rspec users - Mar 2008 - [HELP]No :secret given to the #protect_from_forgery call

I am starting to BDD. When specing the controller I want to test for
object creation:

  it "deberia crear una nueva persona en post create" do
    Usuario.should_receive(:create).with({:nombre => "camilo",
:clave
=> "secreta", :tipo =>
"administrador"}).and_return(@usuario)

    post ''create'', {:usuario => {:nombre =>
"camilo", :clave =>
"secreta", :tipo => "administrador"}}
  end

But when I add this spec, I start getting this:
1)
ActionController::InvalidAuthenticityToken in ''UsuarioController
deberia crear una nueva persona en post create''
No :secret given to the #protect_from_forgery call.  Set that or use a
session store capable of generating its own keys (Cookie Session
Store).
./spec/controllers/usuario_controller_spec.rb:30:
script/spec:4:

This is the only failure. Line 30 is the post "create".

I am on Ruby 1.8.6, Rails 2.0.2, Rspec 1.1.3 (saw in
vendor/plugins/rspec/CHANGES).


I searched google for solutions, found this:

http://blog.stonean.com/2007/12/rspec-and-protectfromforgery.html

then I added
@controller.class.protect_from_forgery :secret => "secretkey"
in the before(:each) method. I put the same secret key I found in
environment.rb. But now it gives me:
ActionController::InvalidAuthenticityToken

I am lost. Why this happens? should not work just fine from the rails
default configuration?.

I have not changed anything in the environment.rb nor application.rb.
This is just a new project to learn BDD and RoR. Thanks for any clue
to get this to work.

On Mar 16, 2008, at 2:41 PM, Camilo Torres wrote:
> I am starting to BDD. When specing the controller I want to test for
> object creation:
>
>   it "deberia crear una nueva persona en post create" do
>     Usuario.should_receive(:create).with({:nombre => "camilo",
:clave
> => "secreta", :tipo =>
"administrador"}).and_return(@usuario)
>
>     post ''create'', {:usuario => {:nombre =>
"camilo", :clave =>
> "secreta", :tipo => "administrador"}}
>   end
>
> But when I add this spec, I start getting this:
> 1)
> ActionController::InvalidAuthenticityToken in ''UsuarioController
> deberia crear una nueva persona en post create''
> No :secret given to the #protect_from_forgery call.  Set that or use a
> session store capable of generating its own keys (Cookie Session
> Store).
> ./spec/controllers/usuario_controller_spec.rb:30:
> script/spec:4:
>
> This is the only failure. Line 30 is the post "create".
>
> I am on Ruby 1.8.6, Rails 2.0.2, Rspec 1.1.3 (saw in
> vendor/plugins/rspec/CHANGES).
>
>
> I searched google for solutions, found this:
>
> http://blog.stonean.com/2007/12/rspec-and-protectfromforgery.html
>
> then I added
> @controller.class.protect_from_forgery :secret => "secretkey"
> in the before(:each) method. I put the same secret key I found in
> environment.rb. But now it gives me:
> ActionController::InvalidAuthenticityToken
>
> I am lost. Why this happens? should not work just fine from the rails
> default configuration?.
>
> I have not changed anything in the environment.rb nor application.rb.
> This is just a new project to learn BDD and RoR. Thanks for any clue
> to get this to work.
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
I haven''t tried any of this, but here''s my guess:

One way to get this to work is to stub out protect_from_forgery:

controller.stub!(protect_from_forgery).and_return "foo"

The better question is: why would you intentionally remove a security  
feature?

Scott

I presume the feature is well tested in rails and disable it in the
test environment (which is done by default, I think).

# in config/environments/test.rb
# Disable request forgery protection in test environment
config.action_controller.allow_forgery_protection    = false

-Mike

On Sat, Mar 15, 2008 at 2:26 PM, Scott Taylor
<mailing_lists at railsnewbie.com> wrote:
>
>
>  On Mar 16, 2008, at 2:41 PM, Camilo Torres wrote:
>
>  > I am starting to BDD. When specing the controller I want to test for
>  > object creation:
>  >
>  >   it "deberia crear una nueva persona en post create" do
>  >     Usuario.should_receive(:create).with({:nombre =>
"camilo", :clave
>  > => "secreta", :tipo =>
"administrador"}).and_return(@usuario)
>  >
>  >     post ''create'', {:usuario => {:nombre =>
"camilo", :clave =>
>  > "secreta", :tipo => "administrador"}}
>  >   end
>  >
>  > But when I add this spec, I start getting this:
>  > 1)
>  > ActionController::InvalidAuthenticityToken in
''UsuarioController
>  > deberia crear una nueva persona en post create''
>  > No :secret given to the #protect_from_forgery call.  Set that or use
a
>  > session store capable of generating its own keys (Cookie Session
>  > Store).
>  > ./spec/controllers/usuario_controller_spec.rb:30:
>  > script/spec:4:
>  >
>  > This is the only failure. Line 30 is the post "create".
>  >
>  > I am on Ruby 1.8.6, Rails 2.0.2, Rspec 1.1.3 (saw in
>  > vendor/plugins/rspec/CHANGES).
>  >
>  >
>  > I searched google for solutions, found this:
>  >
>  > http://blog.stonean.com/2007/12/rspec-and-protectfromforgery.html
>  >
>  > then I added
>  > @controller.class.protect_from_forgery :secret =>
"secretkey"
>  > in the before(:each) method. I put the same secret key I found in
>  > environment.rb. But now it gives me:
>  > ActionController::InvalidAuthenticityToken
>  >
>  > I am lost. Why this happens? should not work just fine from the rails
>  > default configuration?.
>  >
>  > I have not changed anything in the environment.rb nor application.rb.
>  > This is just a new project to learn BDD and RoR. Thanks for any clue
>  > to get this to work.
>  > _______________________________________________
>  > rspec-users mailing list
>  > rspec-users at rubyforge.org
>  > http://rubyforge.org/mailman/listinfo/rspec-users
>
>  I haven''t tried any of this, but here''s my guess:
>
>  One way to get this to work is to stub out protect_from_forgery:
>
>  controller.stub!(protect_from_forgery).and_return "foo"
>
>  The better question is: why would you intentionally remove a security
>  feature?
>
>  Scott
>
>
>
>
>
>
>  _______________________________________________
>  rspec-users mailing list
>  rspec-users at rubyforge.org
>  http://rubyforge.org/mailman/listinfo/rspec-users
>

