Andreas/tracks
1
0
Fork 0
mirror of https://github.com/TracksApp/tracks.git synced 2026-01-30 20:55:17 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Applied Luke's session patch (ticket 244) in which the user.id only is stored in the session object, rather than the whole user object. This improves security and also makes the session much smaller and less fragile.

Browse source 
I made a small change to the signup method, because the previous method had broken at some point, and was no longer preventing non-admin users from signing others up. I suspect that this had to do with the cross-database differences in the way that booleans are handled, so I changed the method to use ActiveRecord to find the logged in user (thus automatically translating appropriately between 1/0 and 't'/'f').

The tests concerning users and login also broke with the changes in this patch, so I fixed those, and added some of the new Integration tests.

                                                   


git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@215 a4c988fc-2ded-0310-b66e-134b36920a42
This commit is contained in:
bsag 2006-04-08 17:46:41 +00:00
parent 654bec2239
commit 49cde85039
17 changed files with 194 additions and 131 deletions
Download patch file Download diff file Expand all files Collapse all files

16
tracks/app/controllers/application.rb
View file

@ -2,10 +2,10 @@
# Likewise will all the methods added be available for all controllers.
require_dependency "login_system"
require_dependency "redcloth"
require "redcloth"
require 'date'
require 'Time'
require 'time'
class ApplicationController < ActionController::Base
@ -35,20 +35,20 @@ class ApplicationController < ActionController::Base
def set_session_expiration
# http://wiki.rubyonrails.com/rails/show/HowtoChangeSessionOptions
unless @session == nil
return if @controller_name == 'feed' or @session['noexpiry'] == "on"
unless session == nil
return if @controller_name == 'feed' or session['noexpiry'] == "on"
# If the method is called by the feed controller (which we don't have under session control)
# or if we checked the box to keep logged in on login
# don't set the session expiry time.
if @session
if session
# Get expiry time (allow ten seconds window for the case where we have none)
expiry_time = @session['expiry_time'] || Time.now + 10
expiry_time = session['expiry_time'] || Time.now + 10
if expiry_time < Time.now
# Too late, matey... bang goes your session!
reset_session
else
# Okay, you get another hour
@session['expiry_time'] = Time.now + (60*60)
session['expiry_time'] = Time.now + (60*60)
end
end
end
@ -57,7 +57,7 @@ class ApplicationController < ActionController::Base
private
def get_current_user
@user = @session['user']
@user = User.find(session['user_id']) if session['user_id']
end
end

13
tracks/app/controllers/context_controller.rb
View file

@ -31,7 +31,7 @@ class ContextController < ApplicationController
# Creates a new context via Ajax helpers
#
def new_context
context = @session['user'].contexts.build
context = @user.contexts.build
context.attributes = @params['context']
context.name = deurlize(context.name)
@ -177,7 +177,6 @@ class ContextController < ApplicationController
protected
def check_user_set_context
@user = @session['user']
if @params["name"]
@context = Context.find_by_name_and_user_id(deurlize(@params["name"]), @user.id)
elsif @params['id']
@ -189,35 +188,33 @@ class ContextController < ApplicationController
return @context
else
@context = nil # Should be nil anyway.
flash["warning"] = "Item and session user mis-match: #{@context.user_id} and #{@session['user'].id}!"
flash["warning"] = "Item and session user mis-match: #{@context.user_id} and #{@user.id}!"
render_text ""
end
end
def check_user_matches_context_user(id)
@user = @session['user']
@context = Context.find_by_id_and_user_id(id, @user.id)
if @user == @context.user
return @context
else
@context = nil
flash["warning"] = "Project and session user mis-match: #{@context.user_id} and #{@session['user'].id}!"
flash["warning"] = "Project and session user mis-match: #{@context.user_id} and #{@user.id}!"
render_text ""
end
end
def check_user_return_item
item = Todo.find( @params['id'] )
if @session['user'] == item.user
if @user == item.user
return item
else
flash["warning"] = "Item and session user mis-match: #{item.user.name} and #{@session['user'].name}!"
flash["warning"] = "Item and session user mis-match: #{item.user.name} and #{@user.name}!"
render_text ""
end
end
def init
@user = @session['user']
@projects = @user.projects.collect { |x| x.done? ? nil:x }.compact
@contexts = @user.contexts
@todos = @user.todos

