[rspec-users] rspec-rails how to selectively turn on csrf protection for controller specs?

nruth nick.rutherford at gmail.com
Thu Jul 8 12:36:00 EDT 2010


I'm setting up a Paypal IPN listener and need the create action to not
use rails' default CSRF protection.

I've got that working fine & test it actually works with cucumber
(where I've turned CSRF back on, since it's full-stack testing) but
would like my controller spec to mention the need for
protect_from_forgery :except => [:create] (and fail when it's not
set).

I've not had any luck with telling the controller or
ActionController::Base to use forgery protection in the spec and am a
bit stuck.

Has anyone done this before, or do any of these look possible:

 * reload the rails app for part of the spec, using a different rails
initializer (i.e. without
config.action_controller.allow_forgery_protection    = false as in
environments/test.rb)
 * tell the controller to use forgery protection despite it being
turned off in the rails test environment config (haven't had any luck
with this so far).
 * have some specs split off from the main specs which run in a
different rails environment, e.g. test-with-csrf rather than test.

versions: rails 2.3.8, rspec 1.3.0, rspec-rails 1.3.2

Any help or pointers to old topics would be greatly appreciated,
google made this look a bit unexplored beyond "rails fixes csrf by
default, turn off in tests".

Cheers
Nick


More information about the rspec-users mailing list