This is kind of a two part question.
Question One: I want to be sure that an Order model is protecting
sensitive attributes from mass assignment.
The example looks like this:
describe Order do
it "should protect total attribute from mass assignment" do
@order = Order.new(:total => 0.05)
@order.total.should_not == 0.05
end
end
And the code to implement it:
class Order < ActiveRecord::Base
attr_protected :total
end
It seems to work, but is there a better way? Not saying that this way
is bad, just that I''m very green :)
Question Two: I actually have a bunch of attributes that need to be
protected. Rather than hand-writing a call to the ''it'' method
for each
attribute, could I just loop over an array of attributes that need to
be checked and programatically define the ''it'' calls?
Pseudo-code:
describe Order do
[:total, :id, :customer_ip, :status, :error_message, :updated_at,
:created_at, :finalize, :tax, :shipping].each do |attribute|
it "should protect #{attribute} attributes from mass assignment"
do
@order = Order.new(attribute => ''hax0rz'')
@order.attribute.should_not == ''hax0rz''
end
end
end
What would the actual implementation look like?
On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:> This is kind of a two part question. > > Question One: I want to be sure that an Order model is protecting > sensitive attributes from mass assignment. > > The example looks like this: > > describe Order do > it "should protect total attribute from mass assignment" do > @order = Order.new(:total => 0.05) > @order.total.should_not == 0.05 > end > end > > And the code to implement it: > > class Order < ActiveRecord::Base > attr_protected :total > end > > > It seems to work, but is there a better way? Not saying that this way > is bad, just that I''m very green :)This seems pretty good to me. You''re not cluttering up the example with what the value of total IS - just what it is not, which is the thing you''re interested in.> > > Question Two: I actually have a bunch of attributes that need to be > protected. Rather than hand-writing a call to the ''it'' method for each > attribute, could I just loop over an array of attributes that need to > be checked and programatically define the ''it'' calls? > > Pseudo-code: > > describe Order do > [:total, :id, :customer_ip, :status, :error_message, :updated_at, > :created_at, :finalize, :tax, :shipping].each do |attribute| > it "should protect #{attribute} attributes from mass assignment" do > @order = Order.new(attribute => ''hax0rz'') > @order.attribute.should_not == ''hax0rz'' > end > end > end > > What would the actual implementation look like?I think it would look exactly like what you wrote. Have you tried it?
On 5/30/07, David Chelimsky <dchelimsky at gmail.com> wrote:> On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:[...]> > Question Two: I actually have a bunch of attributes that need to be > > protected. Rather than hand-writing a call to the ''it'' method for each > > attribute, could I just loop over an array of attributes that need to > > be checked and programatically define the ''it'' calls? > > > > Pseudo-code: > > > > describe Order do > > [:total, :id, :customer_ip, :status, :error_message, :updated_at, > > :created_at, :finalize, :tax, :shipping].each do |attribute| > > it "should protect #{attribute} attributes from mass assignment" do > > @order = Order.new(attribute => ''hax0rz'') > > @order.attribute.should_not == ''hax0rz'' > > end > > end > > end > > > > What would the actual implementation look like? > > I think it would look exactly like what you wrote. Have you tried it?I do exactly the same: [:title, :content_type, :basename].each do |attr| it { @asset.should have_present(attr) } end [:title, :basename].each do |attr| it { @asset.should have_unique(attr) } end In this case, I use the self description provided by matchers, but works also with #{} for double quoted strings. -- Luis Lavena Multimedia systems - Leaders are made, they are not born. They are made by hard effort, which is the price which all of us must pay to achieve any goal that is worthwhile. Vince Lombardi
Wow. It does work. I didn''t even bother to try it because I figured that calling ''it'' inside of the ''each'' block would not be the same as calling ''it'' directly inside of the ''describe'' block. I''ve never actually written a method that yields to a block. I''m still trying to fit into my Rubyist pants. So Ruby actually yields down into the ''each'' block from the parent ''describe'' block? On 5/30/07, David Chelimsky <dchelimsky at gmail.com> wrote:> On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote: > > This is kind of a two part question. > > > > Question One: I want to be sure that an Order model is protecting > > sensitive attributes from mass assignment. > > > > The example looks like this: > > > > describe Order do > > it "should protect total attribute from mass assignment" do > > @order = Order.new(:total => 0.05) > > @order.total.should_not == 0.05 > > end > > end > > > > And the code to implement it: > > > > class Order < ActiveRecord::Base > > attr_protected :total > > end > > > > > > It seems to work, but is there a better way? Not saying that this way > > is bad, just that I''m very green :) > > This seems pretty good to me. You''re not cluttering up the example > with what the value of total IS - just what it is not, which is the > thing you''re interested in. > > > > > > > Question Two: I actually have a bunch of attributes that need to be > > protected. Rather than hand-writing a call to the ''it'' method for each > > attribute, could I just loop over an array of attributes that need to > > be checked and programatically define the ''it'' calls? > > > > Pseudo-code: > > > > describe Order do > > [:total, :id, :customer_ip, :status, :error_message, :updated_at, > > :created_at, :finalize, :tax, :shipping].each do |attribute| > > it "should protect #{attribute} attributes from mass assignment" do > > @order = Order.new(attribute => ''hax0rz'') > > @order.attribute.should_not == ''hax0rz'' > > end > > end > > end > > > > What would the actual implementation look like? > > I think it would look exactly like what you wrote. Have you tried it? > _______________________________________________ > rspec-users mailing list > rspec-users at rubyforge.org > http://rubyforge.org/mailman/listinfo/rspec-users >
Hmmm.... scratch that. I actually had a typo in my code. After
correcting the typo, It looks like the code is trying to literally
call @order.attribute rather than @order.id, @order.total, etc...