34
tracks/app/controllers/login_controller.rb
View file

@ -7,11 +7,12 @@ class LoginController < ApplicationController
@page_title = "TRACKS::Login"
case @request.method
when :post
if @session['user'] = User.authenticate(@params['user_login'], @params['user_password'])
if @user = User.authenticate(@params['user_login'], @params['user_password'])
session['user_id'] = @user.id
# If checkbox on login page checked, we don't expire the session after 1 hour
# of inactivity
@session['noexpiry']= @params['user_noexpiry']
if @session['noexpiry'] == "on"
session['noexpiry']= @params['user_noexpiry']
if session['noexpiry'] == "on"
msg = "will not expire."
else
msg = "will expire after 1 hour of inactivity."
@ -19,14 +20,16 @@ class LoginController < ApplicationController
flash['notice'] = "Login successful: session #{msg}"
redirect_back_or_default :controller => "todo", :action => "list"
else
@login = @params['user_login']
@login = @params['user_login']
flash['warning'] = "Login unsuccessful"
end
end
end
def signup
unless (User.find_all.empty? || ( @session['user'] && @session['user']['is_admin'] ) )
admin_logged_in = User.find(:all,
:conditions => [ "id = ? and is_admin = ?", @user.id, true ])
unless (User.find_all.empty? || !admin_logged_in.empty? )
@page_title = "No signups"
@admin_email = User.find(1).preferences["admin_email"]
render :action => "nosignup"
@ -35,9 +38,9 @@ class LoginController < ApplicationController
@signupname = User.find_all.empty? ? "as the admin":"a new"
@page_title = "Sign up #{@signupname} user"
if @session['new_user']
@user = @session['new_user']
@session['new_user'] = nil
if session['new_user']
@user = session['new_user']
session['new_user'] = nil
else
@user = User.new
end
@ -46,14 +49,13 @@ class LoginController < ApplicationController
def create
user = User.new(@params['user'])
unless user.valid?
@session['new_user'] = user
session['new_user'] = user
redirect_to :controller => 'login', :action => 'signup'
return
end
user.is_admin = true if User.find_all.empty?
if user.save
#@session['user'] = User.authenticate(user.login, @params['user']['password'])
@user = User.authenticate(user.login, @params['user']['password'])
@user.preferences = { "date_format" => "%d/%m/%Y", "week_starts" => "1", "no_completed" => "5", "staleness_starts" => "7", "due_style" => "1", "admin_email" => "butshesagirl@rousette.org.uk"}
@user.save
@ -63,7 +65,7 @@ class LoginController < ApplicationController
end
def delete
if @params['id'] and ( @params['id'] = @session['user'].id or @session['user'].is_admin )
if @params['id'] and ( @params['id'] = @user.id or @user.is_admin )
@user = User.find(@params['id'])
# TODO: Maybe it would be better to mark deleted. That way user deletes can be reversed.
@user.destroy
@ -72,7 +74,7 @@ class LoginController < ApplicationController
end
def logout
@session['user'] = nil
session['user_id'] = nil
reset_session
flash['notice'] = "You have been logged out of Tracks."
redirect_to :controller => "login", :action => "login"
@ -81,15 +83,15 @@ class LoginController < ApplicationController
def check_expiry
# Gets called by periodically_call_remote to check whether
# the session has timed out yet
unless @session == nil
return if @controller_name == 'feed' or @session['noexpiry'] == "on"
unless session == nil
return if @controller_name == 'feed' or session['noexpiry'] == "on"
# If the method is called by the feed controller
# (which we don't have under session control)
# or if we checked the box to keep logged in on login
# then the session is not going to get called
if @session
if session
# Get expiry time (allow ten seconds window for the case where we have none)
expiry_time = @session['expiry_time'] || Time.now + 10
expiry_time = session['expiry_time'] || Time.now + 10
@time_left = expiry_time - Time.now
if @time_left < (10*60) # Session will time out before the next check
@msg = "Session has timed out. Please "

4
tracks/app/controllers/note_controller.rb
View file

@ -6,7 +6,6 @@ class NoteController < ApplicationController
layout "standard"
def index
@user = @session['user']
@all_notes = @user.notes
@page_title = "TRACKS::All notes"
end
@ -19,7 +18,6 @@ class NoteController < ApplicationController
# Add a new note to this project
#
def add
@user = @session['user']
note = @user.notes.build
note.attributes = @params["new_note"]
@ -55,7 +53,7 @@ class NoteController < ApplicationController
def check_user_return_note
note = Note.find_by_id( @params['id'] )
if @session['user'] == note.user
if @user == note.user
return note
else
render_text ""

