prix-fixe


Disable CSRF-protection when in test environment

This commit addresses the previous error:

Error:
  NotesControllerTest#test_#create_persists_a_Note_record:
  DRb::DRbRemoteError: ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken)
  test/controllers/notes_controller_test.rb|7| in `block in <class:NotesControllerTest>'

This error message is related to the fact that our controller tests are making POST requests to our server without a valid Cross-Site Request Forgery Protection authenticity token. In a previous commit, we modified the Rails test environment default value so that our system tests would require a valid token.

That change was made so that our tests could be strict about the contents of our page’s <form> elements. Since our system tests exercise our system in a way that is most similar to our end-users, being strict about security measures is important.

On the other hand, our controller tests interact with our application strictly through HTTP requests, one layer of abstraction removed from a web browser. With this in mind, returning to the Rails-provided defaults feels like an appropriate trade-off between security and test-code clarity and simplicity.

To account for that, this commit also adds setup and teardown hooks to our ApplicationSystemTestCase to toggle CSRF-protection on for system tests.

With those configuration changes in place, our system tests are still passing, and our controller tests are raising more actionable error messages:

Failure:
NotesControllerTest#test_#create_persists_a_Note_record [test/controllers/notes_controller_test.rb:10]:
Expected: []
  Actual: ["Hello, World"]
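The pattern this commit describes, as an added example that is not code from the prix-fixe repository: keep the Rails test-environment default (forgery protection off, which is what `config.action_controller.allow_forgery_protection = false` in the generated `config/environments/test.rb` sets) for controller tests, and switch protection on only around system tests with a setup hook paired with a teardown hook. The Rails setting behind that is `ActionController::Base.allow_forgery_protection`; so that the file runs without Rails, a small `ForgeryProtection` module stands in for it, and `issue_token`, `handle_create`, `secure_compare` and the three `*_test_*` functions are hypothetical names modelling a form helper, a `create` action and the two kinds of test.

```ruby
# Added example (not from the prix-fixe repository): a dependency-free model of
# toggling CSRF protection on for system tests only. In a real Rails app the flag
# is ActionController::Base.allow_forgery_protection (false by default in the
# test environment); ForgeryProtection below is a hypothetical stand-in for it.
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

module ForgeryProtection
  # Mirrors the Rails test-environment default: protection off.
  @allow = false

  class << self
    attr_accessor :allow

    # Save the current setting, apply the requested one for the block, and
    # restore it afterwards: the same shape as a setup hook paired with a
    # teardown hook, with `ensure` guaranteeing the restore even if a test raises.
    def with(enabled)
      previous = @allow
      @allow = enabled
      yield
    ensure
      @allow = previous
    end
  end
end

# Issue a per-session token, as the form helper would embed in a hidden field.
def issue_token(session)
  session[:csrf_token] ||= SecureRandom.hex(16)
end

# Constant-time comparison so a mismatch does not leak token bytes via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Handle a POST the way a verify_authenticity_token before_action would: raise
# when protection is on and the submitted token does not match the session's.
def handle_create(session, params, notes)
  if ForgeryProtection.allow
    expected = session[:csrf_token]
    submitted = params[:authenticity_token]
    unless expected && submitted && secure_compare(expected, submitted)
      raise InvalidAuthenticityToken
    end
  end
  notes << params[:body]
  notes
end

# Controller-test style: Rails test default in force, so no token is required
# and the request is judged purely on what it persists.
def controller_test_create
  handle_create({}, { body: "Hello, World" }, [])
end

# System-test style: protection toggled on around the request, so a POST that
# carries no token is rejected exactly as it would be for a real browser user.
def system_test_without_token
  ForgeryProtection.with(true) do
    handle_create({}, { body: "Hello, World" }, [])
  end
  :accepted
rescue InvalidAuthenticityToken
  :rejected
end

# System-test style with the token a rendered <form> would submit: accepted.
def system_test_with_token
  ForgeryProtection.with(true) do
    session = {}
    token = issue_token(session)
    handle_create(session, { body: "Hello, World", authenticity_token: token }, [])
  end
end
```

After each `ForgeryProtection.with(true)` block the flag is back to `false`, which is the property the teardown hook in `ApplicationSystemTestCase` has to guarantee: if a system test left protection on, every controller test that ran afterwards in the same process would fail with `InvalidAuthenticityToken` again.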