Thanks Zach,
Your suggestion has put me back on track.
Cheers,
Omar
On 17 Nov 2008, at 00:13, Zach Dennis wrote:
On Sun, Nov 16, 2008 at 5:53 PM, Sahyoun <[EMAIL PROTECTED]> wrote:
Hello,
I'm speccing a controller, but having trouble getting my head around what I've created.
I'm speccing a products controller for an admin user. Two before filters check the user is logged in and authorized. A logged-in user only has admin privileges within her own subdomain. So, sarah, when logged in, can only administer products at sarah.mysite.com/admin/products.
Since there are two account types that require authentication (supplier and customer), the user model is polymorphic:
class User
  belongs_to :allowable, :polymorphic => true
  ...
end

class Supplier
  has_many :users, :as => :allowable
end

class Customer
  has_one :user, :as => :allowable
end
A supplier has their own subdomain (sarah.mysite.com) and a customer has a profile page at mysite.com/people/joe.
When sarah is logged in, I check she has permission to edit content at sarah.mysite.com with:
def authorized_resource?(resource)
  current_user.allowable == resource
end
I would probably change this method so you are pushing the responsibility onto your user. For example, I might change the authorized_resource? method to look like:
def authorized_resource?(resource)
  current_user.can_access?(resource)
end
Now in your example you can stub/expect the interaction with the user object. Pushing this decision for who can access what really should stay out of your controller. Even though the authorization check is quite simple right now (i.e. user.allowable == resource) this puts more logic in your controller, makes it slightly harder to test and also re-use.
Hope this helps,
Zach
'resource' being a supplier or customer object.
My mind is failing me trying to describe Admin::ProductsController:
http://pastie.org/316414
Both examples pass, but I'm not sure I understand exactly what I'm doing. In particular, can I make:
it "should send unauthorized user to home page" do
  controller.should_receive(:authorized_resource?).and_return false
  do_get
  response.should redirect_to(home_path)
end
pass without stubbing the false return. How can I set up the mock instances, so that the controller method 'authorized_resource?' actually returns false? Any guidance would be much appreciated.
many thanks
Omar
_______________________________________________
rspec-users mailing list
rspec-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/rspec-users
--
Zach Dennis
http://www.continuousthinking.com
http://www.mutuallyhuman.com
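The split Zach describes, worked through as an added example (this is not code from the thread or from Omar's pastie): the User decides who may administer which record via can_access?, the controller only asks the user, and a spec can then replace that one message with a double instead of building a real unauthorized user. Supplier, Customer and User are plain Ruby stand-ins for the ActiveRecord models in the post; ProductsController, its index action, the "/" home path and the sample records are assumptions for illustration.

```ruby
# Added example, not the thread's code. Plain-Ruby stand-ins for the models in
# the post; the authorization rule moves onto User#can_access? as Zach suggests.
# ProductsController, index, "/" and the sample records are assumptions.

Supplier = Struct.new(:subdomain)   # a supplier owns sarah.mysite.com
Customer = Struct.new(:login)       # a customer has mysite.com/people/joe

class User
  attr_reader :login, :allowable    # allowable plays the polymorphic role

  def initialize(login, allowable)
    @login, @allowable = login, allowable
  end

  # The rule lives on the model: a user may administer only the supplier or
  # customer record she belongs to. Object identity here stands in for
  # ActiveRecord's == (same class and id); attribute equality would be wrong,
  # since two distinct records could carry the same subdomain string.
  def can_access?(resource)
    allowable.equal?(resource)
  end
end

# Minimal stand-in for Admin::ProductsController: it asks the user and never
# inspects allowable itself, so the decision is one stubbable message.
class ProductsController
  attr_reader :current_user, :redirected_to

  def initialize(current_user, resource)
    @current_user, @resource = current_user, resource
  end

  def authorized_resource?(resource)
    current_user.can_access?(resource)
  end

  # Models the before filter: an unauthorized request is sent to the home page
  # and the action body never runs.
  def index
    unless authorized_resource?(@resource)
      @redirected_to = "/"            # home_path in the post
      return :redirected
    end
    :rendered
  end
end

# Constructed sample data for the scenario in the thread. A supplier has_many
# users, so a colleague attached to the same Supplier record is also allowed.
SARAH_SHOP = Supplier.new("sarah")
JOE        = Customer.new("joe")
SARAH      = User.new("sarah", SARAH_SHOP)
COLLEAGUE  = User.new("colleague", SARAH_SHOP)

def sarah_on_own_subdomain
  ProductsController.new(SARAH, SARAH_SHOP).index      # => :rendered
end

def colleague_on_sarah_subdomain
  ProductsController.new(COLLEAGUE, SARAH_SHOP).index  # => :rendered
end

def sarah_on_customer_page
  ProductsController.new(SARAH, JOE).index             # => :redirected
end

# The spec-side view: a hand-rolled double answering can_access? with false
# drives the redirect without any real user or allowable record. In RSpec this
# is current_user.should_receive(:can_access?).and_return(false).
def controller_with_stubbed_denial
  fake_user = Object.new
  fake_user.define_singleton_method(:can_access?) { |_resource| false }
  ProductsController.new(fake_user, SARAH_SHOP).index  # => :redirected
end
```

The point of the last function is Zach's: once the controller's only authorization dependency is a single method on the user, the controller spec needs no fixtures or subdomain setup to cover the unauthorized path, and the real rule gets its own unit spec on User.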