diff options
author | Pratik Naik <pratiknaik@gmail.com> | 2008-07-28 12:26:59 +0100 |
---|---|---|
committer | Pratik Naik <pratiknaik@gmail.com> | 2008-07-28 12:33:24 +0100 |
commit | 6e754551254a8cc64e034163f5d0dc155b450388 (patch) | |
tree | e697e85d8699654f04a790e5dc323c7007e87e31 /railties | |
parent | 10d9fe4bf3110c1d5de0c6b509fe0cbb9d5eda1d (diff) | |
download | rails-6e754551254a8cc64e034163f5d0dc155b450388.tar.gz rails-6e754551254a8cc64e034163f5d0dc155b450388.tar.bz2 rails-6e754551254a8cc64e034163f5d0dc155b450388.zip |
Merge docrails changes
Diffstat (limited to 'railties')
42 files changed, 2647 insertions, 0 deletions
diff --git a/railties/Rakefile b/railties/Rakefile index f64b60b0dd..174c85b59a 100644 --- a/railties/Rakefile +++ b/railties/Rakefile @@ -272,6 +272,21 @@ Rake::RDocTask.new { |rdoc| rdoc.rdoc_files.include('lib/commands/**/*.rb') } +guides = ['securing_rails_applications', 'testing_rails_applications', 'creating_plugins'] +guides_html_files = [] +guides.each do |guide_name| + input = "doc/guides/#{guide_name}/#{guide_name}.txt" + output = "doc/guides/#{guide_name}/#{guide_name}.html" + guides_html_files << output + file output => Dir["doc/guides/#{guide_name}/*.txt"] do + sh "mizuho", input, "--template", "manualsonrails", "--multi-page", + "--icons-dir", "../icons" + end +end + +desc "Generate HTML output for the guides" +task :generate_guides => guides_html_files + # Generate GEM ---------------------------------------------------------------------------- task :copy_gem_environment do diff --git a/railties/doc/guides/creating_plugins/acts_as_yaffle.txt b/railties/doc/guides/creating_plugins/acts_as_yaffle.txt new file mode 100644 index 0000000000..12d40deb18 --- /dev/null +++ b/railties/doc/guides/creating_plugins/acts_as_yaffle.txt @@ -0,0 +1,193 @@ +== Add an `acts_as_yaffle` method to ActiveRecord == + +A common pattern in plugins is to add a method called `acts_as_something` to models. In this case, you want to write a method called `acts_as_yaffle` that adds a `squawk` method to your models. + +To keep things clean, create a new test file called 'acts_as_yaffle_test.rb' in your plugin's test directory and require your test helper. + +[source, ruby] +------------------------------------------------------ +# File: vendor/plugins/yaffle/test/acts_as_yaffle_test.rb + +require File.dirname(__FILE__) + '/test_helper.rb' + +class Hickwall < ActiveRecord::Base + acts_as_yaffle +end + +class ActsAsYaffleTest < Test::Unit::TestCase +end +------------------------------------------------------ + +[source, ruby] +------------------------------------------------------ +# File: vendor/plugins/lib/acts_as_yaffle.rb + +module Yaffle +end +------------------------------------------------------ + +One of the most common plugin patterns for `acts_as_yaffle` plugins is to structure your file like so: + +[source, ruby] +------------------------------------------------------ +module Yaffle + def self.included(base) + base.send :extend, ClassMethods + end + + module ClassMethods + # any method placed here will apply to classes, like Hickwall + def acts_as_something + send :include, InstanceMethods + end + end + + module InstanceMethods + # any method placed here will apply to instaces, like @hickwall + end +end +------------------------------------------------------ + +With structure you can easily separate the methods that will be used for the class (like `Hickwall.some_method`) and the instance (like `@hickwell.some_method`). + +Let's add class method named `acts_as_yaffle` - testing it out first. You already defined the ActiveRecord models in your test helper, so if you run tests now they will fail. + +Back in your `acts_as_yaffle` file, update ClassMethods like so: + +[source, ruby] +------------------------------------------------------ +module ClassMethods + def acts_as_yaffle(options = {}) + send :include, InstanceMethods + end +end +------------------------------------------------------ + +Now that test should pass. Since your plugin is going to work with field names, you need to allow people to define the field names, in case there is a naming conflict. You can write a few simple tests for this: + +[source, ruby] +------------------------------------------------------ +# File: vendor/plugins/yaffle/test/acts_as_yaffle_test.rb + +require File.dirname(__FILE__) + '/test_helper.rb' + +class ActsAsYaffleTest < Test::Unit::TestCase + def test_a_hickwalls_yaffle_text_field_should_be_last_squawk + assert_equal "last_squawk", Hickwall.yaffle_text_field + end + + def test_a_hickwalls_yaffle_date_field_should_be_last_squawked_at + assert_equal "last_squawked_at", Hickwall.yaffle_date_field + end + + def test_a_wickwalls_yaffle_text_field_should_be_last_tweet + assert_equal "last_tweet", Wickwall.yaffle_text_field + end + + def