Question

在我的小应用中，用户可以发表评论。这些评论只能由其所有者销毁。我正在尝试登录用户，创建注释，注销用户，然后尝试删除第一个用户创建的注释。然而，由于某种原因，这一行动成功了。这是我的评论控制器，仅显示创建和更新操作以及私有方法：

module Api
  module V1
    class CommentsController < Api::V1::BaseController
      before_action :check_user
      before_action :get_comment, only: [:destroy, :update]

      respond_to :json

        def destroy
        if @comment.destroy
          head :no_content, status: :no_content
        else
          render json: serialize_model(@comment.errors)
        end
      end

      def update
        if @comment.update_attributes(comment_params)
          render json: serialize_model(@comment), status: :accepted
        else
          render json: { errors: @comment.errors }, status: :bad_request
        end
      end

    private

        def comment_params
            params.require(:comment).permit(:text, :picture_id)
        end

      def get_comment
        @comment = Comment.find_by_id(params[:id])
        check_owner
      end

      def check_user
         render json: { errors: { user: "not signed in" } }, status: :unauthorized  unless user_signed_in?
      end

      def check_owner
        render json: { errors: { user: "not the owner" } }, status: :unauthorized  unless current_user.id = @comment.id
      end
    end
  end
end

这些是我测试的共同点：

 shared_context 'comments' do
    def setup_requirements_without_login
        @user = FactoryGirl.create(:user)
      @category = FactoryGirl.create(:category)
      @picture = FactoryGirl.create(:picture, category_id: @category.id, user_id: @user.id)
    end

    def setup_requirements_with_login
        setup_requirements_without_login
      sign_in(@user)
    end

    shared_examples 'not the owner' do
        it 'creates a resource' do
            body = JSON.parse(response.body)
            expect(body).to include('errors')
            data = body['errors']
            expect(data).to include('user')
        end

        it 'responds with 401' do
            expect(response).to have_http_status(401)
        end
    end
end

这些是更新和销毁操作的测试：要求＆＃34; rails_helper＆＃34; 包括Warden :: Test :: Helpers Warden.test_mode！

RSpec.describe Api :: V1 :: CommentsController，输入:: controller do include_context＆＃39;评论＆＃39;

describe 'PATCH /api/comments/:id' do
    context 'when it is a valid request' do
        let(:attr) do 
        { text: 'update' }
    end

        before(:each) do
            setup_requirements_with_login
            @comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
            patch :update, id: @comment.id, comment: attr , format: :json
        end

        it 'creates a resource' do
            body = JSON.parse(response.body)
            expect(body).to include('data')
            data = body['data']
            expect(data['attributes']['text']).to eq('update')
        end

        it 'responds with 202' do
            expect(response).to have_http_status(202)
        end
    end

    context 'when the user is not logged in' do
        let(:attr) do 
        { text: 'update' }
    end

        before(:each) do
            setup_requirements_without_login
            @comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
            patch :update, id: @comment.id, comment: attr , format: :json
        end

        it_behaves_like "not logged in"
    end

    context 'when the user is not the owner' do
        let(:attr) do 
        { text: 'update' }
    end

        before(:each) do
            setup_requirements_with_login
            @comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
            sign_out(@user)
            logout
            @user2 = FactoryGirl.create(:user)
            sign_in(@user2)
            patch :update, id: @comment.id, comment: attr , format: :json
        end

        it_behaves_like "not the owner"
    end
end

describe 'DELETE /api/comments/:id' do
    context 'when it is a valid request' do
        before(:each) do
            setup_requirements_with_login
        @comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
            delete :destroy, id: @comment.id, format: :json
        end

        it 'responds with 204' do
            expect(response).to have_http_status(204)
        end
    end

    context 'when the user is not logged in' do
        before(:each) do
            setup_requirements_without_login
            @comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
            delete :destroy, id: @comment.id, format: :json
        end

        it_behaves_like "not logged in"
    end

    context 'when the user is not the owner' do
        before(:each) do
            setup_requirements_with_login
            @comment = FactoryGirl.create(:comment, picture_id: @picture.id, user_id: @user.id)
            sign_out(@user)
            logout
            @user2 = FactoryGirl.create(:user)
            sign_in(@user2)
            delete :destroy, id: @comment.id, format: :json
        end

        it_behaves_like "not the owner"
    end
end

端

我的问题是，由于某些原因它不应该成功。我使用pry进行调试，这让我更加质疑测试，因为当测试使用id创建用户时，current_user的id为97：1001和1002非常奇怪....我在控制器中犯了错误吗？还是测试？

Answer 1

您的check_owner函数在其除非条件中应该==而不是=：

unless current_user.id == @comment.id

否则id中的@comment会被分配到current_user.id。这可能是你97. =）

的起源

Answer 2

  def get_comment
    @comment = current_user.comments.find! params[:id]
  end

这会自动将关联添加到SQL查询（其中user_id = 1337），而bang方法（使用！）会在未找到记录时抛出404异常。这是最简单的控制方法，只有所有者才能访问自己的记录。

测试用户无法更新/销毁其他用户的评论

2 个答案: