[rspec-users] Specify attr_protected

David Chelimsky dchelimsky at gmail.com
Thu May 31 00:02:13 EDT 2007


On 5/31/07, David Chelimsky <dchelimsky at gmail.com> wrote:
> On 5/31/07, David Chelimsky <dchelimsky at gmail.com> wrote:
> > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:
> > > Hmmm.... scratch that. I actually had a typo in my code. After
> > > correcting the typo, It looks like the code is trying to literally
> > > call @order.attribute rather than @order.id, @order.total, etc...
> > >
> > > Is eval the best option?
> > >
> > > eval("@order.#{attribute}.should_not == 'hax0rz'")
> >
> > That, or (I think):
> >
> > (@order.send attribute).should)_not == hax0rz'
> >
>
> Sorry - typo - this:
>
> (@order.send attribute).should_not == hax0rz'

UGH - one more time:

(@order.send attribute).should_not == 'hax0rz'


>
> >
> > >
> > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:
> > > > Wow. It does work. I didn't even bother to try it because I figured
> > > > that calling 'it' inside of the 'each' block would not be the same as
> > > > calling 'it' directly inside of the 'describe' block. I've never
> > > > actually written a method that yields to a block. I'm still trying to
> > > > fit into my Rubyist pants.
> > > >
> > > > So Ruby actually yields down into the 'each' block from the parent
> > > > 'describe' block?
> > > >
> > > > On 5/30/07, David Chelimsky <dchelimsky at gmail.com> wrote:
> > > > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:
> > > > > > This is kind of a two part question.
> > > > > >
> > > > > > Question One: I want to be sure that an Order model is protecting
> > > > > > sensitive attributes from mass assignment.
> > > > > >
> > > > > > The example looks like this:
> > > > > >
> > > > > > describe Order do
> > > > > >   it "should protect total attribute from mass assignment" do
> > > > > >     @order = Order.new(:total => 0.05)
> > > > > >     @order.total.should_not == 0.05
> > > > > >   end
> > > > > > end
> > > > > >
> > > > > > And the code to implement it:
> > > > > >
> > > > > > class Order < ActiveRecord::Base
> > > > > >   attr_protected :total
> > > > > > end
> > > > > >
> > > > > >
> > > > > > It seems to work, but is there a better way? Not saying that this way
> > > > > > is bad, just that I'm very green :)
> > > > >
> > > > > This seems pretty good to me. You're not cluttering up the example
> > > > > with what the value of total IS - just what it is not, which is the
> > > > > thing you're interested in.
> > > > >
> > > > > >
> > > > > >
> > > > > > Question Two: I actually have a bunch of attributes that need to be
> > > > > > protected. Rather than hand-writing a call to the 'it' method for each
> > > > > > attribute, could I just loop over an array of attributes that need to
> > > > > > be checked and programatically define the 'it' calls?
> > > > > >
> > > > > > Pseudo-code:
> > > > > >
> > > > > > describe Order do
> > > > > >   [:total, :id, :customer_ip, :status, :error_message, :updated_at,
> > > > > > :created_at, :finalize, :tax, :shipping].each do |attribute|
> > > > > >     it "should protect #{attribute} attributes from mass assignment" do
> > > > > >       @order = Order.new(attribute => 'hax0rz')
> > > > > >       @order.attribute.should_not == 'hax0rz'
> > > > > >     end
> > > > > >   end
> > > > > > end
> > > > > >
> > > > > > What would the actual implementation look like?
> > > > >
> > > > > I think it would look exactly like what you wrote. Have you tried it?
> > > > > _______________________________________________
> > > > > rspec-users mailing list
> > > > > rspec-users at rubyforge.org
> > > > > http://rubyforge.org/mailman/listinfo/rspec-users
> > > > >
> > > >
> > > _______________________________________________
> > > rspec-users mailing list
> > > rspec-users at rubyforge.org
> > > http://rubyforge.org/mailman/listinfo/rspec-users
> > >
> >
>


More information about the rspec-users mailing list