Re: [rspec-users] [HELP]No :secret given to the #protect_from_forgery call

Sat, 15 Mar 2008 15:26:02 -0700 

I presume the feature is well tested in rails and disable it in the
test environment (which is done by default, I think).

# in config/environments/test.rb
# Disable request forgery protection in test environment
config.action_controller.allow_forgery_protection    = false

-Mike

On Sat, Mar 15, 2008 at 2:26 PM, Scott Taylor
<[EMAIL PROTECTED]> wrote:
>
>
>  On Mar 16, 2008, at 2:41 PM, Camilo Torres wrote:
>
>  > I am starting to BDD. When specing the controller I want to test for
>  > object creation:
>  >
>  >   it "deberia crear una nueva persona en post create" do
>  >     Usuario.should_receive(:create).with({:nombre => "camilo", :clave
>  > => "secreta", :tipo => "administrador"}).and_return(@usuario)
>  >
>  >     post 'create', {:usuario => {:nombre => "camilo", :clave =>
>  > "secreta", :tipo => "administrador"}}
>  >   end
>  >
>  > But when I add this spec, I start getting this:
>  > 1)
>  > ActionController::InvalidAuthenticityToken in 'UsuarioController
>  > deberia crear una nueva persona en post create'
>  > No :secret given to the #protect_from_forgery call.  Set that or use a
>  > session store capable of generating its own keys (Cookie Session
>  > Store).
>  > ./spec/controllers/usuario_controller_spec.rb:30:
>  > script/spec:4:
>  >
>  > This is the only failure. Line 30 is the post "create".
>  >
>  > I am on Ruby 1.8.6, Rails 2.0.2, Rspec 1.1.3 (saw in
>  > vendor/plugins/rspec/CHANGES).
>  >
>  >
>  > I searched google for solutions, found this:
>  >
>  > http://blog.stonean.com/2007/12/rspec-and-protectfromforgery.html
>  >
>  > then I added
>  > @controller.class.protect_from_forgery :secret => "secretkey"
>  > in the before(:each) method. I put the same secret key I found in
>  > environment.rb. But now it gives me:
>  > ActionController::InvalidAuthenticityToken
>  >
>  > I am lost. Why this happens? should not work just fine from the rails
>  > default configuration?.
>  >
>  > I have not changed anything in the environment.rb nor application.rb.
>  > This is just a new project to learn BDD and RoR. Thanks for any clue
>  > to get this to work.
>  > _______________________________________________
>  > rspec-users mailing list
>  > rspec-users@rubyforge.org
>  > http://rubyforge.org/mailman/listinfo/rspec-users
>
>  I haven't tried any of this, but here's my guess:
>
>  One way to get this to work is to stub out protect_from_forgery:
>
>  controller.stub!(protect_from_forgery).and_return "foo"
>
>  The better question is: why would you intentionally remove a security
>  feature?
>
>  Scott
>
>
>
>
>
>
>  _______________________________________________
>  rspec-users mailing list
>  rspec-users@rubyforge.org
>  http://rubyforge.org/mailman/listinfo/rspec-users
>
_______________________________________________
rspec-users mailing list
rspec-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/rspec-users

Reply via email to