Is eval the best option?
eval("@order.#{attribute}.should_not == ''hax0rz''")
On 5/30/07, Jed Hurt <jed.hurt at gmail.com>
wrote:> Wow. It does work. I didn''t even bother to try it because I
figured
> that calling ''it'' inside of the ''each''
block would not be the same as
> calling ''it'' directly inside of the
''describe'' block. I''ve never
> actually written a method that yields to a block. I''m still trying
to
> fit into my Rubyist pants.
>
> So Ruby actually yields down into the ''each'' block from
the parent
> ''describe'' block?
>
> On 5/30/07, David Chelimsky <dchelimsky at gmail.com> wrote:
> > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:
> > > This is kind of a two part question.
> > >
> > > Question One: I want to be sure that an Order model is protecting
> > > sensitive attributes from mass assignment.
> > >
> > > The example looks like this:
> > >
> > > describe Order do
> > > it "should protect total attribute from mass
assignment" do
> > > @order = Order.new(:total => 0.05)
> > > @order.total.should_not == 0.05
> > > end
> > > end
> > >
> > > And the code to implement it:
> > >
> > > class Order < ActiveRecord::Base
> > > attr_protected :total
> > > end
> > >
> > >
> > > It seems to work, but is there a better way? Not saying that this
way
> > > is bad, just that I''m very green :)
> >
> > This seems pretty good to me. You''re not cluttering up the
example
> > with what the value of total IS - just what it is not, which is the
> > thing you''re interested in.
> >
> > >
> > >
> > > Question Two: I actually have a bunch of attributes that need to
be
> > > protected. Rather than hand-writing a call to the
''it'' method for each
> > > attribute, could I just loop over an array of attributes that
need to
> > > be checked and programatically define the ''it''
calls?
> > >
> > > Pseudo-code:
> > >
> > > describe Order do
> > > [:total, :id, :customer_ip, :status, :error_message,
:updated_at,
> > > :created_at, :finalize, :tax, :shipping].each do |attribute|
> > > it "should protect #{attribute} attributes from mass
assignment" do
> > > @order = Order.new(attribute =>
''hax0rz'')
> > > @order.attribute.should_not == ''hax0rz''
> > > end
> > > end
> > > end
> > >
> > > What would the actual implementation look like?
> >
> > I think it would look exactly like what you wrote. Have you tried it?
