Chapter 9 exercises

app/controllers/users_controller.rb

@@ -12,10 +12,16 @@ def show
 	end
 
   def new
+    if signed_in?
+      redirect_to root_url
+    end
   	@user = User.new
   end
 
   def create
+    if signed_in?
+      redirect_to root_url
+    end
   	@user = User.new(user_params)
   	if @user.save
       sign_in @user
@@ -39,14 +45,18 @@ def update
   end
 
   def destroy
-    User.find(params[:id]).destroy
-    flash[:success] = "User deleted."
-    redirect_to users_url
+    user = User.find(params[:id])
+    if user != current_user
+      user.destroy
+      flash[:success] = "User deleted."
+      redirect_to users_url
+    end
   end
 
   private
     def user_params
-      params.require(:user).permit(:name, :email, :password, :password_confirmation)
+      params.require(:user).permit(:name, :email, :password, 
+                                   :password_confirmation)
     end  
 
     # Before filters

app/views/users/_fields.html.erb

@@ -0,0 +1,13 @@
+<%= render 'shared/error_messages' %>
+
+<%= f.label :name %>
+<%= f.text_field :name %>
+
+<%= f.label :email %>
+<%= f.text_field :email %>
+
+<%= f.label :password %>
+<%= f.password_field :password %>
+
+<%= f.label :password_confirmation, "Confirm Password" %>
+<%= f.password_field :password_confirmation %>

app/views/users/edit.html.erb

@@ -4,24 +4,11 @@
 <div class="row">
 	<div class="span6 offset3">
 		<%= form_for(@user) do |f| %>
-			<%= render 'shared/error_messages' %>
-
-			<%= f.label :name %>
-			<%= f.text_field :name %>
-
-			<%= f.label :email %>
-			<%= f.text_field :email %>
-
-			<%= f.label :password %>
-			<%= f.password_field :password %>
-
-			<%= f.label :password_confirmation, "Confirm Password" %>
-			<%= f.password_field :password_confirmation %>
-
+			<%= render 'fields', f: f %>
 			<%= f.submit "Save changes", class: "btn btn-large btn-primary" %>
 		<% end %>
 
 		<%= gravatar_for @user %>
-		<a href="http://gravatar.com/emails">change</a>
+		<a href="http://gravatar.com/emails" target="_blank">change</a>
 	</div>
 </div>

app/views/users/new.html.erb

@@ -4,20 +4,7 @@
 <div class="row">
 	<div class="span6 offset3">
 		<%= form_for(@user) do |f| %>
-			<%= render 'shared/error_messages' %>
-
-			<%= f.label :name %>
-			<%= f.text_field :name %>
-
-			<%= f.label :email %>
-			<%= f.text_field :email %>
-
-			<%= f.label :password %>
-			<%= f.password_field :password %>
-
-			<%= f.label :password_confirmation, "Confirmation" %>
-			<%= f.password_field :password_confirmation %>
-
+			<%= render 'fields', f: f %>
 			<%= f.submit "Create my account", class: "btn btn-large btn-primary" %>
 		<% end %>
 	</div>

spec/requests/authentication_pages_spec.rb

@@ -41,6 +41,9 @@
 			describe "followed by signout" do
 				before { click_link "Sign out" }
 				it { should have_link('Sign in') }
+				it { should_not have_link('Users', href: users_path) }
+				it { should_not have_link('Profile', href: user_path(user)) }
+				it { should_not have_link('Settings', href: edit_user_path(user)) }
 			end
 		end
 	end
@@ -53,9 +56,7 @@
 			describe "when attempting to visit a protected page" do
 				before do
 					visit edit_user_path(user)
-					fill_in "Email", with: user.email
-					fill_in "Password", with: user.password
-					click_button "Sign in"
+					sign_in(user)
 				end
 
 				describe "after signing in" do
@@ -80,6 +81,31 @@
 				before { visit users_path }
 				it { should have_title('Sign in') }
 			end
+
+			describe "when attempting to visit a protected page" do
+				before do
+					visit edit_user_path(user)
+					sign_in user
+				end
+
+				describe "after signing in" do
+
+					it "should render the desired protected page" do
+						expect(page).to have_title('Edit user')
+					end
+
+					describe "when signing in again" do
+						before do
+							click_link "Sign out"
+							sign_in user
+						end
+
+						it "should render the default (profile) page" do
+							expect(page).to have_title(user.name)
+						end
+					end
+				end
+			end
 		end
 
 		describe "as wrong user" do

spec/requests/user_pages_spec.rb

@@ -52,97 +52,108 @@
     end
   end
 
-  	describe "signup page" do
-  		before { visit signup_path }
-
-  		it { should have_content('Sign up') }
-  		it { should have_title(full_title('Sign up')) }
-    end
+  describe "signup page" do
+  	before { visit signup_path }
+  	
+    it { should have_content('Sign up') }
+  	it { should have_title(full_title('Sign up')) }
+  end
 
