Add specs for NotificationsController [#311] #319
Conversation
| # Use callbacks to share common setup or constraints between actions. | ||
| def set_notification | ||
| begin | ||
| @notification = Notification.find(params[:id]) |
There was a problem hiding this comment.
This used to let users destroy notifications belonging to other users provided that they knew (or guessed) a valid Notification ID. I got rid of this before_action since it was only used in one place and was duplicating logic and used a more specific query in in #destroy.
| @@ -26,33 +31,14 @@ def fetch_notifications | |||
| end | |||
|
|
|||
| def signed_in | |||
| if !user_signed_in? | |||
| signed_in = -1 | |||
There was a problem hiding this comment.
This code wasn't reachable due to the if_not_signed_in before action. If the intent was for this endpoint to actually return -1 to un-authenticated users, I can restore this code and prevent the before action from acting on this action.
There was a problem hiding this comment.
So this code is being accessed in notifications.js:197. This was created to figure out whether the user is signed in from notifications.js.
There was a problem hiding this comment.
Your refactor should be fine 👍
| respond_to do |format| | ||
| format.html { redirect_to :back } | ||
| format.html { redirect_to :back } | ||
| format.json { head :no_content } | ||
| end | ||
| end | ||
|
|
||
| def clear |
There was a problem hiding this comment.
clear_notifications GET /notifications/clear(.:format) notifications#clear
fetch_notifications_notifications GET /notifications/fetch_notifications(.:format) notifications#fetch_notifications
signed_in_notifications GET /notifications/signed_in(.:format) notifications#signed_in
notifications GET /notifications(.:format) notifications#index
notification DELETE /notifications/:id(.:format) notifications#destroy
I don't think the route for clear should be using HTTP GET since destroying all notifications for a user is a very stateful request. It's also susceptible to CSRF attacks since a malicious user could give someone a relatively benign looking link like http://if-me.org/notifications/clear and the act of clicking on it (provided they were logged in) would delete all of their notifications whether they liked it or not.
Mind if I create an issue for switching this over?
Edit: logged #320
There was a problem hiding this comment.
Thanks for pointing this out! Definitely fix this 💯
|
Looks like @esBeee also made a PR related to the notifications controller (#316). Can you two sync on this? Also @esBeee, please email us at join.ifme@gmail.com to be added to our Slack. |
| @@ -1,20 +1,25 @@ | |||
| class NotificationsController < ApplicationController | |||
| before_filter :if_not_signed_in | |||
| before_action :set_notification, only: [:destroy] | |||
There was a problem hiding this comment.
I like what @esBeee did to secure notifications https://github.com/julianguyen/ifme/pull/316/files#diff-e7d2878d7ccecd38f6e3a83b5cf85053R73
There was a problem hiding this comment.
Cool, glad someone else noticed it earlier! I'll sync up and work my changes around theirs. Thanks for the heads up.
| describe '#fetch_notifications' do | ||
| let(:user) { FactoryGirl.create(:user1) } | ||
| let(:other_user) { FactoryGirl.create(:user2) } | ||
| let!(:other_user_notification) do |
There was a problem hiding this comment.
It's necessary for this one because I wanted to make sure that we were testing that fetch_notifications only returned the current user's notifications. Since this let is never explicitly invoked anywhere in the test, this second notification won't be created without the !.
|
What's the status on this @tcdowney? |
|
@tcdowney Can you rebase and let me know when it's ready to merge? Thanks :) |
tcdowney
force-pushed
the
pr/311-notifications_controller_spec
branch
from
94c0ccb to
3538e8e
Compare
- includes some minor refactoring of the notifications controller
tcdowney
force-pushed
the
pr/311-notifications_controller_spec
branch
from
3538e8e to
7e2057a
Compare
|
I rebased this branch with what's on |
|
Not sure, I'm going to rebuild your PR on CI. |
EDIT: Hmm I'm wondering if anything needs to be set up with CircleCI from your end... |
|
@tcdowney Hmm maybe you need to add yourself to the if me CircleCI org? |
|
@julianguyen, @tcdowney I don't know what this happens andela-oesho for example, have made a "passed" build... Having an account or not, should not matters to build pass or not, I will rebuild to see. |
|
@brunoocasali Are things working now? |
|
I can't understand what happened on this PR, but it already merged, we need to merge the #339 to get the new features of continuous integration (by the way there are the changes about C.I.) I suppose when he goes to be merged we have no more problems with it :D |
Issue: #311
This includes some minor refactoring of the NotificationsController.