I presume the feature is well tested in Rails and disable it in the
test environment (which is done by default, I think).
# in config/environments/test.rb
# Disable request forgery protection in test environment
config.action_controller.allow_forgery_protection = false
-Mike
On Sat, Mar 15, 2008 at 2:26 PM, Scott Taylor
<[EMAIL PROTECTED]> wrote:
>
>
> On Mar 16, 2008, at 2:41 PM, Camilo Torres wrote:
>
> > I am getting started with BDD. When speccing the controller I want to test for
> > object creation:
> >
> > it "deberia crear una nueva persona en post create" do
> > Usuario.should_receive(:create).with({:nombre => "camilo", :clave
> > => "secreta", :tipo => "administrador"}).and_return(@usuario)
> >
> > post 'create', {:usuario => {:nombre => "camilo", :clave =>
> > "secreta", :tipo => "administrador"}}
> > end
> >
> > But when I add this spec, I start getting this:
> > 1)
> > ActionController::InvalidAuthenticityToken in 'UsuarioController
> > deberia crear una nueva persona en post create'
> > No :secret given to the #protect_from_forgery call. Set that or use a
> > session store capable of generating its own keys (Cookie Session
> > Store).
> > ./spec/controllers/usuario_controller_spec.rb:30:
> > script/spec:4:
> >
> > This is the only failure. Line 30 is the post "create".
> >
> > I am on Ruby 1.8.6, Rails 2.0.2, Rspec 1.1.3 (saw in
> > vendor/plugins/rspec/CHANGES).
> >
> >
> > I searched Google for solutions, found this:
> >
> > http://blog.stonean.com/2007/12/rspec-and-protectfromforgery.html
> >
> > then I added
> > @controller.class.protect_from_forgery :secret => "secretkey"
> > in the before(:each) method. I put the same secret key I found in
> > environment.rb. But now it gives me:
> > ActionController::InvalidAuthenticityToken
> >
> > I am lost. Why does this happen? Shouldn't it work just fine with the Rails
> > default configuration?
> >
> > I have not changed anything in the environment.rb nor application.rb.
> > This is just a new project to learn BDD and RoR. Thanks for any clue
> > to get this to work.
> > _______________________________________________
> > rspec-users mailing list
> > [email protected]
> > http://rubyforge.org/mailman/listinfo/rspec-users
>
> I haven't tried any of this, but here's my guess:
>
> One way to get this to work is to stub out protect_from_forgery:
>
> controller.stub!(:protect_from_forgery).and_return "foo"
>
> The better question is: why would you intentionally remove a security
> feature?
>
> Scott
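The two errors reported in the thread, and the effect of the `test.rb` setting, shown as an added example that is not part of the original messages and is not Rails' own code. It is a simplified, Rails-free model: `ForgeryCheck`, `outcome`, the HMAC-of-session-id token and the sample values are assumptions made for illustration.

```ruby
require 'openssl'

# Simplified, Rails-free model of the token check (an assumption, not Rails source).
class InvalidAuthenticityToken < StandardError; end

class ForgeryCheck
  # allow  models config.action_controller.allow_forgery_protection
  # secret models the :secret option passed to protect_from_forgery
  def initialize(allow:, secret: nil)
    @allow = allow
    @secret = secret
  end

  # Token bound to the session; it cannot be computed without a secret.
  def token_for(session_id)
    raise InvalidAuthenticityToken, 'No :secret given' if @secret.nil?
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret, session_id)
  end

  # Returns :ok or raises, the way a before-filter would reject the request.
  def verify!(method, params, session_id)
    return :ok unless @allow       # protection switched off, as in test.rb
    return :ok if method == :get   # only state-changing requests are checked
    expected = token_for(session_id)
    given = params[:authenticity_token].to_s
    raise InvalidAuthenticityToken unless constant_time_equal?(given, expected)
    :ok
  end

  private

  # Compare without returning early on the first differing byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

SESSION_ID = 'constructed-session-id' # constructed sample value
FORM = { usuario: { nombre: 'camilo' } }.freeze # POST body without a token

# Result of a request as a value: :ok, or the error message when rejected.
def outcome(check, method, params)
  check.verify!(method, params, SESSION_ID)
rescue InvalidAuthenticityToken => e
  e.message
end
```

In this model, supplying a secret only changes which error the tokenless POST produces; the request passes when it carries the matching token or when protection is switched off for the test environment.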