cucumber-rails generated environment - csrf protection is turned off by default?


nruth

Jul 8, 2010, 11:14:34 AM
to Cukes
Does it make sense to change this default? I can see how it fits with
unit tests & controller specs but not full-stack testing where we're
driving the real pages with rack-test / selenium / etc.

It's actually a problem if you are doing something like Paypal IPN
integration where a request comes in from outside and you want to
simulate that with e.g.

post(payment_notifications_path, params_stuff)

This will fail in the full stack unless you have
protect_from_forgery :except => [:create]. With the cucumber defaults
it won't catch this.

It could also be useful to turn this on/off selectively (e.g. tagging)
but I can't figure out how to do that.

Thoughts?

aslak hellesoy

Jul 8, 2010, 11:36:44 AM
to cu...@googlegroups.com
On Thu, Jul 8, 2010 at 5:14 PM, nruth <nick.ru...@gmail.com> wrote:
> Does it make sense to change this default?

What cucumber-rails-generated file are you talking about?

Aslak


nruth

Jul 9, 2010, 9:15:19 AM
to Cukes
environment/cucumber.rb around line 17

# Disable request forgery protection in test environment
config.action_controller.allow_forgery_protection = false


aslak hellesoy

Jul 9, 2010, 9:26:37 AM
to cu...@googlegroups.com

Thanks. Please file a bug report.

Aslak
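
One way to do the per-tag toggling asked about in the first post, as an added example that is not from the thread or from cucumber-rails itself. The `@csrf` tag, the support file name and the `FakeBase` stand-in are assumptions; the helper restores the previous setting so a tagged scenario does not leak forgery protection into the rest of the run.

```ruby
# features/support/forgery_protection.rb (hypothetical file name)

# Set allow_forgery_protection on `base` for the duration of the block and
# restore the previous value afterwards, even if the scenario raises.
# In a real suite `base` is ActionController::Base.
def with_forgery_protection(base, enabled = true)
  previous = base.allow_forgery_protection
  begin
    base.allow_forgery_protection = enabled
    yield
  ensure
    base.allow_forgery_protection = previous
  end
end

# Register the hook only when Rails and Cucumber are loaded, so this file
# also runs stand-alone. '@csrf' is a hypothetical tag name.
if defined?(ActionController::Base) && respond_to?(:Around, true)
  Around('@csrf') do |_scenario, block|
    with_forgery_protection(ActionController::Base) { block.call }
  end
end

# Constructed stand-in so the helper can be exercised without Rails.
FakeBase = Struct.new(:allow_forgery_protection)

def demo
  base = FakeBase.new(false) # the generated cucumber default
  inside = with_forgery_protection(base) { base.allow_forgery_protection }
  after_failure = begin
    with_forgery_protection(base) { raise 'scenario failed' }
  rescue RuntimeError
    base.allow_forgery_protection
  end
  [inside, after_failure, base.allow_forgery_protection]
end
```

A scenario that simulates the external IPN POST can then be tagged `@csrf`, so it fails when the `protect_from_forgery :except` exemption is missing from the controller.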
