[rspec-users] rspec-rails how to selectively turn on csrf protection for controller specs?

Wincent Colaiuta win at wincent.com
Thu Jul 8 13:15:52 EDT 2010

On 08/07/2010, at 18:36, nruth wrote:

> I'm setting up a Paypal IPN listener and need the create action to not
> use rails' default CSRF protection.
> I've got that working fine & test it actually works with cucumber
> (where I've turned CSRF back on, since it's full-stack testing) but
> would like my controller spec to mention the need for
> protect_from_forgery :except => [:create] (and fail when it's not
> set).
> I've not had any luck with telling the controller or
> ActionController::Base to use forgery protection in the spec and am a
> bit stuck.
> Has anyone done this before, or do any of these look possible:
> * reload the rails app for part of the spec, using a different rails
> initializer (i.e. without
> config.action_controller.allow_forgery_protection    = false as in
> environments/test.rb)
> * tell the controller to use forgery protection despite it being
> turned off in the rails test environment config (haven't had any luck
> with this so far).
> * have some specs split off from the main specs which run in a
> different rails environment, e.g. test-with-csrf rather than test.
> versions: rails 2.3.8, rspec 1.3.0, rspec-rails 1.3.2
> Any help or pointers to old topics would be greatly appreciated,
> google made this look a bit unexplored beyond "rails fixes csrf by
> default, turn off in tests".

I think Cucumber is the right level to test this at. But if you really, really want to test it at the RSpec level, take a look at what the protect_from_forgery method actually does:


It boils down to this:

  before_filter :verify_authenticity_token, options

So you could introspect the controller and ask it what its before_filters are, and see if "verify_authenticity_token" is present or absent. But I fear it would require some ugly hacking via instance_variable_get, which is why I say that Cucumber is the right level to test this sort of thing on.
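To make the introspection idea concrete, here is an added example that is not part of this thread and not Rails' own code: a small stand-in for the Rails 2.3 filter DSL in which protect_from_forgery registers a verify_authenticity_token before_filter, plus a check that asks the filter chain whether that filter applies to a given action. The module name ForgeryProtection, the Filter struct, the controller class names and the csrf_report helper are all constructed for this example; real Rails stores filters differently. It goes slightly beyond the thread by honouring :only as well as :except.

```ruby
# Toy model of the Rails 2.3 before_filter / protect_from_forgery DSL,
# written so the "introspect the filter chain" idea can be run without Rails.
# Nothing here is Rails' real implementation.
module ForgeryProtection
  # One registered filter with its :only / :except restrictions (nil = unrestricted).
  Filter = Struct.new(:method_name, :only, :except) do
    def applies_to?(action)
      action = action.to_sym
      return false if only && !only.include?(action)
      return false if except && except.include?(action)
      true
    end
  end

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declared filter chain for this controller class.
    def before_filters
      @before_filters ||= []
    end

    # Toy before_filter: record the method name and normalise :only / :except to symbol arrays.
    def before_filter(method_name, options = {})
      only   = options[:only]   && Array(options[:only]).map(&:to_sym)
      except = options[:except] && Array(options[:except]).map(&:to_sym)
      before_filters << Filter.new(method_name.to_sym, only, except)
    end

    # Mirrors the one-liner quoted in the reply:
    #   before_filter :verify_authenticity_token, options
    def protect_from_forgery(options = {})
      before_filter :verify_authenticity_token, options
    end

    # Spec-side question: will the CSRF check run for this action?
    # Inspects the declared chain only, so it does not depend on the
    # test environment's allow_forgery_protection setting.
    def verifies_authenticity_for?(action)
      before_filters.any? do |f|
        f.method_name == :verify_authenticity_token && f.applies_to?(action)
      end
    end
  end
end

# Constructed controllers: the IPN listener as the thread describes it,
# one that forgot the exemption, and one with no protection at all.
class IpnListenerController
  include ForgeryProtection
  protect_from_forgery :except => [:create]
end

class UnexemptedController
  include ForgeryProtection
  protect_from_forgery
end

class UnprotectedController
  include ForgeryProtection
end

# Summarise which actions are CSRF-checked, e.g. for an assertion in a spec.
def csrf_report(controller, actions = [:create, :show])
  actions.map { |a| [a, controller.verifies_authenticity_for?(a)] }.to_h
end

if __FILE__ == $0
  p csrf_report(IpnListenerController)   # {:create=>false, :show=>true}
  p csrf_report(UnexemptedController)    # {:create=>true,  :show=>true}
  p csrf_report(UnprotectedController)   # {:create=>false, :show=>false}
end
```

A spec built on this idea would assert that verify_authenticity_token is absent for :create and present for every other action, so it fails both when the exemption is missing and when protect_from_forgery is dropped altogether. Because it reads the declared chain rather than exercising the request, it is unaffected by allow_forgery_protection = false in environments/test.rb, which is exactly what stopped the runtime approach in the original question; the trade-off is that only a full-stack run (the Cucumber route) proves the filter actually rejects a forged request.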