> > _______________________________________________
> > rspec-users mailing list
> > rspec-users at rubyforge.org
> > http://rubyforge.org/mailman/listinfo/rspec-users
> >
>
On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:> Hmmm.... scratch that. I actually had a typo in my code. After > correcting the typo, It looks like the code is trying to literally > call @order.attribute rather than @order.id, @order.total, etc... > > Is eval the best option? > > eval("@order.#{attribute}.should_not == ''hax0rz''")That, or (I think): (@order.send attribute).should)_not == hax0rz''> > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote: > > Wow. It does work. I didn''t even bother to try it because I figured > > that calling ''it'' inside of the ''each'' block would not be the same as > > calling ''it'' directly inside of the ''describe'' block. I''ve never > > actually written a method that yields to a block. I''m still trying to > > fit into my Rubyist pants. > > > > So Ruby actually yields down into the ''each'' block from the parent > > ''describe'' block? > > > > On 5/30/07, David Chelimsky <dchelimsky at gmail.com> wrote: > > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote: > > > > This is kind of a two part question. > > > > > > > > Question One: I want to be sure that an Order model is protecting > > > > sensitive attributes from mass assignment. > > > > > > > > The example looks like this: > > > > > > > > describe Order do > > > > it "should protect total attribute from mass assignment" do > > > > @order = Order.new(:total => 0.05) > > > > @order.total.should_not == 0.05 > > > > end > > > > end > > > > > > > > And the code to implement it: > > > > > > > > class Order < ActiveRecord::Base > > > > attr_protected :total > > > > end > > > > > > > > > > > > It seems to work, but is there a better way? Not saying that this way > > > > is bad, just that I''m very green :) > > > > > > This seems pretty good to me. You''re not cluttering up the example > > > with what the value of total IS - just what it is not, which is the > > > thing you''re interested in. > > > > > > > > > > > > > > > Question Two: I actually have a bunch of attributes that need to be > > > > protected. Rather than hand-writing a call to the ''it'' method for each > > > > attribute, could I just loop over an array of attributes that need to > > > > be checked and programatically define the ''it'' calls? > > > > > > > > Pseudo-code: > > > > > > > > describe Order do > > > > [:total, :id, :customer_ip, :status, :error_message, :updated_at, > > > > :created_at, :finalize, :tax, :shipping].each do |attribute| > > > > it "should protect #{attribute} attributes from mass assignment" do > > > > @order = Order.new(attribute => ''hax0rz'') > > > > @order.attribute.should_not == ''hax0rz'' > > > > end > > > > end > > > > end > > > > > > > > What would the actual implementation look like? > > > > > > I think it would look exactly like what you wrote. Have you tried it? > > > _______________________________________________ > > > rspec-users mailing list > > > rspec-users at rubyforge.org > > > http://rubyforge.org/mailman/listinfo/rspec-users > > > > > > _______________________________________________ > rspec-users mailing list > rspec-users at rubyforge.org > http://rubyforge.org/mailman/listinfo/rspec-users >
On 5/31/07, David Chelimsky <dchelimsky at gmail.com> wrote:> On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote: > > Hmmm.... scratch that. I actually had a typo in my code. After > > correcting the typo, It looks like the code is trying to literally > > call @order.attribute rather than @order.id, @order.total, etc... > > > > Is eval the best option? > > > > eval("@order.#{attribute}.should_not == ''hax0rz''") > > That, or (I think): > > (@order.send attribute).should)_not == hax0rz'' >Sorry - typo - this: (@order.send attribute).should_not == hax0rz''> > > > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote: > > > Wow. It does work. I didn''t even bother to try it because I figured > > > that calling ''it'' inside of the ''each'' block would not be the same as > > > calling ''it'' directly inside of the ''describe'' block. I''ve never > > > actually written a method that yields to a block. I''m still trying to > > > fit into my Rubyist pants. > > > > > > So Ruby actually yields down into the ''each'' block from the parent > > > ''describe'' block? > > > > > > On 5/30/07, David Chelimsky <dchelimsky at gmail.com> wrote: > > > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote: > > > > > This is kind of a two part question. > > > > > > > > > > Question One: I want to be sure that an Order model is protecting > > > > > sensitive attributes from mass assignment. > > > > > > > > > > The example looks like this: > > > > > > > > > > describe Order do > > > > > it "should protect total attribute from mass assignment" do > > > > > @order = Order.new(:total => 0.05) > > > > > @order.total.should_not == 0.05 > > > > > end > > > > > end > > > > > > > > > > And the code to implement it: > > > > > > > > > > class Order < ActiveRecord::Base > > > > > attr_protected :total > > > > > end > > > > > > > > > > > > > > > It seems to work, but is there a better way? Not saying that this way > > > > > is bad, just that I''m very green :) > > > > > > > > This seems pretty good to me. You''re not cluttering up the example > > > > with what the value of total IS - just what it is not, which is the > > > > thing you''re interested in. > > > > > > > > > > > > > > > > > > > Question Two: I actually have a bunch of attributes that need to be > > > > > protected. Rather than hand-writing a call to the ''it'' method for each > > > > > attribute, could I just loop over an array of attributes