test_a_wickwalls_yaffle_date_field_should_be_last_tweeted_at + assert_equal "last_tweeted_at", Wickwall.yaffle_date_field + end +end +------------------------------------------------------ + +To make these tests pass, you could modify your `acts_as_yaffle` file like so: + +[source, ruby] +------------------------------------------------------ +# File: vendor/plugins/yaffle/lib/acts_as_yaffle.rb + +module Yaffle + def self.included(base) + base.send :extend, ClassMethods + end + + module ClassMethods + def acts_as_yaffle(options = {}) + cattr_accessor :yaffle_text_field, :yaffle_date_field + self.yaffle_text_field = (options[:yaffle_text_field] || :last_squawk).to_s + self.yaffle_date_field = (options[:yaffle_date_field] || :last_squawked_at).to_s + send :include, InstanceMethods + end + end + + module InstanceMethods + end +end +------------------------------------------------------ + +Now you can add tests for the instance methods, and the instance method itself: + +[source, ruby] +------------------------------------------------------ +# File: vendor/plugins/yaffle/test/acts_as_yaffle_test.rb + +require File.dirname(__FILE__) + '/test_helper.rb' + +class ActsAsYaffleTest < Test::Unit::TestCase + + def test_a_hickwalls_yaffle_text_field_should_be_last_squawk + assert_equal "last_squawk", Hickwall.yaffle_text_field + end + def test_a_hickwalls_yaffle_date_field_should_be_last_squawked_at + assert_equal "last_squawked_at", Hickwall.yaffle_date_field + end + + def test_a_wickwalls_yaffle_text_field_should_be_last_squawk + assert_equal "last_tweet", Wickwall.yaffle_text_field + end + def test_a_wickwalls_yaffle_date_field_should_be_last_squawked_at + assert_equal "last_tweeted_at", Wickwall.yaffle_date_field + end + + def test_hickwalls_squawk_should_populate_last_squawk + hickwall = Hickwall.new + hickwall.squawk("Hello World") + assert_equal "squawk! Hello World", hickwall.last_squawk + end + def test_hickwalls_squawk_should_populate_last_squawked_at + hickwall = Hickwall.new + hickwall.squawk("Hello World") + assert_equal Date.today, hickwall.last_squawked_at + end + + def test_wickwalls_squawk_should_populate_last_tweet + wickwall = Wickwall.new + wickwall.squawk("Hello World") + assert_equal "squawk! Hello World", wickwall.last_tweet + end + def test_wickwalls_squawk_should_populate_last_tweeted_at + wickwall = Wickwall.new + wickwall.squawk("Hello World") + assert_equal Date.today, wickwall.last_tweeted_at + end +end +------------------------------------------------------ + +[source, ruby] +------------------------------------------------------ +# File: vendor/plugins/yaffle/lib/acts_as_yaffle.rb + +module Yaffle + def self.included(base) + base.send :extend, ClassMethods + end + + module ClassMethods + def acts_as_yaffle(options = {}) + cattr_accessor :yaffle_text_field, :yaffle_date_field + self.yaffle_text_field = (options[:yaffle_text_field] || :last_squawk).to_s + self.yaffle_date_field = (options[:yaffle_date_field] || :last_squawked_at).to_s + send :include, InstanceMethods + end + end + + module InstanceMethods + def squawk(string) + write_attribute(self.class.yaffle_text_field, string.to_squawk) + write_attribute(self.class.yaffle_date_field, Date.today) + end + end +end +------------------------------------------------------ + +Note the use of `write_attribute` to write to the field in model. diff --git a/railties/doc/guides/creating_plugins/appendix.txt b/railties/doc/guides/creating_plugins/appendix.txt new file mode 100644 index 0000000000..a78890ccd5 --- /dev/null +++ b/railties/doc/guides/creating_plugins/appendix.txt @@ -0,0 +1,46 @@ +== Appendix == + +=== References === + + * http://nubyonrails.com/articles/the-complete-guide-to-rails-plugins-part-i + * http://nubyonrails.com/articles/2006/05/09/the-complete-guide-to-rails-plugins-part-ii + * http://github.com/technoweenie/attachment_fu/tree/master + * http://daddy.platte.name/2007/05/rails-plugins-keep-initrb-thin.html + +=== Final plugin directory structure === + +The final plugin should have a directory structure that looks something like this: + +------------------------------------------------ + |-- MIT-LICENSE + |-- README + |-- Rakefile + |-- generators + | `-- yaffle + | |-- USAGE + | |-- templates + | | `-- definition.txt + | `-- yaffle_generator.rb + |-- init.rb + |-- install.rb + |-- lib + | |-- acts_as_yaffle.rb + | |-- commands.rb + | |-- core_ext.rb + | |-- routing.rb + | `-- view_helpers.rb + |-- tasks + | `-- yaffle_tasks.rake + |-- test + | |-- acts_as_yaffle_test.rb + | |-- core_ext_test.rb + | |-- database.yml + | |-- debug.log + | |-- routing_test.rb + | |-- schema.rb + | |-- test_helper.rb + | `-- view_helpers_test.rb + |-- uninstall.rb + `-- yaffle_plugin.sqlite3.db +------------------------------------------------ + diff --git