
>     >     >     >     >
>     >     >     >     > def do_login
>     >     >     >     >   @user = User.find(:first, :conditions =>
>     >     ['username = ?' ,
>     >     >     >     'ryan'] )
>     >     >     >     >   session[:user] = @ user.id <http://user.id>
>     <http://user.id>
>     >     <http://user.id> <http://user.id <http://user.id>>
>     >     >     >     >   post :login, :path => []
>     >     >     >     > end
>     >     >     >     >
>     >     >     >     > describe StudentsController do
>     >     >     >     >   it "should be successful" do
>     >     >     >     >     do_login
>     >     >     >     >     get :index
>     >     >     >     >     response.should be_success
>     >     >     >     >   end
>     >     >     >     > end
>     >     >     >     >
>     >     >     >     > This still results in being redirected to the
>     login
>     >     page at
>     >     >     >     > http://test.host/login when I want to go to
>     >     >     >     http://test.host/students.
>     >     >     >     > Also, I realize I am actually doing a call on
>     my test
>     >     >     database for
>     >     >     >     > this.  Part of the reason is that code that called
>     >     during
>     >     >     login
>     >     >     >     checks
>     >     >     >     > fields of a user.  The other reason is I could not
>     >     get it to
>     >     >     >     work using
>     >     >     >     > stubs, but that might just have been because I was
>     >     not using
>     >     >     >     them properly.
>     >     >     >     >
>     >     >     >     > Any insight will be helpful, thanks!
>     >     >     >     >
>     >     >     >     > -Ryan
>     >     >     >     > _______________________________________________
>     >     >     >     > rspec-users mailing list
>     >     >     >     > rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org>
>     >     <mailto:rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org>>
>     >     >     <mailto: rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org>
>     >     <mailto:rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org>>> <mailto:
>     >     >     rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org>
>     <mailto:rspec-users at rubyforge.org <mailto:rspec-users at rubyforge.org>>
>     >     <mailto:rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org> <mailto:
>     rspec-users at rubyforge.org <mailto:rspec-users at rubyforge.org>>>>
>     >     >     >     > http://rubyforge.org/mailman/listinfo/rspec-users
>     >     >     >     >
>     >     >     >     Forgot one thing.
>     >     >     >
>     >     >     >     In trying to do the post, I get the error that
>     "No action
>     >     >     >     responded to
>     >     >     >     login" suggesting that I am not properly
>     accessing the
>     >     login
>     >     >     >     function in
>     >     >     >     my Admin controller.
>     >     >     >
>     >     >     >     Thanks again,
>     >     >     >     Ryan
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     > Ryan, the login action is being called on
>     >     >     your  StudentsController and
>     >     >     > so it's not found.
>     >     >     >
>     >     >     > If it's the presence of the session[:user] that
>     tells the
>     >     >     > before_filter that your logged in, the you don't
>     need to
>     >     do the
>     >     >     post.
>     >     >     > In fact you shouldn't post, since as you found out
>     if you
>     >     post to
>     >     >     > login, your posting to the login action of the
>     controller your
>     >     >     > currently in.  Bad.  Your setting the session and you
>     >     shouldn't need
>     >     >     > to do any more.
>     >     >     >
>     >     >     > HTH
>     >     >     > Daniel
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >
>     >    
>     ------------------------------------------------------------------------
>     >     >
>     >     >     >
>     >     >     > _______________________________________________
>     >     >     > rspec-users mailing list
>     >     >     > rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org>
>     >     <mailto:rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org>>
>     >     <mailto:rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org>
>     <mailto:rspec-users at rubyforge.org <mailto:rspec-users at rubyforge.org>>>
>     >     >     > http://rubyforge.org/mailman/listinfo/rspec-users
>     >     >     Thanks, Daniel.
>     >     >
>     >     >     That was my understanding as well, but, for some reason,
>     >     that has not
>     >     >     been enough.  The post was an attempt to simulate an
>     actual
>     >     login by
>     >     >     posting to another controller (I know it was bad...)
>     since just
>     >     >     setting
>     >     >     the session[:user] was not a success.  Thank you for your
>     >     help though.
>     >     >
>     >     >     Take care,
>     >     >     Ryan
>     >     >
>     >     >
>     >     > Can you post your before_filter method that checks if your
>     >     logged in?
>     >     >
>     >     > Also your login method in your Admin controller.
>     >     >
>     >     > Cheers
>     >     >
>     >     >
>     >     >
>     >     >
>     >    
>     ------------------------------------------------------------------------
>
>     >     >
>     >     > _______________________________________________
>     >     > rspec-users mailing list
>     >     > rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org> <mailto:
>     rspec-users at rubyforge.org <mailto:rspec-users at rubyforge.org>>
>     >     > http://rubyforge.org/mailman/listinfo/rspec-users