that need to > > > > > be checked and programatically define the ''it'' calls? > > > > > > > > > > Pseudo-code: > > > > > > > > > > describe Order do > > > > > [:total, :id, :customer_ip, :status, :error_message, :updated_at, > > > > > :created_at, :finalize, :tax, :shipping].each do |attribute| > > > > > it "should protect #{attribute} attributes from mass assignment" do > > > > > @order = Order.new(attribute => ''hax0rz'') > > > > > @order.attribute.should_not == ''hax0rz'' > > > > > end > > > > > end > > > > > end > > > > > > > > > > What would the actual implementation look like? > > > > > > > > I think it would look exactly like what you wrote. Have you tried it? > > > > _______________________________________________ > > > > rspec-users mailing list > > > > rspec-users at rubyforge.org > > > > http://rubyforge.org/mailman/listinfo/rspec-users > > > > > > > > > _______________________________________________ > > rspec-users mailing list > > rspec-users at rubyforge.org > > http://rubyforge.org/mailman/listinfo/rspec-users > > >
On 5/31/07, David Chelimsky <dchelimsky at gmail.com> wrote:> On 5/31/07, David Chelimsky <dchelimsky at gmail.com> wrote: > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote: > > > Hmmm.... scratch that. I actually had a typo in my code. After > > > correcting the typo, It looks like the code is trying to literally > > > call @order.attribute rather than @order.id, @order.total, etc... > > > > > > Is eval the best option? > > > > > > eval("@order.#{attribute}.should_not == ''hax0rz''") > > > > That, or (I think): > > > > (@order.send attribute).should)_not == hax0rz'' > > > > Sorry - typo - this: > > (@order.send attribute).should_not == hax0rz''UGH - one more time: (@order.send attribute).should_not == ''hax0rz''> > > > > > > > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote: > > > > Wow. It does work. I didn''t even bother to try it because I figured > > > > that calling ''it'' inside of the ''each'' block would not be the same as > > > > calling ''it'' directly inside of the ''describe'' block. I''ve never > > > > actually written a method that yields to a block. I''m still trying to > > > > fit into my Rubyist pants. > > > > > > > > So Ruby actually yields down into the ''each'' block from the parent > > > > ''describe'' block? > > > > > > > > On 5/30/07, David Chelimsky <dchelimsky at gmail.com> wrote: > > > > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote: > > > > > > This is kind of a two part question. > > > > > > > > > > > > Question One: I want to be sure that an Order model is protecting > > > > > > sensitive attributes from mass assignment. > > > > > > > > > > > > The example looks like this: > > > > > > > > > > > > describe Order do > > > > > > it "should protect total attribute from mass assignment" do > > > > > > @order = Order.new(:total => 0.05) > > > > > > @order.total.should_not == 0.05 > > > > > > end > > > > > > end > > > > > > > > > > > > And the code to implement it: > > > > > > > > > > > > class Order < ActiveRecord::Base > > > > > > attr_protected :total > > > > > > end > > > > > > > > > > > > > > > > > > It seems to work, but is there a better way? Not saying that this way > > > > > > is bad, just that I''m very green :) > > > > > > > > > > This seems pretty good to me. You''re not cluttering up the example > > > > > with what the value of total IS - just what it is not, which is the > > > > > thing you''re interested in. > > > > > > > > > > > > > > > > > > > > > > > Question Two: I actually have a bunch of attributes that need to be > > > > > > protected. Rather than hand-writing a call to the ''it'' method for each > > > > > > attribute, could I just loop over an array of attributes that need to > > > > > > be checked and programatically define the ''it'' calls? > > > > > > > > > > > > Pseudo-code: > > > > > > > > > > > > describe Order do > > > > > > [:total, :id, :customer_ip, :status, :error_message, :updated_at, > > > > > > :created_at, :finalize, :tax, :shipping].each do |attribute| > > > > > > it "should protect #{attribute} attributes from mass assignment" do > > > > > > @order = Order.new(attribute => ''hax0rz'') > > > > > > @order.attribute.should_not == ''hax0rz'' > > > > > > end > > > > > > end > > > > > > end > > > > > > > > > > > > What would the actual implementation look like? > > > > > > > > > > I think it would look exactly like what you wrote. Have you tried it? > > > > > _______________________________________________ > > > > > rspec-users mailing list > > > > > rspec-users at rubyforge.org > > > > > http://rubyforge.org/mailman/listinfo/rspec-users > > > > > > > > > > > > _______________________________________________ > > > rspec-users mailing list > > > rspec-users at rubyforge.org > > > http://rubyforge.org/mailman/listinfo/rspec-users > > > > > >
Great. I like the ''send'' syntax; its much cleaner than eval.
Here''s
the final example for those following along at home:
describe Order do
[:id, :customer_ip, :status, :error_message, :updated_at,
:created_at, :finalize, :tax, :shipping].each do |attribute|
it "should protect ''#{attribute}'' attribute from mass
assignment" do
@order = Order.new(attribute => ''hax0rz'')
@order.send(attribute).should_not == ''hax0rz''
end
end
end
And the implementation:
class Order < ActiveRecord::Base
attr_protected :id, :customer_ip, :status, :error_message,
:updated_at, :created_at, :finalize, :tax, :shipping
end
On 5/30/07, David Chelimsky <dchelimsky at gmail.com>
wrote:> On 5/31/07, David Chelimsky <dchelimsky at gmail.com> wrote:
> > On 5/31/07, David Chelimsky <dchelimsky at gmail.com> wrote:
> > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:
> > > > Hmmm.... scratch that. I actually had a typo in my code.
