`
peryt
  • 浏览: 55294 次
  • 来自: ...
最近访客 更多访客>>
社区版块
存档分类
最新评论
  • waiting: 既然都指定了dataType为'script'那就不必特别在b ...
    jQuery

10.2 protect pages.

 
阅读更多

 

again, we will start from TDD!!!

 

 

1. since both edit and update need the same authentication, we can put their test together:

  describe "authentication of edit/update pages" do
    before(:each) do
      @user = Factory(:user)
    end
    describe "for not signed-in users" do
      it "should redirect to sign in page" do
        get :edit, :id => @user
        response.should redirect_to signin_path
      end
      it "should deny access to update" do
        put :update, :id => @user, :user => {}
        response.should redirect_to signin_path
      end
    end
  end
 
2. we will add before_filter to user controller to make this test pass:
class UsersController < ApplicationController
  before_filter :authenticate, :only => [:edit, :update]
  .
  private

    def authenticate
      deny_access unless signed_in?
    end
end
 
we still need to define the deny_access method, since it is kind of authentication, I'll put it into session helper:

def deny_access
  redirect_to signin_path, :notice => "please sign in first."
end
 note, this line of code is equivalent with two
flash[:notice] = ""
redirect_to signin_path
 you can also use:
redirect_to signin_path, :alert => "fdsfdsfsdf"
 but you can't use :success or :error in this contruction.

3. except need of user to sign in, we still need to make sure current user can't edit other user info.

start from TDD again!!!
describe UsersController do
  render_views
  .
  .
  .
  describe "authentication of edit/update pages" do
    .
    .
    .
    describe "for signed-in users" do

      before(:each) do
        wrong_user = Factory(:user, :email => "user@example.net")
        test_sign_in(wrong_user)
      end

      it "should require matching users for 'edit'" do
        get :edit, :id => @user
        response.should redirect_to(root_path)
      end

      it "should require matching users for 'update'" do
        put :update, :id => @user, :user => {}
        response.should redirect_to(root_path)
      end
    end
  end
end
 
4. now to make the test pass, we need to add a new before filter to user controller.
class UsersController < ApplicationController
  before_filter :authenticate, :only => [:edit, :update]
  before_filter :correct_user, :only => [:edit, :update]
  .
  .
  .
  def edit
    @title = "Edit user"
  end
  .
  .
  .
  private

    def authenticate
      deny_access unless signed_in?
    end

    def correct_user
      @user = User.find(params[:id])
      redirect_to(root_path) unless current_user?(@user)
    end
end
 
module SessionsHelper
  .
  .
  .
  def current_user?(user)
    user == current_user
  end

  def deny_access
    redirect_to signin_path, :notice => "Please sign in to access this page."
  end

  private
    .
    .
    .
end
 
now we have make our site very safe.

5. now we are doing some useful thing:

if a unsigned in user try to visit a protected page, he is redirected to the sign in page, then after he sign in, he is always redirected to the profile page, what we want is to redirect the user to the page he was trying to visit.

this is a very good work flow to be tested by the integration test!

so let's write a integration test for this flow first.
require 'spec_helper'

describe "FriendlyForwardings" do

  it "should forward to the requested page after signin" do
    user = Factory(:user)
    visit edit_user_path(user)
    # The test automatically follows the redirect to the signin page.
    fill_in :email,    :with => user.email
    fill_in :password, :with => user.password
    click_button
    # The test follows the redirect again, this time to users/edit.
    response.should render_template('users/edit')
  end
end
 
you may wondering, why I use 
should render_template()
instead of 
should redirect_to()

because, in integration test, it will follow the redirect, so response.should redirect_to will not work.

6. next, we will do the implementation to make the test pass.
how do we do this?
a. since http is stateless, we have to use session to store the requested url in last request, then get it from session in the new request.(the things in session will expire when browser close.)
b. we will use the request object to get the url.

module SessionsHelper
  .
  .
  .
  def deny_access
    store_location
    redirect_to signin_path, :notice => "Please sign in to access this page."
  end

  def redirect_back_or(default)
    redirect_to(session[:return_to] || default)
    clear_return_to
  end

  private
    .
    .
    .
    def store_location
      session[:return_to] = request.fullpath
    end

    def clear_return_to
      session[:return_to] = nil
    end
end
 



分享到:
评论

相关推荐

    oracle10G 10.2.0.5.19 补丁集 p20299014 linux hp-ux aix

    oracle10G 10.2.0.5.19 补丁集 p20299014 linux hp-ux aix linux 64 10.2.0.5.19补丁集,4个包。 http://download.csdn.net/detail/iaihah/9545156 http://download.csdn.net/detail/iaihah/9545166 ...

