Ruby on rails 测试用户是否可以';t更新/销毁另一个用户';s评论
在我的小应用程序中,用户可以发布评论。这些评论只能由其所有者销毁。我正在尝试登录一个用户,创建一条评论,注销一个用户,然后尝试删除第一个用户创建的评论。然而,由于某些原因,这一行动取得了成功。这是my comments Controller,仅显示创建和更新操作以及私有方法:Ruby on rails 测试用户是否可以';t更新/销毁另一个用户';s评论,ruby-on-rails,rspec,devise,Ruby On Rails,Rspec,Devise,在我的小应用程序中,用户可以发布评论。这些评论只能由其所有者销毁。我正在尝试登录一个用户,创建一条评论,注销一个用户,然后尝试删除第一个用户创建的评论。然而,由于某些原因,这一行动取得了成功。这是my comments Controller,仅显示创建和更新操作以及私有方法: module Api module V1 class CommentsController < Api::V1::BaseController before_action :check_use
module Api
module V1
class CommentsController < Api::V1::BaseController
before_action :check_user
before_action :get_comment, only: [:destroy, :update]
respond_to :json
def destroy
if @comment.destroy
head :no_content, status: :no_content
else
render json: serialize_model(@comment.errors)
end
end
def update
if @comment.update_attributes(comment_params)
render json: serialize_model(@comment), status: :accepted
else
render json: { errors: @comment.errors }, status: :bad_request
end
end
private
def comment_params
params.require(:comment).permit(:text, :picture_id)
end
def get_comment
@comment = Comment.find_by_id(params[:id])
check_owner
end
def check_user
render json: { errors: { user: "not signed in" } }, status: :unauthorized unless user_signed_in?
end
def check_owner
render json: { errors: { user: "not the owner" } }, status: :unauthorized unless current_user.id = @comment.id
end
end
end
end
describe 'PATCH /api/comments/:id' do
context 'when it is a valid request' do
let(:attr) do
{ text: 'update' }
end
before(:each) do
setup_requirements_with_login
@comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
patch :update, id: @comment.id, comment: attr , format: :json
end
it 'creates a resource' do
body = JSON.parse(response.body)
expect(body).to include('data')
data = body['data']
expect(data['attributes']['text']).to eq('update')
end
it 'responds with 202' do
expect(response).to have_http_status(202)
end
end
context 'when the user is not logged in' do
let(:attr) do
{ text: 'update' }
end
before(:each) do
setup_requirements_without_login
@comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
patch :update, id: @comment.id, comment: attr , format: :json
end
it_behaves_like "not logged in"
end
context 'when the user is not the owner' do
let(:attr) do
{ text: 'update' }
end
before(:each) do
setup_requirements_with_login
@comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
sign_out(@user)
logout
@user2 = FactoryGirl.create(:user)
sign_in(@user2)
patch :update, id: @comment.id, comment: attr , format: :json
end
it_behaves_like "not the owner"
end
end
describe 'DELETE /api/comments/:id' do
context 'when it is a valid request' do
before(:each) do
setup_requirements_with_login
@comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
delete :destroy, id: @comment.id, format: :json
end
it 'responds with 204' do
expect(response).to have_http_status(204)
end
end
context 'when the user is not logged in' do
before(:each) do
setup_requirements_without_login
@comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
delete :destroy, id: @comment.id, format: :json
end
it_behaves_like "not logged in"
end
context 'when the user is not the owner' do
before(:each) do
setup_requirements_with_login
@comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
sign_out(@user)
logout
@user2 = FactoryGirl.create(:user)
sign_in(@user2)
delete :destroy, id: @comment.id, format: :json
end
it_behaves_like "not the owner"
end
end
我的问题是,由于某种原因,当行动不应该成功时,它却成功了。我使用pry进行调试,这让我对测试产生了更多的疑问,因为它说当前用户的id为97,而测试创建的用户id为1001和1002,这非常奇怪。我在控制器上出错了吗?或测试?您的
检查\u所有者==unless current_user.id == @comment.id
@commentid当前用户.id这会自动将关联添加到SQL查询中(其中user_id=1337),如果未找到记录,bang方法(使用!)会抛出404异常。这是控制只有所有者才能访问自己的记录的最简单方法。我会尽快接受答案,所以请允许我。应该是@comment.user\u id哦,天哪。我是一个如此轻浮的人哦,好主意。非常感谢。
unless current_user.id == @comment.id
def get_comment
@comment = current_user.comments.find! params[:id]
end