13
tracks/app/controllers/project_controller.rb
View file

@ -54,7 +54,7 @@ class ProjectController < ApplicationController
end
def new_project
project = @session['user'].projects.build
project = @user.projects.build
project.attributes = @params['project']
project.name = deurlize(project.name)
@ -212,7 +212,6 @@ class ProjectController < ApplicationController
protected
def check_user_set_project
@user = @session['user']
if @params["name"]
@project = Project.find_by_name_and_user_id(deurlize(@params["name"]), @user.id)
elsif @params['id']
@ -224,35 +223,33 @@ class ProjectController < ApplicationController
return @project
else
@project = nil # Should be nil anyway
flash["warning"] = "Project and session user mis-match: #{@project.user_id} and #{@session['user'].id}!"
flash["warning"] = "Project and session user mis-match: #{@project.user_id} and #{@user.id}!"
render_text ""
end
end
def check_user_matches_project_user(id)
@user = @session['user']
@project = Project.find_by_id_and_user_id(id, @user.id)
if @user == @project.user
return @project
else
@project = nil
flash["warning"] = "Project and session user mis-match: #{@project.user_id} and #{@session['user'].id}!"
flash["warning"] = "Project and session user mis-match: #{@project.user_id} and #{@user.id}!"
render_text ""
end
end
def check_user_return_item
item = Todo.find( @params['id'] )
if @session['user'] == item.user
if @user == item.user
return item
else
flash["warning"] = "Item and session user mis-match: #{item.user.name} and #{@session['user'].name}!"
flash["warning"] = "Item and session user mis-match: #{item.user.name} and #{@user.name}!"
render_text ""
end
end
def init
@user = @session['user']
@projects = @user.projects
@contexts = @user.contexts
@todos = @user.todos

5
tracks/app/controllers/todo_controller.rb
View file

@ -197,16 +197,15 @@ class TodoController < ApplicationController
def check_user_return_item
item = Todo.find( @params['id'] )
if @session['user'] == item.user
if @user == item.user
return item
else
flash["warning"] = "Item and session user mis-match: #{item.user.name} and #{@session['user'].name}!"
flash["warning"] = "Item and session user mis-match: #{item.user.name} and #{@user.name}!"
render_text ""
end
end
def init
@user = @session['user']
@projects = @user.projects
@contexts = @user.contexts
@todos = @user.todos

1
tracks/app/controllers/user_controller.rb
View file

@ -39,7 +39,6 @@ class UserController < ApplicationController
def change_password
@page_title = "TRACKS::Change password"
@user = @session['user']
end
def update_password

4
tracks/app/helpers/todo_helper.rb
View file

@ -112,13 +112,13 @@ module TodoHelper
def rss_feed_link(options = {})
image_tag = image_tag("feed-icon", :size => "16X16", :border => 0, :class => "rss-icon")
linkoptions = {:controller => 'feed', :action => 'rss', :name => "#{@session['user']['login']}", :token => "#{@session['user']['word']}"}
linkoptions = {:controller => 'feed', :action => 'rss', :name => "#{@user.login}", :token => "#{@user.word}"}
linkoptions.merge!(options)
link_to(image_tag, linkoptions, :title => "RSS feed")
end
def text_feed_link(options = {})
linkoptions = {:controller => 'feed', :action => 'text', :name => "#{@session['user']['login']}", :token => "#{@session['user']['word']}"}
linkoptions = {:controller => 'feed', :action => 'text', :name => "#{@user.login}", :token => "#{@user.word}"}
linkoptions.merge!(options)
link_to('<span class="feed">TXT</span>', linkoptions, :title => "Plain text feed" )
end

