On Sun, Nov 16, 2008 at 5:53 PM, Sahyoun <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm specing a controller, but having trouble getting my head around what
> I've created.
>
> I'm specing a products controller for an admin user. Two before filters
> check the user is logged in and authorized.
> A logged-in user only has admin privileges within her own subdomain. So,
> sarah, when logged in
> can only administer products at sarah.mysite.com/admin/products.
>
> Since there are two account types that require authentication (supplier and
> customer),
> the user model is polymorphic:
>
> class User
>   belongs_to :allowable, :polymorphic => true
>   ...
> end
>
> class Supplier
>   has_many :users, :as => :allowable
> end
>
> class Customer
>   has_one :user, :as => :allowable
> end
>
> A supplier has their own subdomain (sarah.mysite.com) and a customer has a
> profile page at mysite.com/people/joe.
>
> When sarah is logged-in, I check she has permission to edit content at
> sarah.mysite.com with:
>
> def authorized_resource?(resource)
>   current_user.allowable == resource
> end
I would probably change this method so you are pushing the responsibility
onto your user. For example, I might change the authorized_resource? method
to look like:

def authorized_resource?(resource)
  current_user.can_access?(resource)
end

Now in your example you can stub/expect the interaction with the user
object. Pushing this decision for who can access what really should stay
out of your controller. Even though the authorization check is quite simple
right now (ie: user.allowable == resource) this puts more logic in your
controller, makes it slightly harder to test and also re-use.

Hope this helps,

Zach

>
> 'resource' being a supplier or customer object.
>
> My mind is failing me trying to describe Admin::ProductsController:
>
> http://pastie.org/316414
>
> Both examples pass, but I'm not sure I understand exactly what I'm doing. In
> particular, can I make:
>
> it "should send unauthorized user to home page" do
>   controller.should_receive(:authorized_resource?).and_return false
>   do_get
>   response.should redirect_to(home_path)
> end
>
> pass without stubbing the false return. How can I set up the mock instances,
> so that the controller method
> 'authorized_resource?' actually returns a false method. Any guidance would
> be much appreciated.
>
> many thanks
>
> Omar
>
>
> _______________________________________________
> rspec-users mailing list
> rspec-users@rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
>

--
Zach Dennis
http://www.continuousthinking.com
http://www.mutuallyhuman.com
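As an added illustration of where Zach's suggestion leads (this is not code from the thread or from the pastie): the authorization decision lives on the user as `can_access?`, so it can be exercised directly without mocking the controller, and it denies by default, which a bare `allowable == resource` does not when both sides are nil. Plain Ruby stands in for the ActiveRecord models; `admin_products_filter` and the subdomain lookup hash are hypothetical helpers standing in for the before filter.

```ruby
# Plain-Ruby stand-ins for the thread's ActiveRecord models (assumption: no
# Rails is loaded, so the polymorphic `allowable` is just an object reference).
Supplier = Struct.new(:subdomain)
Customer = Struct.new(:handle)

class User
  attr_reader :allowable

  def initialize(allowable)
    @allowable = allowable
  end

  # Zach's suggestion: the user, not the controller, answers "may I
  # administer this resource?". Deny by default: a user with no allowable
  # record, or a lookup that found no resource, is refused. A bare
  # `allowable == resource` would answer true when both sides are nil.
  def can_access?(resource)
    return false if allowable.nil? || resource.nil?
    allowable == resource
  end
end

# Stand-in for the controller's before filter (hypothetical helper): resolve
# the resource from the request subdomain, then ask the user. Returns :ok or
# :redirect_home, mirroring the spec's redirect_to(home_path) expectation.
def admin_products_filter(current_user, suppliers_by_subdomain, subdomain)
  resource = suppliers_by_subdomain[subdomain]
  return :redirect_home if current_user.nil?
  current_user.can_access?(resource) ? :ok : :redirect_home
end
```

With the check on the model, the controller spec only needs `current_user.should_receive(:can_access?).and_return(false)`; the real true/false cases are covered by a model spec against `can_access?`.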