Disable CSRF-protection when in test environment
This commit addresses the previous error:
Error:
NotesControllerTest#test_#create_persists_a_Note_record:
DRb::DRbRemoteError: ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken)
test/controllers/notes_controller_test.rb|7| in `block in <class:NotesControllerTest>'
This error message is related to the fact that our controller tests are making POST requests to our server without a valid Cross-Site Request Forgery Protection authenticity token. In a previous commit, we modified the Rails test environment default value so that our system tests would require a valid token.
That change was made so that our tests could be strict about the contents of our page’s <form> elements. Since our system tests exercise our system in a way that is most similar to our end-users, being strict about security measures is important.
On the other hand, our controller tests interact with our application strictly through HTTP requests, one layer of abstraction removed from a web browser. With this in mind, returning to the Rails-provided defaults feels like an appropriate trade-off between security and test-code clarity and simplicity.
To account for that, this commit also adds setup and teardown hooks to our ApplicationSystemTestCase to toggle CSRF-protection on for system tests.
With those configuration changes in place, our system tests are still passing, and our controller tests are raising more actionable error messages:
Failure:
NotesControllerTest#test_#create_persists_a_Note_record [test/controllers/notes_controller_test.rb:10]:
Expected: []
Actual: ["Hello, World"]
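
The setup/teardown toggle described in this commit message, as an added example that is not the commit's own code. The module name ForgeryProtectionToggle, the SystemTestStandIn runner and the ActionController::Base stand-in (defined only when Rails is not loaded) are assumptions made so the snippet runs by itself.

```ruby
# Stand-in for Rails' ActionController::Base so this file runs without Rails.
# In a real app Rails defines this class-level setting, and the generated
# config/environments/test.rb sets it to false.
unless defined?(ActionController::Base)
  module ActionController
    class Base
      class << self
        attr_accessor :allow_forgery_protection
      end
      self.allow_forgery_protection = false # Rails test-environment default
    end
  end
end

# Hypothetical module name; meant to be included in ApplicationSystemTestCase
# only, so controller tests keep the default (token verification off).
module ForgeryProtectionToggle
  # Runs before each test: remember the current value, then require a valid
  # authenticity token for browser-driven tests.
  def setup
    super if defined?(super)
    @original_allow_forgery_protection = ActionController::Base.allow_forgery_protection
    ActionController::Base.allow_forgery_protection = true
  end

  # Runs after each test, including failed ones: restore the saved value so
  # the global setting does not leak into other tests in the same process.
  def teardown
    ActionController::Base.allow_forgery_protection = @original_allow_forgery_protection
    super if defined?(super)
  end
end

# Minimal runner (constructed for this example) that mimics the
# setup -> test body -> teardown order a test framework uses.
class SystemTestStandIn
  include ForgeryProtectionToggle

  def run
    setup
    yield
  ensure
    teardown
  end
end

# Returns the flag as seen inside a system test and again after teardown.
def flag_during_and_after_system_test
  during = nil
  SystemTestStandIn.new.run { during = ActionController::Base.allow_forgery_protection }
  [during, ActionController::Base.allow_forgery_protection]
end
```

Saving and restoring the previous value, rather than hard-coding false in teardown, keeps the hooks correct even if the environment default is changed later.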