After
> > > > correcting the typo, It looks like the code is trying to
literally
> > > > call @order.attribute rather than @order.id, @order.total,
etc...
> > > >
> > > > Is eval the best option?
> > > >
> > > > eval("@order.#{attribute}.should_not ==
''hax0rz''")
> > >
> > > That, or (I think):
> > >
> > > (@order.send attribute).should)_not == hax0rz''
> > >
> >
> > Sorry - typo - this:
> >
> > (@order.send attribute).should_not == hax0rz''
>
> UGH - one more time:
>
> (@order.send attribute).should_not == ''hax0rz''
>
>
> >
> > >
> > > >
> > > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com> wrote:
> > > > > Wow. It does work. I didn''t even bother to try
it because I figured
> > > > > that calling ''it'' inside of the
''each'' block would not be the same as
> > > > > calling ''it'' directly inside of the
''describe'' block. I''ve never
> > > > > actually written a method that yields to a block.
I''m still trying to
> > > > > fit into my Rubyist pants.
> > > > >
> > > > > So Ruby actually yields down into the
''each'' block from the parent
> > > > > ''describe'' block?
> > > > >
> > > > > On 5/30/07, David Chelimsky <dchelimsky at
gmail.com> wrote:
> > > > > > On 5/30/07, Jed Hurt <jed.hurt at gmail.com>
wrote:
> > > > > > > This is kind of a two part question.
> > > > > > >
> > > > > > > Question One: I want to be sure that an Order
model is protecting
> > > > > > > sensitive attributes from mass assignment.
> > > > > > >
> > > > > > > The example looks like this:
> > > > > > >
> > > > > > > describe Order do
> > > > > > > it "should protect total attribute
from mass assignment" do
> > > > > > > @order = Order.new(:total => 0.05)
> > > > > > > @order.total.should_not == 0.05
> > > > > > > end
> > > > > > > end
> > > > > > >
> > > > > > > And the code to implement it:
> > > > > > >
> > > > > > > class Order < ActiveRecord::Base
> > > > > > > attr_protected :total
> > > > > > > end
> > > > > > >
> > > > > > >
> > > > > > > It seems to work, but is there a better way?
Not saying that this way
> > > > > > > is bad, just that I''m very green :)
> > > > > >
> > > > > > This seems pretty good to me. You''re not
cluttering up the example
> > > > > > with what the value of total IS - just what it is
not, which is the
> > > > > > thing you''re interested in.
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Question Two: I actually have a bunch of
attributes that need to be
> > > > > > > protected. Rather than hand-writing a call to
the ''it'' method for each
> > > > > > > attribute, could I just loop over an array of
attributes that need to
> > > > > > > be checked and programatically define the
''it'' calls?
> > > > > > >
> > > > > > > Pseudo-code:
> > > > > > >
> > > > > > > describe Order do
> > > > > > > [:total, :id, :customer_ip, :status,
:error_message, :updated_at,
> > > > > > > :created_at, :finalize, :tax, :shipping].each
do |attribute|
> > > > > > > it "should protect #{attribute}
attributes from mass assignment" do
> > > > > > > @order = Order.new(attribute =>
''hax0rz'')
> > > > > > > @order.attribute.should_not ==
''hax0rz''
> > > > > > > end
> > > > > > > end
> > > > > > > end
> > > > > > >
> > > > > > > What would the actual implementation look
like?
> > > > > >
> > > > > > I think it would look exactly like what you wrote.
Have you tried it?
> > > > > > _______________________________________________
> > > > > > rspec-users mailing list
> > > > > > rspec-users at rubyforge.org
> > > > > > http://rubyforge.org/mailman/listinfo/rspec-users
> > > > > >
> > > > >
> > > > _______________________________________________
> > > > rspec-users mailing list
> > > > rspec-users at rubyforge.org
> > > > http://rubyforge.org/mailman/listinfo/rspec-users
> > > >
> > >
> >
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
>
On 31 May 2007, at 16:45, Jed Hurt wrote:> Great. I like the ''send'' syntax; its much cleaner than eval. > @order.send(attribute).should_not == ''hax0rz''Not to be pedantic, but I''d prefer @order[attribute].should_not == ''hax0rz'' which of course does the same thing, but is a little bit more... semantically pleasing? Cheers, -Tom