>     >       #  The Logins are to track a users activity, and this
>     supports
>     >       # when a user wants to access a page and needs to login first,
>     >     sending
>     >     them to it after they login.
>     >       # Authenticate checks the username and password against
>     the username
>     >     and password in the
>     >       # database.
>     >       def login
>     >         if request.post?
>     >           if @current_user = User.authenticate(params[:username],
>     >     params[:password])
>     >             login = Login.create(:remote_ip =>
>     request.remote_ip.to_s,
>     >     :user_agent => request.user_agent.to_s , :http_vars =>
>     request.env)
>     >             @current_user.logins << login
>     >             session[:user] = @current_user.id
>     >             uri = session[:original_uri]
>     >             session[:original_uri] = nil
>     >             redirect_to uri || home_url
>     >             return
>     >           else
>     >             flash[:error] = "Access denied"
>     >           end
>     >         end
>     >
>     >         if session[:user]
>     >           redirect_to home_url
>     >           return false
>     >         end
>     >         set_page_title "Log In"
>     >       end
>     >
>     >       # This checks that there is a current user, and checks if they
>     >     are active
>     >       # In my case, I am keeping track of whether or not I have
>     disabled
>     >       # a user.  active?() returns true so long as they are have
>     not been
>     >     deactivated.
>     >       def check_authentication
>     >         unless @current_user and @current_user.active?
>     >           session[:original_uri] = request.request_uri
>     >           redirect_to log_in_url
>     >           return false
>     >         end
>     >         true
>     >       end
>     >
>     >
>     >     Thank you again for your help.
>     >
>     >
>     > I hope I can ;)
>     >
>     >     Take care,
>     >     Ryan
>     >
>     >
>     >
>     > Ok there's a fair bit of stuff going on in the login code.  It
>     doesn't
>     > seem that you've included your before_filter that checks to see if a
>     > user is logged in in your controller.
>     >
>     > Do you use a before_filter or some other method in the controller to
>     > check for logged in status?  Can you post the code that checks if a
>     > user is logged in for the controller.
>     >
>     > Cheers
>     > Daniel
>     >
>     >
>     >
>     ------------------------------------------------------------------------
>     >
>     > _______________________________________________
>     > rspec-users mailing list
>     > rspec-users at rubyforge.org <mailto:rspec-users at rubyforge.org>
>     > http://rubyforge.org/mailman/listinfo/rspec-users
>
>     There is also a method that checks whether or not a user has
>     rights to
>     view a particular page as below.
>
>       def check_authorization
>         unless @current_user.superuser or
>           @current_rights.detect do |right|
>             right.action == action_name && right.controller ==
>     self.class.controller_path
>           end
>           flash[:warning] = "You are not authorized to view the page you
>     requested."
>           redirect_to home_url
>           return false
>         end
>       end
>
>
>     The @current_user is set in another method set_user().
>
>       def set_user
>         unless session[:user].nil?
>           begin
>             @current_user = User.find( session[:user], :include => [
>     :positions ] )
>             @user_preferences = @current_user.preferences || {}
>             @current_rights = @current_user.positions.collect do |pos|
>               pos.role.rights.collect
>             end.flatten.uniq
>           rescue
>             # Do nothing
>           end
>         end
>       end
>
>     So, login() sets the session[:user], set_user() sets the
>     @current_user
>     as well as the rights of the user and
>     check_authentication()/check_authorization() use the @current_user to
>     check whether or not a user is who they say they are (via password
>     verification) or view the page (via rights).
>
>     My apologies if this has been redundant. I did try reading through
>     other
>     posts before posting my own, but I guess I did not understand how to
>     apply what I read to what I have. I did attempt mocking a user
>     using the
>     method suggested by Scott, but got an error stating:
>     "Mock 'User_1000' received unexpected message :preferences wit (no
>     args)."
>
>     Perhaps it is because I am not doing that properly either, so I will
>     make sure I understand that a bit better first.
>
>     Thanks for everyone's help.
>
>     Take care,
>     Ryan
>
>
>
> Ok,  it seems to me that if you assign the  @current_user varaible and 
> stub it to return true on  the superuser method then everything should 
> be ok.
>
> def do_login
>   @user = mock_model( User, :id => 1 ) # Get yourself a user that you 
> can reference in your spec
>   @user.stub!( :superuser ).and_return( true )  # Short circuit the 
> check_authorization method to be a super user by default.  You can 
> override this in your individual behaviours.
>
>   session[:user] = @user.id <http://user.id>  # should short circuit 
> the set_user method.
>   assigns[ :current_user ] = @user # Set the current user
> end
>
> I think that should do it.  You might find you need to stub the @user 
> model a bit depending on what other methods are being called on it.
>
> HTH
> Daniel
>
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
Daniel,

Thank you so much.  I will see if I can make that works.  Thanks again 
for your time and effort!

Take care,
Ryan


More information about the rspec-users mailing list