spec/zen/package/comments/controller/comments.rb in zen-0.3 vs spec/zen/package/comments/controller/comments.rb in zen-0.4
- old
+ new
@@ -1,8 +1,8 @@
require File.expand_path('../../../../../helper', __FILE__)
-describe('Comments::Controller::Comments') do
+describe 'Comments::Controller::Comments' do
behaves_like :capybara
index_url = Comments::Controller::Comments.r(:index).to_s
edit_url = Comments::Controller::Comments.r(:edit).to_s
save_button = lang('comments.buttons.save')
@@ -28,75 +28,79 @@
:before_delete_comment,
:after_delete_comment
)
end
- it('Submit a form without a CSRF token') do
- response = page.driver.post(
- Comments::Controller::Comments.r(:save).to_s
- )
-
- response.body.include?(lang('zen_general.errors.csrf')).should == true
- response.status.should == 403
- end
-
- it('Find no existing comments') do
+ it 'Find no existing comments' do
message = lang('comments.messages.no_comments')
visit(index_url)
page.has_content?(message).should == true
page.has_selector?('table tbody tr').should == false
end
- it('Create a new comment') do
+ it 'Create a new comment' do
comment = Comments::Model::Comment.create(
- :user_id => 1,
+ :user_id => user_id,
:section_entry_id => entry.id,
:email => 'spec@domain.tld',
:comment => 'Spec comment'
)
message = lang('comments.messages.no_comments')
visit(index_url)
+ comment.exists?.should == true
page.has_content?(message).should == false
page.has_selector?('table tbody tr').should == true
end
- it('Search for a comment') do
+ it 'Try to edit an existing comment with a missing CSRF token' do
visit(index_url)
+ click_link('Spec comment')
+
+ within '#comment_form' do
+ find('input[name="csrf_token"]').set('')
+ click_on(save_button)
+ end
+
+ page.has_content?(lang('zen_general.errors.csrf')).should == true
+ end
+
+ it 'Search for a comment' do
+ visit(index_url)
search_button = lang('zen_general.buttons.search')
error = lang('zen_general.errors.invalid_search')
- within('#search_form') do
+ within '#search_form' do
fill_in('query', :with => 'Spec comment')
click_on(search_button)
end
page.has_content?(error).should == false
page.has_content?('Spec comment').should == true
- within('#search_form') do
+ within '#search_form' do
fill_in('query', :with => 'spec@domain.tld')
click_on(search_button)
end
page.has_content?(error).should == false
page.has_content?('Spec comment').should == true
- within('#search_form') do
+ within '#search_form' do
fill_in('query', :with => 'does not exist')
click_on(search_button)
end
page.has_content?(error).should == false
page.has_content?('Spec comment').should == false
end
- it('Edit an existing comment') do
+ it 'Edit an existing comment' do
event_comment = nil
event_comment2 = nil
comment = 'Spec modified 123'
Zen::Event.listen(:before_edit_comment) do |comment|
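Review bot: The replacement CSRF test at L49-L58 drops the `response.status.should == 403` assertion that the removed test had, so a handler that re-renders the form with the error message under a 200 would still pass; with the rack_test driver the status is available, e.g. `page.status_code.should == 403`. It also sets the token to an empty string rather than omitting it, so the case the title names — a request with no `csrf_token` parameter at all — is no longer exercised, and a blank and an absent token can take different paths in a token check; keeping the old driver-level `page.driver.post(Comments::Controller::Comments.r(:save).to_s)` as a second case would cover both. The `it 'Edit an existing comment'` block starting at L88 continues past the end of this hunk.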
@@ -110,11 +114,11 @@
visit(index_url)
click_link('Spec comment')
current_path.should =~ /#{edit_url}\/[0-9]+/
- within('#comment_form') do
+ within '#comment_form' do
fill_in('comment', :with => comment)
select(lang('comments.labels.open'), :from => 'comment_status_id')
click_on(save_button)
end
@@ -131,42 +135,72 @@
# Modify the comment using an event
Zen::Event.listen(:before_edit_comment) do |comment|
comment.comment = 'Spec comment modified'
end
- within('#comment_form') do
+ within '#comment_form' do
click_on(save_button)
end
page.find('textarea[name="comment"]') \
.value.should == 'Spec comment modified'
end
- it('Edit an existing comment with invalid data') do
+ it 'Edit an existing comment with invalid data' do
visit(index_url)
click_link('Spec comment')
current_path.should =~ /#{edit_url}\/[0-9]+/
- within('#comment_form') do
+ within '#comment_form' do
fill_in('comment', :with => '')
click_on(save_button)
end
page.has_selector?('span.error').should == true
end
- it('Fail to delete a set of comments without IDs') do
+ enable_javascript
+
+ it 'Automatically save a comment' do
+ visit(index_url)
+ click_link('Spec comment')
+
+ within '#comment_form' do
+ fill_in('comment', :with => 'Spec comment autosave')
+ end
+
+ autosave_form('comment_form')
+
+ visit(index_url)
+
+ # Comments are truncated in the index overview.
+ page.has_content?('Spec comment au...').should == true
+
+ click_link('Spec comment au...')
+
+ within '#comment_form' do
+ fill_in('comment', :with => 'Spec comment modified')
+ click_on(save_button)
+ end
+
+ page.has_selector?('span.error').should == false
+ page.find('textarea[name="comment"]').value.should == 'Spec comment modified'
+ end
+
+ disable_javascript
+
+ it 'Fail to delete a set of comments without IDs' do
delete_button = lang('comments.buttons.delete')
visit(index_url)
click_on(delete_button)
page.has_selector?('input[name="comment_ids[]"]').should == true
end
- it('Delete an existing comment') do
+ it 'Delete an existing comment' do
delete_button = lang('comments.buttons.delete')
message = lang('comments.messages.no_comments')
event_comment = nil
event_comment2 = nil
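Review bot: The autosave test at L130-L154 only checks that the autosaved text appears in the index; it does not assert that the background autosave request is subject to the same CSRF check the regular save is tested for at L49-L58, even though a non-form request is the more likely place for a token to go missing. I cannot tell from the hunk how `autosave_form` issues the request or whether the endpoint enforces the token, but a companion case that blanks `input[name="csrf_token"]` before calling `autosave_form('comment_form')` and expects `lang('zen_general.errors.csrf')` would close that gap. The hard-coded `'Spec comment au...'` at L143 and L145 also couples the test to the index truncation length, so a changed truncation breaks both `has_content?` and `click_link` for reasons unrelated to autosave; matching a prefix such as `/Spec comment au/` would be more robust. The `it 'Delete an existing comment'` block starting at L165 continues past the end of this hunk.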
@@ -185,9 +219,46 @@
page.has_content?(message).should == true
page.has_selector?('table tbody tr').should == false
event_comment.should == 'Spec comment modified'
event_comment2.should == event_comment
+ end
+
+ it 'Comments should not be able to use Etanni tags' do
+ comment = Comments::Model::Comment.create(
+ :user_id => user_id,
+ :section_entry_id => entry.id,
+ :email => 'spec@domain.tld',
+ :comment => '<?r puts "hello" ?>'
+ )
+
+ comment.exists?.should == true
+
+ # Loofah completely strips the <?r ?> tags so all that remains are two
+ # backslashes.
+ comment.comment.should == '\\'
+
+ # Lets try #{}
+ comment.comment = 'hello #{name}'
+ comment.save
+
+ comment.comment.should == 'hello \#\{name\}'
+
+ comment.destroy
+ end
+
+ it 'Comments should not contain evil HTML elements' do
+ comment = Comments::Model::Comment.create(
+ :user_id => user_id,
+ :section_entry_id => entry.id,
+ :email => 'spec@domain.tld',
+ :comment => '<script src="foobar.js"></script>'
+ )
+
+ comment.exists?.should == true
+ comment.comment.empty?.should == true
+
+ comment.destroy
end
entry.destroy
section.destroy
end
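Review bot: The comment at L187-L188 says the stripped `<?r ?>` tag leaves "two backslashes", but the expected value `'\\'` on L189 is a single-quoted literal containing exactly one backslash, so the comment and the assertion disagree; if one backslash is what is left, the comment should read `# Loofah strips the <?r ?> tag entirely, leaving a single backslash.` The "evil HTML" test at L200-L211 covers only a `<script src>` element, which is the most basic case; the inputs that tend to slip past an allow-list are event-handler attributes and `javascript:` URLs, so adding a create with `'<img src="x" onerror="alert(1)">'` and one with `'<a href="javascript:alert(1)">x</a>'`, each asserting the attribute is gone from `comment.comment`, would give the sanitizer check real teeth. Both new tests also reach `comment.destroy` only if every preceding assertion passes, so a failure leaves a comment row behind for the `entry.destroy` at L213; a cleanup that runs regardless of the outcome would avoid cascading failures.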