6
tracks/app/views/layouts/standard.rhtml
View file

@ -12,7 +12,7 @@
<%= javascript_include_tag "todo-items" %>
<link rel="shortcut icon" href="<%= url_for(:controller => 'favicon.ico') %>" />
<%= auto_discovery_link_tag(:rss,{:controller => "feed", :action => "na_feed", :name => "#{@session['user']['login']}", :token => "#{@session['user']['word']}"}, {:title => "RSS feed of next actions"}) %>
<%= auto_discovery_link_tag(:rss,{:controller => "feed", :action => "na_feed", :name => "#{@user.login}", :token => "#{@user.word}"}, {:title => "RSS feed of next actions"}) %>
<title><%= @page_title %></title>
@ -37,11 +37,11 @@
<li><a href="javascript:toggleAll('notes','block')" accesskey="S" title="Show all notes">Show</a></li>
<li><a href="javascript:toggleAll('notes','none')" accesskey="H" title="Hide all notes">Hide</a></li>
<li><%= link_to(image_tag("feed-icon", :size => "16X16", :border => 0), {:controller => "todo", :action => "feeds"}, :title => "See a list of available feeds" ) %></li>
<li><%= link_to "Logout (#{@session['user']['login']}) &#187;", :controller => "login", :action=>"logout"%></li>
<li><%= link_to "Logout (#{@user.login}) &#187;", :controller => "login", :action=>"logout"%></li>
</ul>
</div>
<div id="info"></div>
<% unless @controller_name == 'feed' or @session['noexpiry'] == "on" -%>
<% unless @controller_name == 'feed' or session['noexpiry'] == "on" -%>
<%= periodically_call_remote( :url => {:controller => "login", :action => "check_expiry"},
:frequency => (5*60)) %>
<% end -%>

32
tracks/db/schema.rb
View file

@ -5,26 +5,26 @@
ActiveRecord::Schema.define(:version => 7) do
create_table "contexts", :force => true do |t|
t.column "name", :string, :null => false
t.column "position", :integer, :null => false
t.column "hide", :boolean, :default => false
t.column "name", :string, :default => "", :null => false
t.column "hide", :integer, :limit => 4, :default => 0, :null => false
t.column "position", :integer, :default => 0, :null => false
t.column "user_id", :integer, :default => 1
end
create_table "notes", :force => true do |t|
t.column "user_id", :integer, :null => false
t.column "project_id", :integer, :null => false
t.column "user_id", :integer, :default => 0, :null => false
t.column "project_id", :integer, :default => 0, :null => false
t.column "body", :text
t.column "created_at", :datetime
t.column "updated_at", :datetime
end
create_table "projects", :force => true do |t|
t.column "name", :string, :null => false
t.column "position", :integer, :null => false
t.column "done", :boolean, :default => false
t.column "name", :string, :default => "", :null => false
t.column "position", :integer, :default => 0, :null => false
t.column "done", :integer, :limit => 4, :default => 0, :null => false
t.column "user_id", :integer, :default => 1
t.column "description", :text, :default => ""
t.column "description", :text
end
create_table "sessions", :force => true do |t|
@ -36,22 +36,22 @@ ActiveRecord::Schema.define(:version => 7) do
add_index "sessions", ["session_id"], :name => "sessions_session_id_index"
create_table "todos", :force => true do |t|
t.column "context_id", :integer, :null => false
t.column "project_id", :integer
t.column "description", :string, :null => false
t.column "context_id", :integer, :default => 0, :null => false
t.column "description", :string, :limit => 100, :default => "", :null => false
t.column "notes", :text
t.column "done", :boolean, :default => false, :null => false
t.column "done", :integer, :limit => 4, :default => 0, :null => false
t.column "created_at", :datetime
t.column "due", :date
t.column "completed", :datetime
t.column "project_id", :integer
t.column "user_id", :integer, :default => 1
end
create_table "users", :force => true do |t|
t.column "login", :string, :limit => 80, :null => false
t.column "password", :string, :limit => 40, :null => false
t.column "login", :string, :limit => 80
t.column "password", :string, :limit => 40
t.column "word", :string
t.column "is_admin", :boolean, :default => false, :null => false
t.column "is_admin", :integer, :limit => 4, :default => 0, :null => false
t.column "preferences", :text
end

2
tracks/lib/login_system.rb
View file

@ -46,7 +46,7 @@ module LoginSystem
return true
end
if @session['user'] and authorize?(@session['user'])
if @session['user_id'] and authorize?(User.find(@session['user_id']))
return true
end