-    describe "signup" do
-      before {visit signup_path }
+  describe "signup" do
+    before {visit signup_path }
 
-      let(:submit) { "Create my account" }
+    let(:submit) { "Create my account" }
 
-      describe "with invalid information" do
-        it "should not create a user" do
-          expect { click_button submit }.not_to change(User, :count)
-        end
+    describe "with invalid information" do
+      it "should not create a user" do
+        expect { click_button submit }.not_to change(User, :count)
+      end
 
-        describe "after submission" do
-          before { click_button submit }
+      describe "after submission" do
+        before { click_button submit }
 
-          it { should have_title('Sign up') }
-          it { should have_content('error') }
-        end
+        it { should have_title('Sign up') }
+        it { should have_content('error') }
       end
+    end
 
-      describe "with valid information" do
-        before do
-          fill_in "Name", with: "Example User"
-          fill_in "Email", with: "user@example.com"
-          fill_in "Password", with: "foobar"
-          fill_in "Confirmation", with: "foobar"
-        end
+    describe "with valid information" do
+      before do
+        fill_in "Name", with: "Example User"
+        fill_in "Email", with: "user@example.com"
+        fill_in "Password", with: "foobar"
+        fill_in "Confirm Password", with: "foobar"
+      end
 
-        describe "after saving the user" do
-          before { click_button submit }
-          let(:user) { User.find_by(email: 'user@example.com') }
+      describe "after saving the user" do
+        before { click_button submit }
+        let(:user) { User.find_by(email: 'user@example.com') }
 
-          it { should have_link('Sign out', href: signout_path) }
-          it { should have_title(user.name) }
-          it {should have_selector('div.alert.alert-success', text: 'Welcome')}
-        end
+        it { should have_link('Sign out', href: signout_path) }
+        it { should have_title(user.name) }
+        it {should have_selector('div.alert.alert-success', text: 'Welcome')}
+      end
 
-        it "should create a user" do
-          expect { click_button submit }.to change(User, :count)
-        end
+      it "should create a user" do
+        expect { click_button submit }.to change(User, :count)
       end
     end
+  end
 
-    describe "profile page" do
-    	let(:user) { FactoryGirl.create(:user) }
-    	before { visit user_path(user) }
+  describe "profile page" do
+   	let(:user) { FactoryGirl.create(:user) }
+   	before { visit user_path(user) }
+
+   	it { should have_content(user.name) }
+   	it {should have_title(user.name) }
+  end
 
-    	it { should have_content(user.name) }
-    	it {should have_title(user.name) }
+  describe "edit" do 
+    let(:user) { FactoryGirl.create(:user) }
+    before do
+      sign_in user
+      visit edit_user_path(user)
     end
 
-    describe "edit" do 
-      let(:user) { FactoryGirl.create(:user) }
-      before do
-        sign_in user
-        visit edit_user_path(user)
-      end
+    describe "page" do
+      it { should have_content("Update your profile") }
+      it { should have_title("Edit user") }
+      it { should have_link('change', href: 'http://gravatar.com/emails') }
+    end
 
-      describe "page" do
-        it { should have_content("Update your profile") }
-        it { should have_title("Edit user") }
-        it { should have_link('change', href: 'http://gravatar.com/emails') }
-      end
+    describe "with invalid information" do
+      before { click_button "Save changes" }
 
-      describe "with invalid information" do
-        before { click_button "Save changes" }
+      it { should have_content('error') }
+    end
 
-        it { should have_content('error') }
+    describe "with valid information" do
+      let(:new_name) { "New Name" }
+      let(:new_email) { "new@example.com" }
+      before do
+        fill_in "Name", with: new_name
+        fill_in "Email", with: new_email
+        fill_in "Password", with: user.password
+        fill_in "Confirm Password", with: user.password
+        click_button "Save changes"
       end
 
-      describe "with valid information" do
-        let(:new_name) { "New Name" }
-        let(:new_email) { "new@example.com" }
-        before do
-          fill_in "Name", with: new_name
-          fill_in "Email", with: new_email
-          fill_in "Password", with: user.password
-          fill_in "Confirm Password", with: user.password
-          click_button "Save changes"
-        end
-
-        it { should have_title(new_name) }
-        it { should have_selector('div.alert.alert-success') }
-        it { should have_link('Sign out', href: signout_path) }
-        specify { expect(user.reload.name).to eq new_name }
-        specify { expect(user.reload.email).to eq new_email }
-      end   
+      it { should have_title(new_name) }
+      it { should have_selector('div.alert.alert-success') }
+      it { should have_link('Sign out', href: signout_path) }
+      specify { expect(user.reload.name).to eq new_name }
+      specify { expect(user.reload.email).to eq new_email }
     end
+    describe "forbidden attributes" do
+      let(:params) do
+        { user: { admin:true, password: user.password, 
+                  password_confirmation: user.password } }
+      end
+      before do
+        sign_in user, no_capybara: true
+        patch user_path(user), params
+      end
+      specify { expect(user.reload).not_to be_admin }
+    end 
+  end
 end