Sha256: 5ea882caf88bbc4edc28f1064702c26a2322ff85fbfedb2fac45cf0d810eec1f

Contents?: true

Size: 1.77 KB

Versions: 16

Compression:

Stored size: 1.77 KB

Contents

# frozen_string_literal: true

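RSpec.feature 'User update', type: :request do
  context 'CSRF protection' do
    # Exercise every built-in Rails forgery-protection strategy. Per Rails'
    # documentation, `:exception` raises `ActionController::InvalidAuthenticityToken`
    # on a token mismatch, while `:reset_session` and `:null_session` discard the
    # session so the request is handled as anonymous. Whatever the strategy does
    # with the forged request, it must not be able to change the logged-in
    # user's account.
    %i[exception reset_session null_session].each do |strategy|
      # Completely clean the configuration of forgery protection for the
      # controller and reset it after the expectations. However, besides `:with`,
      # the options given to `protect_from_forgery` are processed on the fly.
      # I.e., there's no way to retain them. The initial setup corresponds to the
      # dummy application, which uses the default Rails skeleton in that regard.
      # So, if at some point Rails changed the given options, we should update it
      # here.
      #
      # The restore runs in an `ensure` block: `allow_forgery_protection` and the
      # strategy are class-level state on a controller shared by the whole suite,
      # so they must be put back even if `example.run` itself raises (e.g. a
      # failing hook); otherwise later examples would run with the wrong CSRF
      # configuration and could pass or fail for the wrong reason.
      around do |example|
        controller = Spree::UsersController
        old_allow_forgery_protection_value = controller.allow_forgery_protection
        old_forgery_protection_strategy = controller.forgery_protection_strategy

        begin
          controller.skip_forgery_protection
          controller.allow_forgery_protection = true
          controller.protect_from_forgery with: strategy

          example.run
        ensure
          controller.allow_forgery_protection = old_allow_forgery_protection_value
          controller.forgery_protection_strategy = old_forgery_protection_strategy
        end
      end

      it "is not possible to take account over with the #{strategy} forgery protection strategy" do
        user = create(:user, email: 'legit@mail.com', password: 'password')

        # Authenticate first (forgery protection was enabled above only on
        # `Spree::UsersController`; `/login` is presumably served by a different
        # controller, so the missing token does not block the login itself).
        # Then simulate a cross-site form submission against the user update
        # endpoint: a form-encoded body with no `authenticity_token` parameter
        # and no `X-CSRF-Token` header, riding on the session cookie only.
        #
        # NOTE(review): the `123456` in the path is arbitrary; this spec relies on
        # the update action operating on the logged-in user rather than on the id
        # in the URL. If the controller ever started resolving the id, the request
        # would target a non-existent record and this spec would pass vacuously —
        # confirm against `Spree::UsersController#update` when touching either.
        post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
        begin
          put '/users/123456', params: 'user[email]=hacked@example.com'
        rescue
          # testing that the account is not compromised regardless of any raised
          # exception: the `:exception` strategy raises
          # `ActionController::InvalidAuthenticityToken`, the other two return a
          # response. The rescue is deliberately broad — a failure of this spec
          # must mean the email changed, not that the request blew up.
        end

        # The security property under test: the forged request must not have
        # altered the logged-in user's email.
        #
        # NOTE(review): there is no positive control here (the same PUT with a
        # valid token updating the email), so an update action that is simply
        # broken would also make this spec pass. Worth adding alongside.
        expect(user.reload.email).to eq('legit@mail.com')
      end
    end
  end
end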

Version data entries

16 entries across 16 versions & 2 rubygems

Version Path
spree_auth_devise-4.6.3 spec/requests/spree/frontend/user_update_spec.rb
spree_auth_devise-4.6.2 spec/requests/spree/frontend/user_update_spec.rb
spree_auth_devise-4.6.1 spec/requests/spree/frontend/user_update_spec.rb
solidus_auth_devise-2.5.9 spec/requests/spree/frontend/user_update_spec.rb
spree_auth_devise-4.6.0 spec/requests/spree/frontend/user_update_spec.rb
solidus_auth_devise-2.5.8 spec/requests/spree/frontend/user_update_spec.rb
spree_auth_devise-4.5.0 spec/requests/spree/frontend/user_update_spec.rb
solidus_auth_devise-2.5.7 spec/requests/spree/frontend/user_update_spec.rb
solidus_auth_devise-2.5.6 spec/requests/spree/frontend/user_update_spec.rb
solidus_auth_devise-2.5.5 spec/requests/spree/frontend/user_update_spec.rb
spree_auth_devise-4.4.2 spec/requests/spree/frontend/user_update_spec.rb
spree_auth_devise-4.0.1 spec/requests/spree/frontend/user_update_spec.rb
spree_auth_devise-4.1.1 spec/requests/spree/frontend/user_update_spec.rb
spree_auth_devise-4.2.1 spec/requests/spree/frontend/user_update_spec.rb
spree_auth_devise-4.4.1 spec/requests/spree/frontend/user_update_spec.rb
solidus_auth_devise-2.5.4 spec/requests/spree/frontend/user_update_spec.rb