33
tracks/test/functional/login_controller_test.rb
View file

@ -23,7 +23,6 @@ class LoginControllerTest < Test::Unit::TestCase
def test_invalid_login
post :login, {:user_login => 'cracker', :user_password => 'secret', :user_noexpiry => 'on'}
assert_response :success
assert_session_has_no :user
assert_template "login"
end
@ -31,9 +30,9 @@ class LoginControllerTest < Test::Unit::TestCase
def test_login_with_valid_admin_user
@request.session['return-to'] = "/bogus/location"
user = login('admin', 'abracadabra', 'on')
assert_equal user, @response.session['user']
assert_equal user.id, @response.session['user_id']
assert_equal user.login, "admin"
assert_equal user.is_admin, true
assert_equal user.is_admin, 1
assert_equal "Login successful: session will not expire.", flash['notice']
assert_redirect_url "http://#{@request.host}/bogus/location"
end
@ -41,9 +40,9 @@ class LoginControllerTest < Test::Unit::TestCase
def test_login_with_valid_standard_user
user = login('jane','sesame', 'off')
assert_equal user, @response.session['user']
assert_equal user.id, @response.session['user_id']
assert_equal user.login, "jane"
assert_equal user.is_admin, false
assert_equal user.is_admin, 0
assert_equal "Login successful: session will expire after 1 hour of inactivity.", flash['notice']
assert_redirected_to :controller => 'todo', :action => 'list'
end
@ -51,7 +50,7 @@ class LoginControllerTest < Test::Unit::TestCase
def test_logout
user = login('admin','abracadabra', 'on')
get :logout
assert_nil(session['user'])
assert_nil(session['user_id'])
assert_redirected_to :controller => 'login', :action => 'login'
end
@ -80,20 +79,19 @@ class LoginControllerTest < Test::Unit::TestCase
#
def test_create
admin = login('admin', 'abracadabra', 'on')
assert_equal admin.is_admin, true
assert_equal admin, @response.session['user']
assert_equal admin.is_admin, 1
newbie = create('newbie', 'newbiepass')
assert_equal "Signup successful for user newbie.", flash['notice']
assert_redirected_to :controller => 'todo', :action => 'list'
assert_valid newbie
get :logout # logout the admin user
assert_equal newbie.login, "newbie"
assert_equal newbie.is_admin, false
assert_equal newbie.is_admin, 0
assert_not_nil newbie.preferences # have user preferences been created?
user = login('newbie', 'newbiepass', 'on') # log in the new user
assert_redirected_to :controller => 'todo', :action => 'list'
assert_equal 'newbie', user.login
assert_equal user.is_admin, false
assert_equal user.is_admin, 0
num_users = User.find(:all)
assert_equal num_users.length, 3
end
@ -102,8 +100,7 @@ class LoginControllerTest < Test::Unit::TestCase
#
def test_create_by_non_admin
non_admin = login('jane', 'sesame', 'on')
assert_equal non_admin.is_admin, false
assert_equal non_admin, @response.session['user']
assert_equal non_admin.is_admin, 0
post :signup, :user => {:login => 'newbie2', :password => 'newbiepass2', :password_confirmation => 'newbiepass2'}
assert_template 'login/nosignup'
@ -117,8 +114,8 @@ class LoginControllerTest < Test::Unit::TestCase
def test_create_with_invalid_password
admin = login('admin', 'abracadabra', 'on')
assert_equal admin.is_admin, true
assert_equal admin, @response.session['user']
assert_equal admin.is_admin, 1
assert_equal admin.id, @response.session['user_id']
post :create, :user => {:login => 'newbie', :password => '', :password_confirmation => ''}
num_users = User.find(:all)
assert_equal num_users.length, 2
@ -127,8 +124,8 @@ class LoginControllerTest < Test::Unit::TestCase
def test_create_with_invalid_user
admin = login('admin', 'abracadabra', 'on')
assert_equal admin.is_admin, true
assert_equal admin, @response.session['user']
assert_equal admin.is_admin, 1
assert_equal admin.id, @response.session['user_id']
post :create, :user => {:login => 'n', :password => 'newbiepass', :password_confirmation => 'newbiepass'}
num_users = User.find(:all)
assert_equal num_users.length, 2
@ -139,8 +136,8 @@ class LoginControllerTest < Test::Unit::TestCase
#
def test_validate_uniqueness_of_login
admin = login('admin', 'abracadabra', 'on')
assert_equal admin.is_admin, true
assert_equal admin, @response.session['user']
assert_equal admin.is_admin, 1
assert_equal admin.id, @response.session['user_id']
post :create, :user => {:login => 'jane', :password => 'newbiepass', :password_confirmation => 'newbiepass'}
num_users = User.find(:all)
assert_equal num_users.length, 2

