raising actual ActionController::Forbidden error, test for the raise …

…in functional tests. test for the response code in acceptance test.

README.textile

@@ -26,7 +26,7 @@ In config/environments/test.rb:
     config.gem 'thoughtbot-factory_girl',
       :lib     => 'factory_girl',
       :source  => "http://gems.github.com", 
-      :version => '>= 1.1.5'
+      :version => '>= 1.2.0'
 
 Then:
 

Rakefile

@@ -13,7 +13,7 @@ namespace :test do
   end
 
   Cucumber::Rake::Task.new(:features) do |t|
-    t.cucumber_opts = "--format progress"
+    t.cucumber_opts = "--format pretty"
     t.feature_pattern = 'test/rails_root/features/*.feature'
   end  
 end

generators/clearance_features/templates/features/password_reset.feature

@@ -1,4 +1,4 @@
-Fature: Password Reset
+Feature: Password Reset
   In order to sign in even if he forgot his password
   A user
   Should be able to reset it
@@ -30,3 +30,10 @@ Fature: Password Reset
       And I sign in as "email@person.com/newpassword"
       Then I should be signed in
 
+    Scenario: User requests password reset without token
+      Given a user exists with an email of "user@one.com"
+      When I try to change the password of "user@one.com" without token
+      Then I should be forbidden
+
+
+

generators/clearance_features/templates/features/step_definitions/clearance_steps.rb

@@ -4,7 +4,13 @@
   Then %{I should see "error(s)? prohibited"}
 end
 
-# DB
+# Database
+
+Factory.factories.each do |name, factory|
+  Given /^an? #{name} exists with an? (.*) of "([^"]*)"$/ do |attr, value|
+    Factory(name, attr.gsub(' ', '_') => value)
+  end
+end
 
 Given /^there is no user with "(.*)"$/ do |email|
   assert_nil User.find_by_email(email)
@@ -68,6 +74,16 @@
   visit edit_user_password_path(:user_id => user, :token => user.token)
 end
 
+When /^I try to change the password of "(.*)" without token$/ do |email|
+  user = User.find_by_email(email)
+  visit edit_user_password_path(:user_id => user)
+end
+
+Then /^I should be forbidden$/ do
+  assert_response :forbidden
+end
+
+
 # Actions
 
 When /^I sign in( with "remember me")? as "(.*)\/(.*)"$/ do |remember, email, password|

generators/clearance_features/templates/features/support/paths.rb

@@ -10,7 +10,6 @@ def path_to(page_name)
       new_session_path
     when /the password reset request page/i
       new_password_path
-
 
     # Add more page name => path mappings here
 

lib/clearance.rb

@@ -1,5 +1,5 @@
-class Forbidden < Exception; end
-
+require 'clearance/lib/extensions/errors'
+require 'clearance/lib/extensions/rescue'
 require 'clearance/app/controllers/application_controller'
 require 'clearance/app/controllers/confirmations_controller'
 require 'clearance/app/controllers/passwords_controller'

lib/clearance/app/controllers/application_controller.rb

@@ -7,8 +7,6 @@ def self.included(controller)
           controller.send(:include, InstanceMethods)
 
           controller.class_eval do
-            rescue_from Forbidden, :with => :forbid
-
             helper_method :current_user
             helper_method :signed_in?
 
@@ -78,10 +76,6 @@ def deny_access(flash_message = nil, opts = {})
             flash[:failure] = flash_message if flash_message
             render :template => "/sessions/new", :status => :unauthorized 
           end
-
-          def forbid
-            render :nothing => true, :status => :forbidden
-          end
         end
 
       end

lib/clearance/app/controllers/confirmations_controller.rb

@@ -35,15 +35,21 @@ module PrivateMethods
 
           def forbid_confirmed_user
             user = User.find_by_id(params[:user_id])
-            raise Forbidden if user && user.email_confirmed?
+            if user && user.email_confirmed?
+              raise ActionController::Forbidden, "confirmed user"
+            end
           end
 
           def forbid_missing_token
-            raise Forbidden if params[:token].blank?
+            if params[:token].blank?
+              raise ActionController::Forbidden, "missing token"
+            end
           end
 
           def forbid_non_existant_user
-            raise Forbidden unless User.find_by_id_and_token(params[:user_id], params[:token])
+            unless User.find_by_id_and_token(params[:user_id], params[:token])
+              raise ActionController::Forbidden, "non-existant user"
+            end
           end
 
           def url_after_create

lib/clearance/app/controllers/passwords_controller.rb

@@ -52,11 +52,15 @@ module PrivateMethods
           private
 
           def forbid_missing_token
-            raise Forbidden if params[:token].blank?
+            if params[:token].blank?
+              raise ActionController::Forbidden, "missing token"
+            end
           end
 
           def forbid_non_existant_user
-            raise Forbidden unless User.find_by_id_and_token(params[:user_id], params[:token])
+            unless User.find_by_id_and_token(params[:user_id], params[:token])
+              raise ActionController::Forbidden, "non-existant user"
+            end
           end
 
           def url_after_create

lib/clearance/lib/extensions/errors.rb

@@ -0,0 +1,4 @@
+module ActionController
+  class Forbidden < StandardError
+  end
+end

lib/clearance/lib/extensions/rescue.rb

@@ -0,0 +1 @@
+ActionController::Base.rescue_responses.update('ActionController::Forbidden' => :forbidden)

lib/clearance/test/functional/confirmations_controller_test.rb

@@ -27,42 +27,39 @@ def self.included(controller_test)
                 should_redirect_to_url_after_create
               end
 
