On Mar 16, 2008, at 2:41 PM, Camilo Torres wrote:

> I am starting with BDD. When speccing the controller I want to test for
> object creation:
>
>   it "deberia crear una nueva persona en post create" do
>     Usuario.should_receive(:create).with({:nombre => "camilo", :clave => "secreta", :tipo => "administrador"}).and_return(@usuario)
>
>     post 'create', {:usuario => {:nombre => "camilo", :clave => "secreta", :tipo => "administrador"}}
>   end
>
> But when I add this spec, I start getting this:
> 1)
> ActionController::InvalidAuthenticityToken in 'UsuarioController
> deberia crear una nueva persona en post create'
> No :secret given to the #protect_from_forgery call.  Set that or use a
> session store capable of generating its own keys (Cookie Session
> Store).
> ./spec/controllers/usuario_controller_spec.rb:30:
> script/spec:4:
>
> This is the only failure. Line 30 is the post "create".
>
> I am on Ruby 1.8.6, Rails 2.0.2, RSpec 1.1.3 (seen in
> vendor/plugins/rspec/CHANGES).
>
>
> I searched Google for solutions and found this:
>
> http://blog.stonean.com/2007/12/rspec-and-protectfromforgery.html
>
> then I added
> @controller.class.protect_from_forgery :secret => "secretkey"
> in the before(:each) method. I put the same secret key I found in
> environment.rb. But now it gives me:
> ActionController::InvalidAuthenticityToken
>
> I am lost. Why does this happen? Shouldn't it work just fine with the Rails
> default configuration?
>
> I have not changed anything in the environment.rb nor application.rb.
> This is just a new project to learn BDD and RoR. Thanks for any clue
> to get this to work.
> _______________________________________________
> rspec-users mailing list
> rspec-users@rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users

I haven't tried any of this, but here's my guess:

One way to get this to work is to stub out protect_from_forgery:

controller.stub!(:protect_from_forgery).and_return "foo"

The better question is: why would you intentionally remove a security  
feature?

Scott
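
The two errors in the question, reproduced in a small stand-alone Ruby model of a per-session authenticity-token check. This is an added example, not code from the thread or from Rails: `ForgeryCheck`, `secure_equal?`, `outcome`, the HMAC-SHA256 construction and the sample values are assumptions made for illustration. The disabled case models turning the check off for the test environment only (Rails exposes this as `allow_forgery_protection`).

```ruby
require 'openssl'

class InvalidAuthenticityToken < StandardError; end

# Constant-time string comparison, so a mismatch does not leak its position.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical stand-in for a controller's forgery check (not Rails source).
class ForgeryCheck
  def initialize(secret:, enabled: true)
    @secret = secret
    @enabled = enabled
  end

  # The token is bound to one session: HMAC of the session id under the secret.
  def token_for(session_id)
    raise InvalidAuthenticityToken, 'no secret configured' if @secret.nil?
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @secret, session_id)
  end

  # GET requests and a disabled check pass; any other request needs the token.
  def verify!(method, session_id, params)
    return true if !@enabled || method == :get
    expected = token_for(session_id)
    supplied = params[:authenticity_token].to_s
    raise InvalidAuthenticityToken, 'token missing or wrong' unless secure_equal?(supplied, expected)
    true
  end
end

# Returns :ok or the error message so the cases can be compared side by side.
def outcome(check, method, session_id, params)
  check.verify!(method, session_id, params)
  :ok
rescue InvalidAuthenticityToken => e
  e.message
end

# Constructed sample values.
SESSION = 'constructed-session-id'
FORM = { usuario: { nombre: 'camilo' } }
enforcing = ForgeryCheck.new(secret: 'secretkey')
disabled  = ForgeryCheck.new(secret: nil, enabled: false)

puts outcome(ForgeryCheck.new(secret: nil), :post, SESSION, FORM) # first error: no secret
puts outcome(enforcing, :post, SESSION, FORM)                     # second error: secret set, no token sent
puts outcome(enforcing, :post, SESSION, FORM.merge(authenticity_token: enforcing.token_for(SESSION)))
puts outcome(disabled, :post, SESSION, FORM)                      # check off, as in a test-only setting
```

Setting a secret alone only changes which failure is raised; the POST still has to carry the token for that session, or the check has to be off in the test environment.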