    ojdbc14-10.2.0.1.0.jar和ojdbc14-10.2.0.1.0.jar安装到本地仓库说明

    Oracle数据库的驱动包,阿里云maven镜像服务器上没有这个,下载后需要手动导包,里面有ojdbc14-10.2.0.1.0.jar和ojdbc14-10.2.0.1.0.jar安装到本地仓库说明。

    ojdbc14-10.2.0.2.0.jar.zip

    标题中的"ojdbc14-10.2.0.2.0.jar.zip"是一个包含Oracle JDBC驱动程序的压缩文件,主要用于在Java应用程序中连接到Oracle数据库。Oracle JDBC驱动程序,也称为Oracle Thin Driver,是Java开发人员用来与Oracle数据库...

    ojdbc14-10.2.0.3.0.jar.zip

    Oracle JDBC驱动程序是Java应用程序与Oracle数据库之间通信的桥梁,ojdbc14-10.2.0.3.0.jar是Oracle公司为Java开发者提供的一款特定版本的JDBC驱动程序,用于支持Java应用程序连接Oracle数据库。这个版本的驱动对应...

    BlueSoleil_千月蓝牙10.2.497.0开心版

    BlueSoleil_千月蓝牙10.2.497.0开心版,安装后就可以开心的使用了。压缩包内有安装说明,建议安装后进设置关闭界面上的广告,这样看起来就更加舒心了。推荐给你使用。

    ojdbc14-10.2.0.4.0.jar

    Oracle JDBC驱动程序是Java应用程序与Oracle数据库之间通信的桥梁,ojdbc14-10.2.0.4.0.jar文件就是Oracle公司为Java开发者提供的一个特定版本的JDBC驱动包。这个版本对应于Oracle数据库10g的某个更新集,确保了Java...

    ojdbc14-10.2.0.3.0.jar

    标题中的"ojdbc14-10.2.0.3.0.jar"是指Oracle JDBC驱动的一个特定版本,这是Oracle数据库与Java应用程序进行交互的重要组件。Oracle JDBC驱动程序允许Java开发者编写程序,以便连接到Oracle数据库,执行SQL查询,...

    oracle数据驱动包:ojdbc14-10.2.0.3.0.jar

    Oracle 数据驱动包 `ojdbc14-10.2.0.3.0.jar` 是 Oracle 公司为 Java 应用程序提供的一种用于连接 Oracle 数据库的关键组件。Oracle JDBC (Java Database Connectivity) 驱动允许 Java 程序通过 JDBC API 与 Oracle ...

    ojdbc14-10.2.0.5.0.jar驱动.rar

    ojdbc14-10.2.0.5.0.jar驱动是一款专为Oracle数据库设计的Java JDBC驱动程序,主要用于帮助Java应用程序与Oracle数据库进行通信。Oracle JDBC驱动分为多个版本,其中ojdbc14是针对JDBC 3.0规范的一个版本,适用于...

    最新 flash debug 10.2.152.26

    flashplayer_10_ax_debug10.2.152.26.exe flashplayer_10_plugin_debug10.2.152.26.exe uninstall_flash_player10.2.152.26.exe

    Win10Pcap-v10.2-5002.msi.7z

    "Win10Pcap-v10.2-5002.msi" 是专门为解决此问题而提供的Win10版本的PCAP驱动程序。 PCAP(Packet Capture)是网络数据包捕获库,它为Wireshark和其他网络分析工具提供底层接口,以便能够读取和写入网络流量。在...

    oracle jdbc驱动 ojdbc14-10.2.0.4.0.jar

    &lt;version&gt;10.2.0.4.0 安装到仓库 mvn install:install-file -DgroupId=com.oracle -DartifactId=ojdbc14 -Dversion=10.2.0.4.0 -Dpackaging=jar -Dfile=D:\download\ojdbc14-10.2.0.4.0.jar

    com.adobe.flashplayer-10.2.156.12

    com.adobe.flashplayer-10.2.156.12.apk

    Embarcadero.Delphi.10.2.Activator.v14.0

    Embarcadero.Delphi.10.2.Activator.v14.0

    Autodesk Licensing Service Update-10.2.0.4231.zip

    下载并解压缩 Autodesk Licensing Service - 10.2.0.4231 安装程序文件。 右键单击 AdskLicensing-installer.exe 文件,然后转到“属性”&gt;“常规”选项卡。 重要信息:如果窗口底部显示“安全”部分(如以下屏幕截图...

    instantclient-basic-win32-10.2.0.5.zip

    标题 "instantclient-basic-win32-10.2.0.5.zip" 指的是 Oracle Instant Client 的一个特定版本,适用于 Windows 32 位操作系统。Oracle Instant Client 是 Oracle 公司提供的一套轻量级软件包,它允许应用程序在不...

    ojdbc14-10.2.0.3.0.zip

    "ojdbc14-10.2.0.3.0.zip"是一个包含Oracle JDBC驱动的压缩文件,其版本号为10.2.0.3.0,这是Oracle 10g Release 2 (10.2)的一部分。在这个压缩包中,主要的文件是"ojdbc14-10.2.0.3.0.jar",它是JDBC驱动的实现。 ...

Global site tag (gtag.js) - Google Analytics