[rspec-users] Specify attr_protected

Jed Hurt jed.hurt at gmail.com
Wed May 30 23:45:21 EDT 2007


Hmmm.... scratch that. I actually had a typo in my code. After
correcting the typo, it looks like the code is trying to literally
call @order.attribute rather than @order.id, @order.total, etc...

Is eval the best option?

eval("@order.#{attribute}.should_not == 'hax0rz'")

On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:
> Wow. It does work. I didn't even bother to try it because I figured
> that calling 'it' inside of the 'each' block would not be the same as
> calling 'it' directly inside of the 'describe' block. I've never
> actually written a method that yields to a block. I'm still trying to
> fit into my Rubyist pants.
>
> So Ruby actually yields down into the 'each' block from the parent
> 'describe' block?
>
> On 5/30/07, David Chelimsky <dchelimsky at gmail.com> wrote:
> > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:
> > > This is kind of a two part question.
> > >
> > > Question One: I want to be sure that an Order model is protecting
> > > sensitive attributes from mass assignment.
> > >
> > > The example looks like this:
> > >
> > > describe Order do
> > >   it "should protect total attribute from mass assignment" do
> > >     @order = Order.new(:total => 0.05)
> > >     @order.total.should_not == 0.05
> > >   end
> > > end
> > >
> > > And the code to implement it:
> > >
> > > class Order < ActiveRecord::Base
> > >   attr_protected :total
> > > end
> > >
> > >
> > > It seems to work, but is there a better way? Not saying that this way
> > > is bad, just that I'm very green :)
> >
> > This seems pretty good to me. You're not cluttering up the example
> > with what the value of total IS - just what it is not, which is the
> > thing you're interested in.
> >
> > >
> > >
> > > Question Two: I actually have a bunch of attributes that need to be
> > > protected. Rather than hand-writing a call to the 'it' method for each
> > > attribute, could I just loop over an array of attributes that need to
> > > be checked and programmatically define the 'it' calls?
> > >
> > > Pseudo-code:
> > >
> > > describe Order do
> > >   [:total, :id, :customer_ip, :status, :error_message, :updated_at,
> > > :created_at, :finalize, :tax, :shipping].each do |attribute|
> > >     it "should protect #{attribute} attributes from mass assignment" do
> > >       @order = Order.new(attribute => 'hax0rz')
> > >       @order.attribute.should_not == 'hax0rz'
> > >     end
> > >   end
> > > end
> > >
> > > What would the actual implementation look like?
> >
> > I think it would look exactly like what you wrote. Have you tried it?


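On the eval question raised in this message, an added example (not code from the thread's participants): Ruby can call a method by name with `public_send`, so the per-attribute check needs no string evaluated as code. `FakeModel`, this `Order`, `SENTINEL` and `mass_assignable` are constructed stand-ins that only mimic `attr_protected` filtering; they are not Rails or RSpec code.

```ruby
# Constructed stand-in for an ActiveRecord model (assumption: not Rails code).
# It mimics only the behaviour under test: attributes named in
# attr_protected are skipped during mass assignment in the constructor.
class FakeModel
  def self.attr_protected(*names)
    protected_names.concat(names.map(&:to_sym))
  end

  def self.protected_names
    @protected_names ||= []
  end

  def initialize(attrs = {})
    attrs.each do |name, value|
      next if self.class.protected_names.include?(name.to_sym)
      public_send("#{name}=", value)
    end
  end
end

# Constructed sample model: :customer_ip is deliberately left unprotected
# so the check below has something to report.
class Order < FakeModel
  attr_accessor :total, :status, :customer_ip, :note
  attr_protected :total, :status
end

SENTINEL = 'hax0rz'

# Returns the attributes that accepted the sentinel through mass assignment.
def mass_assignable(model_class, attributes)
  attributes.select do |attribute|
    record = model_class.new(attribute => SENTINEL)
    # Dynamic dispatch by name: nothing is interpolated into evaluated code.
    record.public_send(attribute) == SENTINEL
  end
end

SENSITIVE = [:total, :status, :customer_ip].freeze
leaks = mass_assignable(Order, SENSITIVE)
puts leaks.empty? ? 'all protected' : "unprotected: #{leaks.inspect}"
```

Inside the looped `it` block from the thread, the equivalent line would be `@order.send(attribute).should_not == 'hax0rz'`.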