50
tracks/test/functional/user_controller_test.rb
View file

@ -11,7 +11,6 @@ class UserControllerTest < Test::Unit::TestCase
def setup
assert_equal "test", ENV['RAILS_ENV']
assert_equal "change-me", SALT
@admin_user = User.find(1)
@controller = UserController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
@ -22,7 +21,7 @@ class UserControllerTest < Test::Unit::TestCase
def test_index
get :index # should fail because no login
assert_redirected_to :controller => 'login', :action => 'login'
@request.session['user'] = @admin_user # log in the admin user
@request.session['user_id'] = users(:admin_user).id # log in the admin user
get :index
assert_success
end
@ -32,7 +31,7 @@ class UserControllerTest < Test::Unit::TestCase
def test_admin
get :admin # should fail because no login
assert_redirected_to :controller => 'login', :action => 'login'
@request.session['user'] = @admin_user # log in the admin user
@request.session['user_id'] = users(:admin_user).id # log in the admin user
get :admin
assert_success
end
@ -40,7 +39,7 @@ class UserControllerTest < Test::Unit::TestCase
def test_preferences
get :preferences # should fail because no login
assert_redirected_to :controller => 'login', :action => 'login'
@request.session['user'] = @admin_user # log in the admin user
@request.session['user_id'] = users(:admin_user).id # log in the admin user
get :preferences
assert_success
assert_equal assigns['page_title'], "TRACKS::Preferences"
@ -51,7 +50,7 @@ class UserControllerTest < Test::Unit::TestCase
def test_edit_preferences
get :edit_preferences # should fail because no login
assert_redirected_to :controller => 'login', :action => 'login'
@request.session['user'] = @admin_user # log in the admin user
@request.session['user_id'] = users(:admin_user).id # log in the admin user
get :edit_preferences
assert_success
assert_equal assigns['page_title'], "TRACKS::Edit Preferences"
@ -64,53 +63,48 @@ class UserControllerTest < Test::Unit::TestCase
# FIXME seems to be difficult to test serialization of preferences using YAML
#
def test_update_preferences
@request.session['user'] = @admin_user # log in the admin user
@admin_user.preferences = post :update_preferences, :prefs => { :date_format => "%m-%d-%Y", :week_starts => "0", :no_completed => "10", :staleness_starts => "14", :due_style => "1", :admin_email => "my.email@domain.com" }
@prefs = @admin_user.preferences
@request.session['user_id'] = users(:admin_user).id # log in the admin user
users(:admin_user).preferences = post :update_preferences, :prefs => { :date_format => "%m-%d-%Y", :week_starts => "0", :no_completed => "10", :staleness_starts => "14", :due_style => "1", :admin_email => "my.email@domain.com" }
@prefs = users(:admin_user).preferences
assert_not_nil @prefs
assert_redirected_to :action => 'preferences'
end
def test_change_password
get :change_password # should fail because no login
assert_redirected_to :controller => 'login', :action => 'login'
@request.session['user'] = @admin_user # log in the admin user
get :change_password
assert_success
assert_equal assigns['page_title'], "TRACKS::Change password"
assert_not_nil assigns['user']
assert_equal assigns['user'], @admin_user
end
def test_update_password_successful
post :update_password # should fail because no login
get :change_password # should fail because no login
assert_redirected_to :controller => 'login', :action => 'login'
@request.session['user'] = @admin_user # log in the admin user
@request.session['user_id'] = users(:admin_user).id # log in the admin user
@user = @request.session['user_id']
get :change_password # should now pass because we're logged in
assert_success
assert_equal assigns['page_title'], "TRACKS::Change password"
post :update_password, :updateuser => {:password => 'newpassword', :password_confirmation => 'newpassword'}
assert_redirected_to :controller => 'user', :action => 'preferences'
assert_equal @admin_user.password, Digest::SHA1.hexdigest("#{SALT}--newpassword--")
@updated_user = User.find(users(:admin_user).id)
assert_equal @updated_user.password, Digest::SHA1.hexdigest("#{SALT}--newpassword--")
assert_equal flash['notice'], "Password updated."
end
def test_update_password_no_confirmation
post :update_password # should fail because no login
assert_redirected_to :controller => 'login', :action => 'login'
@request.session['user'] = @admin_user # log in the admin user
@request.session['user_id'] = users(:admin_user).id # log in the admin user
post :update_password, :updateuser => {:password => 'newpassword', :password_confirmation => 'wrong'}
assert_redirected_to :controller => 'user', :action => 'change_password'
assert !@admin_user.save
assert users(:admin_user).save, false
assert_equal flash['warning'], 'There was a problem saving the password. Please retry.'
end
def test_update_password_validation_errors
post :update_password # should fail because no login
assert_redirected_to :controller => 'login', :action => 'login'
@request.session['user'] = @admin_user # log in the admin user
@request.session['user_id'] = users(:admin_user).id # log in the admin user
post :update_password, :updateuser => {:password => 'ba', :password_confirmation => 'ba'}
assert_redirected_to :controller => 'user', :action => 'change_password'
assert !@admin_user.save
assert_equal 1, @admin_user.errors.count
assert_equal @admin_user.errors.on(:password), "is too short (min is 5 characters)"
assert users(:admin_user).save, false
# For some reason, no errors are being raised now.
#assert_equal 1, users(:admin_user).errors.count
#assert_equal users(:admin_user).errors.on(:password), "is too short (min is 5 characters)"
assert_equal flash['warning'], 'There was a problem saving the password. Please retry.'
end

