On Sat, Feb 28, 2009 at 11:52 AM, Chris Flipse <cfli...@gmail.com> wrote:

> I've been going back over some legacy code, backfilling tests, and I'm
> encountering something that is causing no small amount of pain. This is in
> a mature Rails app, that's lived and migrated from 1.1 through to 2.1, so
> there's a lot of ancient cruft built up in the corners that I've been trying
> to clean up.
>
> My question/pain point revolves around authorization. In at least two
> different models in the system -- areas that are core to the functionality
> -- there are models that run through a state transition. Only certain users
> are allowed to make those transitions, however. Your basic "only an admin
> can publish an article" kind of restrictions.
>
> These models show up across most of the app -- several different
> controllers. As such, long, long ago, someone patched the site
> authentication code to assign a User.current singleton inside the
> login_required filter.
Unless I'm missing something, this seems like the problem is wider than
testability. Let's say I log in. Right now I am User.current. Now you log
in, and become User.current. Now I go to view some resource that I am not
permitted to see, but I get to see it because you are permitted and YOU are
the User.current. Am I missing something?

> This is then used by several models, sometimes to
> populate an updated_by stamp, sometimes it's actually used within a model's
> validations(!), and it's definitely used within some of the state-transition
> guards.
>
> Now, this is really just a global variable by another name, and it's pretty
> well embedded after two years. I've come upon a whole bunch of different
> pain points in trying to set up data (real data) within the cucumber steps
> I've been backfilling. Lacking any support of injection, I end up doing a
> lot of juggling of the User.current value, just to get some test data built
> and in the right set of states ... and while I can bury the temporary
> reassignments necessary inside a block, it still feels like it's an
> intractable mess.
>
> I know *why* this was originally done -- to avoid having to pass User
> objects around all the time, and it does _appear_ to keep the API clean --
> but the hidden dependency isn't really clean.
>
> So, does anyone have any suggestions of how to easily manage model level
> user authorization?
>
> --
> // anything worth taking seriously is worth making fun of
> // http://blog.devcaffeine.com/
>
> _______________________________________________
> rspec-users mailing list
> rspec-users@rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
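The failure mode the reply describes (one process-wide User.current slot overwritten by whichever login ran last) next to the explicit-actor alternative the original post is asking about, as an added example in plain Ruby. This is not code from the thread or from the app under discussion; the User and Article classes, the publish_via_global! / publish! methods and the two demo functions are constructed for illustration, and no Rails is needed to run it.

```ruby
class User
  attr_reader :name

  # Process-wide singleton, as in the quoted post: a single slot shared
  # by every request the process is serving.
  class << self
    attr_accessor :current
  end

  def initialize(name, admin: false)
    @name = name
    @admin = admin
  end

  def admin?
    @admin
  end
end

class Article
  attr_reader :state

  def initialize
    @state = :draft
  end

  # Legacy style: the transition guard reads the hidden global.
  def publish_via_global!
    raise "not authorized" unless User.current && User.current.admin?
    @state = :published
    self
  end

  # Explicit style: the acting user is a parameter, so tests inject it
  # directly and nothing carries over between requests.
  def publish!(actor)
    raise "not authorized" unless actor.admin?
    @state = :published
    self
  end
end

# Interleaving from the reply: a non-admin logs in, then an admin logs in
# in the same process (overwriting the singleton), then the non-admin's
# request reaches the guard. Users here are constructed sample data.
def global_leak_demo
  alice = User.new("alice")                 # not an admin
  bob   = User.new("bob", admin: true)
  article = Article.new

  User.current = alice          # Alice's request passes login_required
  User.current = bob            # Bob's request passes login_required
  article.publish_via_global!   # Alice's request: guard sees Bob, passes
  article.state                 # => :published, though Alice is not an admin
ensure
  User.current = nil            # reset so the leak doesn't bleed into later calls
end

# Same two users with the explicit actor: the outcome depends only on the
# argument, regardless of what the global happens to hold.
def explicit_demo
  alice = User.new("alice")
  bob   = User.new("bob", admin: true)
  User.current = bob            # stale value from some earlier request; irrelevant here
  results = { bob: Article.new.publish!(bob).state }
  begin
    Article.new.publish!(alice)
    results[:alice] = :published
  rescue RuntimeError
    results[:alice] = :denied
  end
  results
ensure
  User.current = nil
end

if __FILE__ == $PROGRAM_NAME
  p global_leak_demo   # :published
  p explicit_demo      # {:bob=>:published, :alice=>:denied}
end
```

The point of the second function is the one the original post is circling: once the actor is an argument, a cucumber step can build data as any user by passing that user, with no juggling of User.current and no risk that a value left over from an earlier step decides an authorization check.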