Thanks Mike, your comment lead me to the answer:

I was using the development environment to make the tests. I didn''t
realized there were some difference between the environments (not
guessed it).

When I started the project, I edited spec/spec_helper.rb (and also
stories/helper.rb) and changed ENV["RAILS_ENV"] to
"development",
because I had only one DB user. Of course I can create as many DB
users as I need, this is a development box...

Now using the (right) ENV["RAILS_ENV"] = "test" and problem
is solved.

Thanks to Scott Taylor for the other comment.

2008/3/16, Mike Vincent <mike at vincent.ws>:
> I presume the feature is well tested in rails and disable it in the
>  test environment (which is done by default, I think).
>
>  # in config/environments/test.rb
>  # Disable request forgery protection in test environment
>  config.action_controller.allow_forgery_protection    = false
>
>
>  -Mike
>
>
>  On Sat, Mar 15, 2008 at 2:26 PM, Scott Taylor
>  <mailing_lists at railsnewbie.com> wrote:
>  >
>  >
>  >  On Mar 16, 2008, at 2:41 PM, Camilo Torres wrote:
>  >
>  >  > I am starting to BDD. When specing the controller I want to
test for
>  >  > object creation:
>  >  >
>  >  >   it "deberia crear una nueva persona en post create"
do
>  >  >     Usuario.should_receive(:create).with({:nombre =>
"camilo", :clave
>  >  > => "secreta", :tipo =>
"administrador"}).and_return(@usuario)
>  >  >
>  >  >     post ''create'', {:usuario => {:nombre
=> "camilo", :clave =>
>  >  > "secreta", :tipo => "administrador"}}
>  >  >   end
>  >  >
>  >  > But when I add this spec, I start getting this:
>  >  > 1)
>  >  > ActionController::InvalidAuthenticityToken in
''UsuarioController
>  >  > deberia crear una nueva persona en post create''
>  >  > No :secret given to the #protect_from_forgery call.  Set that
or use a
>  >  > session store capable of generating its own keys (Cookie
Session
>  >  > Store).
>  >  > ./spec/controllers/usuario_controller_spec.rb:30:
>  >  > script/spec:4:
>  >  >
>  >  > This is the only failure. Line 30 is the post
"create".
>  >  >
>  >  > I am on Ruby 1.8.6, Rails 2.0.2, Rspec 1.1.3 (saw in
>  >  > vendor/plugins/rspec/CHANGES).
>  >  >
>  >  >
>  >  > I searched google for solutions, found this:
>  >  >
>  >  >
http://blog.stonean.com/2007/12/rspec-and-protectfromforgery.html
>  >  >
>  >  > then I added
>  >  > @controller.class.protect_from_forgery :secret =>
"secretkey"
>  >  > in the before(:each) method. I put the same secret key I found
in
>  >  > environment.rb. But now it gives me:
>  >  > ActionController::InvalidAuthenticityToken
>  >  >
>  >  > I am lost. Why this happens? should not work just fine from the
rails
>  >  > default configuration?.
>  >  >
>  >  > I have not changed anything in the environment.rb nor
application.rb.
>  >  > This is just a new project to learn BDD and RoR. Thanks for any
clue
>  >  > to get this to work.
>  >  > _______________________________________________
>  >  > rspec-users mailing list
>  >  > rspec-users at rubyforge.org
>  >  > http://rubyforge.org/mailman/listinfo/rspec-users
>  >
>  >  I haven''t tried any of this, but here''s my guess:
>  >
>  >  One way to get this to work is to stub out protect_from_forgery:
>  >
>  >  controller.stub!(protect_from_forgery).and_return "foo"
>  >
>  >  The better question is: why would you intentionally remove a
security
>  >  feature?
>  >
>  >  Scott
>  >
>  >
>  >
>  >
>  >
>  >
>  >  _______________________________________________
>  >  rspec-users mailing list
>  >  rspec-users at rubyforge.org
>  >  http://rubyforge.org/mailman/listinfo/rspec-users
>  >
>  _______________________________________________
>  rspec-users mailing list
>  rspec-users at rubyforge.org
>  http://rubyforge.org/mailman/listinfo/rspec-users
>