-              context "on GET to #new with incorrect token" do
+              context "with an incorrect token" do
                 setup do 
-                  bad_token = "bad token"
-                  assert_not_equal bad_token, @user.token
-                  get :new, :user_id => @user.to_param, :token => bad_token
+                  @bad_token = "bad token"
+                  assert_not_equal @bad_token, @user.token
                 end
 
-                should_forbid
+                should_forbid "on GET to #new with incorrect token" do
+                  get :new, :user_id => @user.to_param, :token => @bad_token
+                end
               end
 
-              context "on GET to #new with blank token" do
-                setup { get :new, :user_id => @user.to_param, :token => "" }
-                should_forbid
+              should_forbid "on GET to #new with blank token" do
+                get :new, :user_id => @user.to_param, :token => ""
               end
 
-              context "on GET to #new with no token" do
-                setup { get :new, :user_id => @user.to_param }
-                should_forbid
+              should_forbid "on GET to #new with no token" do
+                get :new, :user_id => @user.to_param
               end
             end
 
             context "a user with email confirmed" do
               setup { @user = Factory(:email_confirmed_user) }
 
-              context "on GET to #new with correct id" do
-                setup { get :new, :user_id => @user.to_param }
-                should_forbid
+              should_forbid "on GET to #new with correct id" do
+                get :new, :user_id => @user.to_param
               end
             end
 
             context "no users" do
               setup { assert_equal 0, User.count }
 
-              context "on GET to #new with nonexistent id and token" do
-                setup { get :new, :user_id => '123', :token => '123' }
-                should_forbid
+              should_forbid "on GET to #new with nonexistent id and token" do
+                get :new, :user_id => '123', :token => '123'
               end
             end
 

lib/clearance/test/functional/passwords_controller_test.rb

@@ -90,14 +90,12 @@ def self.included(controller_test)
                 should_display_a_password_update_form
               end
 
-              context "on GET to #edit with correct id but blank token" do
-                setup { get :edit, :user_id => @user.to_param, :token => "" }
-                should_forbid
+              should_forbid "on GET to #edit with correct id but blank token" do
+                get :edit, :user_id => @user.to_param, :token => ""
               end
 
-              context "on GET to #edit with correct id but no token" do
-                setup { get :edit, :user_id => @user.to_param }
-                should_forbid
+              should_forbid "on GET to #edit with correct id but no token" do
+                get :edit, :user_id => @user.to_param
               end
 
               context "on PUT to #update with matching password and password confirmation" do
@@ -158,30 +156,20 @@ def self.included(controller_test)
                 should_display_a_password_update_form                       
               end
 
-              context "on PUT to #update with id but no token" do
-                setup { put :update, :user_id => @user.to_param, :token => "" }
-
-                should "not update password" do
-                  assert_not_equal @encrypted_new_password, @user.encrypted_password
-                end
-
-                should_forbid                  
+              should_forbid "on PUT to #update with id but no token" do
+                put :update, :user_id => @user.to_param, :token => ""
               end
             end
 
-            context "given two users" do
+            context "given two users and user one signs in" do
               setup do
                 @user_one = Factory(:user)
                 @user_two = Factory(:user)
+                sign_in_as @user_one
               end
 
-              context "when user one signs in" do
-                setup { sign_in_as @user_one }
-
-                context "and tries to change user two's password" do
-                  setup { get :edit, :user_id => @user_two.to_param }
-                  should_forbid
-                end
+              should_forbid "when user one tries to change user two's password on GET with no token" do
+                get :edit, :user_id => @user_two.to_param
               end
             end  
           end

shoulda_macros/clearance.rb

@@ -55,9 +55,12 @@ def should_deny_access(opts = {})
 
     # HTTP FLUENCY
 
-    def should_forbid 
-      should_respond_with :forbidden
-      should_render_nothing
+    def should_forbid(description, &block)
+      should "forbid #{description}" do
+        assert_raises ActionController::Forbidden do
+          instance_eval(&block)
+        end
+      end
     end
 
     # CONTEXTS

test/rails_root/config/environments/test.rb

@@ -23,11 +23,11 @@
 
 HOST = "localhost"
 
-  config.gem 'thoughtbot-shoulda',
-    :lib     => 'shoulda',
-    :source  => "http://gems.github.com", 
-    :version => '>= 2.9.1'
-  config.gem 'thoughtbot-factory_girl',
-    :lib     => 'factory_girl',
-    :source  => "http://gems.github.com", 
-    :version => '>= 1.1.5'
+config.gem 'thoughtbot-shoulda',
+  :lib     => 'shoulda',
+  :source  => "http://gems.github.com", 
+  :version => '>= 2.9.1'
+config.gem 'thoughtbot-factory_girl',
+  :lib     => 'factory_girl',
+  :source  => "http://gems.github.com", 
+  :version => '>= 1.2.0'