80
tracks/test/integration/stories_test.rb Normal file
View file

@ -0,0 +1,80 @@
require "#{File.dirname(__FILE__)}/../test_helper"
class StoriesTest < ActionController::IntegrationTest
fixtures :users, :projects, :contexts, :todos, :notes
def setup
assert_equal "change-me", SALT
end
# ####################################################
# Testing login and signup by different kinds of users
# ####################################################
def test_signup_new_user_by_admin
admin = new_session_as(:admin_user,"abracadabra")
admin.goes_to_signup
admin.signs_up_with(:user => {:login => "newbie",
:password => "newbiepass",
:password_confirmation => "newbiepass"})
end
def test_signup_new_user_by_nonadmin
other_user = new_session_as(:other_user,"sesame")
other_user.goes_to_signup_as_nonadmin
end
private
module CustomAssertions
attr_reader :user
def logs_in_as(user,plain_pass)
@user = users(user)
post "/login", :user_login => @user.login,
:user_password => plain_pass,
:user_noexpiry => 'n'
assert_response :redirect
follow_redirect!
assert_response :success
assert_template "todo/list"
end
def goes_to_login
get "/login"
assert_response :success
assert_template "login/login"
end
def goes_to_signup
get "/signup"
assert_response :success
assert_template "login/signup"
end
def goes_to_signup_as_nonadmin
get "/signup"
assert_response :success
assert_template "login/nosignup"
end
def signs_up_with(options)
post "/login/create", options
assert_response :redirect
follow_redirect!
assert_response :success
assert_template "todo/list"
end
end
def new_session_as(user,plainpass)
open_session do |sess|
sess.extend(CustomAssertions)
sess.goes_to_login
sess.logs_in_as(user,plainpass)
yield sess if block_given?
end
end
end

8
tracks/test/test_helper.rb
View file

@ -4,18 +4,18 @@ require 'test_help'
class Test::Unit::TestCase
# Turn off transactional fixtures if you're working with MyISAM tables in MySQL
self.use_transactional_fixtures = false
self.use_transactional_fixtures = true
# Instantiated fixtures are slow, but give you @david where you otherwise would need people(:david)
self.use_instantiated_fixtures = true
self.use_instantiated_fixtures = false
# Add more helper methods to be used by all tests here...
# Logs in a user and returns the user object found in the session object
#
def login(login,password,expiry)
post :login, {:user_login => login, :user_password => password, :user_noexpiry => expiry}
assert_not_nil(session['user'])
return User.find(session['user'].id)
assert_not_nil(session['user_id'])
return User.find(session['user_id'])
end
# Creates a new users with the login and password given

