Back story:
I’m developing a new Rails site for the local Ruby user group. I’m
using
Devise to provide authentication for separate user and admin classes.

Current task:
I’m working on the create/new function for the sponsor class. Sponsors
are
an independent class and are not tied to users, admins, or other
classes.
However, only admins should be allowed to create sponsors.

The problem:
In my sponsor controller tests, I’m unable to prevent users and
unauthenticated visitors from creating new sponsors without also
preventing
admins from doing so. Troubleshooting with the puts command reveals
that
the admin_signed_in? value is false EVEN AFTER loggin in.

The source code of this app is
at
https://github.com/jhsu802701/ruby_mn_site/tree/sponsors_create_controller
.

Excerpt from test/controllers/sponsors_controller_test.rb:

test ‘superadmin can create a new sponsor’ do
login_as @a1

assert_difference 'Sponsor.count', 1 do
  add_past
end

assert_difference 'Sponsor.count', 1 do
  add_current
end

logout :admin

end

test ‘regular admin can create a new sponsor’ do
login_as @a3

assert_difference 'Sponsor.count', 1 do
  add_past
end

assert_difference 'Sponsor.count', 1 do
  add_current
end

logout :admin

end

test ‘user cannot create a new sponsor’ do
login_as @u1

assert_no_difference 'Sponsor.count' do
  add_past
end

assert_no_difference 'Sponsor.count' do
  add_current
end

logout :user

end

test ‘an unregistered visitor cannot create a new sponsor’ do
assert_no_difference ‘Sponsor.count’ do
add_past
end

assert_no_difference 'Sponsor.count' do
  add_current
end

end

app/controllers/sponsors_controller.rb

class SponsorsController < ApplicationController
before_filter :admin_signed_in?, except: [:index, :show]

def index
@sponsors_current = Sponsor.where(‘current=?’, true)
@sponsors_past = Sponsor.where(‘current!=?’, true)
end

def show
@sponsor = Sponsor.find(params[:id])
end

def new
@sponsor = Sponsor.new
end

def create
puts admin_signed_in?
if admin_signed_in?
@sponsor = Sponsor.new(sponsor_params)
if @sponsor.save
flash[:info] = “Sponsor added.”
redirect_to sponsors_path
else
render ‘new’
end
else
redirect_to root_path
end
end

private
def sponsor_params
params.require(:sponsor).permit(:name, :phone, :description,
:contact_email, :contact_url,
:current)
end
end

On 11 December 2015 at 17:54, Jason H., Ruby on High Speed Rails
[email protected] wrote:

In my sponsor controller tests, I’m unable to prevent users and
unauthenticated visitors from creating new sponsors without also preventing
admins from doing so. Troubleshooting with the puts command reveals that
the admin_signed_in? value is false EVEN AFTER loggin in.

You do not appear to have shown us the admin_signed_in? method.

Colin

The admin_signed_in? method comes from the Devise gem.

Thanks. Yes, this was the problem. Now I understand that this is the
proper procedure for logging in for functional tests.

This raises another question: Given my use of if statements in my def
create function, is there any point to using before_filter or
before_action
in the controller? The before_filter/before_action statement doesn’t
replace the need for those if statements.

On 2015-Dec-11, at 13:12 , Jason H., Ruby on High Speed Rails
[email protected] wrote:

The admin_signed_in? method comes from the Devise gem.

Are you using the :admin scope to do the login?

I.e., somewhere in your login_as helper there should be something like?

sign_in :admin, some_user_who_is_admin

-Rob

On 2015-Dec-11, at 14:58 , Jason H., Ruby on High Speed Rails
[email protected] wrote:

Thanks. Yes, this was the problem. Now I understand that this is the proper
procedure for logging in for functional tests.

This raises another question: Given my use of if statements in my def create
function, is there any point to using before_filter or before_action in the
controller? The before_filter/before_action statement doesn’t replace the need
for those if statements.

You could have a before_action that was something like:

before_action :require_admin, except: [ :index, :show ]

def require_admin
unless admin_signed_in?
redirect_to not_authorized_url
end
end