require 'spec_helper'

module RailsBestPractices
  module Reviews
    describe ProtectMassAssignmentReview do
      let(:runner) { Core::Runner.new(prepares: [Prepares::GemfilePrepare.new, Prepares::ConfigPrepare.new, Prepares::InitializerPrepare.new],
                                      reviews: ProtectMassAssignmentReview.new) }

      it "should protect mass assignment" do
        content =<<-EOF
        class User < ActiveRecord::Base
        end
        EOF
        runner.review('app/models/user.rb', content)
        expect(runner.errors.size).to eq(1)
        expect(runner.errors[0].to_s).to eq("app/models/user.rb:1 - protect mass assignment")
      end

      it "should not protect mass assignment if attr_accessible is used with arguments and user set config.active_record.whitelist_attributes" do
        content =<<-EOF
        module RailsBestPracticesCom
          class Application < Rails::Application
            config.active_record.whitelist_attributes = true
          end
        end
        EOF
        runner.prepare('config/application.rb', content)
        content =<<-EOF
        class User < ActiveRecord::Base
          attr_accessible :email, :password, :password_confirmation
        end
        EOF
        runner.review('app/models/user.rb', content)
        expect(runner.errors.size).to eq(0)
      end

      it "should not protect mass assignment if attr_accessible is used without arguments and user set config.active_record.whitelist_attributes" do
        content =<<-EOF
        module RailsBestPracticesCom
          class Application < Rails::Application
            config.active_record.whitelist_attributes = true
          end
        end
        EOF
        runner.prepare('config/application.rb', content)
        content =<<-EOF
        class User < ActiveRecord::Base
          attr_accessible
        end
        EOF
        runner.review('app/models/user.rb', content)
        expect(runner.errors.size).to eq(0)
      end

      it "should not protect mass assignment with attr_protected if user set config.active_record.whitelist_attributes" do
        content =<<-EOF
        module RailsBestPracticesCom
          class Application < Rails::Application
            config.active_record.whitelist_attributes = true
          end
        end
        EOF
        runner.prepare('config/application.rb', content)
        content =<<-EOF
        class User < ActiveRecord::Base
          attr_protected :role
        end
        EOF
        runner.review('app/models/user.rb', content)
        expect(runner.errors.size).to eq(0)
      end

      it "should not protect mass assignment if using devise" do
        content =<<-EOF
        class User < ActiveRecord::Base
          devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 20
        end
        EOF
        runner.review('app/models/user.rb', content)
        expect(runner.errors.size).to eq(0)
      end

      it "should not protect mass assignment if using authlogic with configuration" do
        content =<<-EOF
        class User < ActiveRecord::Base
          acts_as_authentic do |c|
            c.my_config_option = my_value
          end
        end
        EOF
        runner.review('app/models/user.rb', content)
        expect(runner.errors.size).to eq(0)
      end

      it "should not protect mass assignment if using authlogic without configuration" do
        content =<<-EOF
        class User < ActiveRecord::Base
          acts_as_authentic
        end
        EOF
        runner.review('app/models/user.rb', content)
        expect(runner.errors.size).to eq(0)
      end

      it "should not protect mass assignment if checking non ActiveRecord::Base inherited model" do
        content =<<-EOF
        class User < Person
        end
        EOF
        runner.review('app/models/user.rb', content)
        expect(runner.errors.size).to eq(0)
      end

      context "strong_parameters" do
        it "should not protect mass assignment for strong_parameters" do
          content =<<-EOF
          class User < ActiveRecord::Base
            include ActiveModel::ForbiddenAttributesProtection
          end
          EOF
          runner.review('app/models/user.rb', content)
          expect(runner.errors.size).to eq(0)
        end

        it "should not protect mass assignment for strong_parameters" do
          content =<<-EOF
          class AR
            ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
          end
          EOF
          runner.prepare('config/initializers/ar.rb', content)
          content =<<-EOF
          class User < ActiveRecord::Base
          end
          EOF
          runner.review('app/models/user.rb', content)
          expect(runner.errors.size).to eq(0)
        end
      end

      context "activerecord 4" do
        it "should not protect mass assignment for activerecord 4" do
          content =<<-EOF
  GEM
    remote: http://rubygems.org
    specs:
      activerecord (4.0.0)
          EOF
          runner.prepare('Gemfile.lock', content)
          content =<<-EOF
          class User < ActiveRecord::Base
          end
          EOF
          runner.review('app/models/user.rb', content)
          expect(runner.errors.size).to eq(0)
        end

        it "should protect mass assignment for activerecord 3" do
          content =<<-EOF
  GEM
    remote: http://rubygems.org
    specs:
      activerecord (3.2.13)
          EOF
          runner.prepare('Gemfile.lock', content)
          content =<<-EOF
          class User < ActiveRecord::Base
          end
          EOF
          runner.review('app/models/user.rb', content)
          expect(runner.errors.size).to eq(1)
        end
      end

      it "should not check ignored files" do
        runner = Core::Runner.new(prepares: [Prepares::GemfilePrepare.new, Prepares::ConfigPrepare.new, Prepares::InitializerPrepare.new],
                                  reviews: ProtectMassAssignmentReview.new(ignored_files: /app\/models\/user\.rb/))
        content =<<-EOF
        class User < ActiveRecord::Base
        end
        EOF
        runner.review('app/models/user.rb', content)
        expect(runner.errors.size).to eq(0)
      end
    end
  end
end