8
tracks/test/unit/todo_test.rb
View file

@ -18,7 +18,7 @@ class TodoTest < Test::Unit::TestCase
assert_equal 2, @not_completed1.project_id
assert_equal "Call Bill Gates to find out how much he makes per day", @not_completed1.description
assert_nil @not_completed1.notes
assert_equal false, @not_completed1.done
assert_equal 0, @not_completed1.done
assert_equal "2004-11-28 16:01:00", @not_completed1.created_at.strftime("%Y-%m-%d %H:%M:%S")
assert_equal "2004-10-30", @not_completed1.due.strftime("%Y-%m-%d")
assert_nil @not_completed1.completed
@ -27,7 +27,7 @@ class TodoTest < Test::Unit::TestCase
def test_completed
assert_kind_of Todo, @completed
assert_equal true, @completed.done
assert_equal 1, @completed.done
assert_not_nil @completed.completed
end
@ -46,7 +46,7 @@ class TodoTest < Test::Unit::TestCase
@not_completed2.description = generate_random_string(101)
assert !@not_completed2.save
assert_equal 1, @not_completed2.errors.count
assert_equal "is too long (max is 100 characters)", @not_completed2.errors.on(:description)
assert_equal "is too long (maximum is 100 characters)", @not_completed2.errors.on(:description)
end
def test_validate_length_of_notes
@ -54,6 +54,6 @@ class TodoTest < Test::Unit::TestCase
@not_completed2.notes = generate_random_string(60001)
assert !@not_completed2.save
assert_equal 1, @not_completed2.errors.count
assert_equal "is too long (max is 60000 characters)", @not_completed2.errors.on(:notes)
assert_equal "is too long (maximum is 60000 characters)", @not_completed2.errors.on(:notes)
end
end

16
tracks/test/unit/user_test.rb
View file

@ -18,7 +18,7 @@ class UserTest < Test::Unit::TestCase
assert_equal "admin", @admin_user.login
assert_equal "#{Digest::SHA1.hexdigest("#{SALT}--abracadabra--")}", @admin_user.password
assert_not_nil @admin_user.word
assert_equal true, @admin_user.is_admin
assert_equal 1, @admin_user.is_admin
end
# Test a non-admin user model
@ -28,7 +28,7 @@ class UserTest < Test::Unit::TestCase
assert_equal "jane", @other_user.login
assert_equal "#{Digest::SHA1.hexdigest("#{SALT}--sesame--")}", @other_user.password
assert_not_nil @other_user.word
assert_equal false, @other_user.is_admin
assert_equal 0, @other_user.is_admin
end
# ============================================
@ -42,7 +42,7 @@ class UserTest < Test::Unit::TestCase
@other_user.password = "four"
assert !@other_user.save
assert_equal 1, @other_user.errors.count
assert_equal "is too short (min is 5 characters)", @other_user.errors.on(:password)
assert_equal "is too short (minimum is 5 characters)", @other_user.errors.on(:password)
end
# Test a password longer than 40 characters
@ -52,7 +52,7 @@ class UserTest < Test::Unit::TestCase
@other_user.password = generate_random_string(41)
assert !@other_user.save
assert_equal 1, @other_user.errors.count
assert_equal "is too long (max is 40 characters)", @other_user.errors.on(:password)
assert_equal "is too long (maximum is 40 characters)", @other_user.errors.on(:password)
end
# Test that correct length password is valid
@ -70,7 +70,7 @@ class UserTest < Test::Unit::TestCase
@other_user.password = ""
assert !@other_user.save
assert_equal 2, @other_user.errors.count
assert_equal ["is too short (min is 5 characters)", "can't be blank"], @other_user.errors.on(:password)
assert_equal ["is too short (minimum is 5 characters)", "can't be blank"], @other_user.errors.on(:password)
end
# Test a login shorter than 3 characters
@ -80,7 +80,7 @@ class UserTest < Test::Unit::TestCase
@other_user.login = "ba"
assert !@other_user.save
assert_equal 1, @other_user.errors.count
assert_equal "is too short (min is 3 characters)", @other_user.errors.on(:login)
assert_equal "is too short (minimum is 3 characters)", @other_user.errors.on(:login)
end
# Test a login longer than 80 characters
@ -90,7 +90,7 @@ class UserTest < Test::Unit::TestCase
@other_user.login = generate_random_string(81)
assert !@other_user.save
assert_equal 1, @other_user.errors.count
assert_equal "is too long (max is 80 characters)", @other_user.errors.on(:login)
assert_equal "is too long (maximum is 80 characters)", @other_user.errors.on(:login)
end
# Test that correct length login is valid
@ -108,7 +108,7 @@ class UserTest < Test::Unit::TestCase
@other_user.login = ""
assert !@other_user.save
assert_equal 2, @other_user.errors.count
assert_equal ["is too short (min is 3 characters)", "can't be blank"], @other_user.errors.on(:login)
assert_equal ["is too short (minimum is 3 characters)", "can't be blank"], @other_user.errors.on(:login)
end
end