a/railties/doc/guides/creating_plugins/creating_plugins.txt b/railties/doc/guides/creating_plugins/creating_plugins.txt new file mode 100644 index 0000000000..f2ed6ed8bb --- /dev/null +++ b/railties/doc/guides/creating_plugins/creating_plugins.txt @@ -0,0 +1,84 @@ +The Basics of Creating Rails Plugins +==================================== + +Pretend for a moment that you are an avid bird watcher. Your favorite bird is the Yaffle, and you want to create a plugin that allows other developers to share in the Yaffle goodness. + +In this tutorial you will learn how to create a plugin that includes: + + * Core Extensions - extending String with a `to_squawk` method: ++ +[source, ruby] +------------------------------------------- +# Anywhere +"hello!".to_squawk # => "squawk! hello!" +------------------------------------------- + +* An `acts_as_yaffle` method for ActiveRecord models that adds a `squawk` method: ++ +[source, ruby] +------------------------------------------- +class Hickwall < ActiveRecord::Base + acts_as_yaffle :yaffle_text_field => :last_sang_at +end + +Hickwall.new.squawk("Hello World") +------------------------------------------- + +* A view helper that will print out squawking info: ++ +[source, ruby] +------------------------------------------- +squawk_info_for(@hickwall) +------------------------------------------- + +* A generator that creates a migration to add squawk columns to a model: ++ +------------------------------------------- +script/generate yaffle hickwall +------------------------------------------- + +* A custom generator command: ++ +[source, ruby] +------------------------------------------- +class YaffleGenerator < Rails::Generator::NamedBase + def manifest + m.yaffle_definition + end +end +------------------------------------------- + +* A custom route method: ++ +[source, ruby] +------------------------------------------- +ActionController::Routing::Routes.draw do |map| + map.yaffles +end +------------------------------------------- + +In addition you'll learn how to: + + * test your plugins. + * work with 'init.rb', how to store model, views, controllers, helpers and even other plugins in your plugins. + * create documentation for your plugin. + * write custom Rake tasks in your plugin. + + +include::preparation.txt[] + +include::string_to_squawk.txt[] + +include::acts_as_yaffle.txt[] + +include::view_helper.txt[] + +include::migration_generator.txt[] + +include::custom_generator.txt[] + +include::custom_route.txt[] + +include::odds_and_ends.txt[] + +include::appendix.txt[] diff --git a/railties/doc/guides/creating_plugins/custom_generator.txt b/railties/doc/guides/creating_plugins/custom_generator.txt new file mode 100644 index 0000000000..6d9613ea01 --- /dev/null +++ b/railties/doc/guides/creating_plugins/custom_generator.txt @@ -0,0 +1,69 @@ +== Add a custom generator command == + +You may have noticed above that you can used one of the built-in rails migration commands `m.migration_template`. You can create your own commands for these, using the following steps: + + 1. Add the require and hook statements to init.rb. + 2. Create the commands - creating 3 sets, Create, Destroy, List. + 3. Add the method to your generator. + +Working with the internals of generators is beyond the scope of this tutorial, but here is a basic example: + +[source, ruby] +----------------------------------------------------------- +# File: vendor/plugins/yaffle/init.rb +require "commands" +Rails::Generator::Commands::Create.send :include, Yaffle::Generator::Commands::Create +Rails::Generator::Commands::Destroy.send :include, Yaffle::Generator::Commands::Destroy +Rails::Generator::Commands::List.send :include, Yaffle::Generator::Commands::List +----------------------------------------------------------- + +[source, ruby] +----------------------------------------------------------- +# File: vendor/plugins/yaffle/lib/commands.rb + +require 'rails_generator' +require 'rails_generator/commands' + +module Yaffle #:nodoc: + module Generator #:nodoc: + module Commands #:nodoc: + module Create + def yaffle_definition + file("definition.txt", "definition.txt") + end + end + + module Destroy + def yaffle_definition + file("definition.txt", "definition.txt") + end + end + + module List + def yaffle_definition + file("definition.txt", "definition.txt") + end + end + end + end +end +----------------------------------------------------------- + +----------------------------------------------------------- +# File: vendor/plugins/yaffle/generators/yaffle/templates/definition.txt + +Yaffle is a bird +----------------------------------------------------------- + +[source, ruby] +----------------------------------------------------------- +# File: vendor/plugins/yaffle/generators/yaffle/yaffle_generator.rb + +class YaffleGenerator < Rails::Generator::NamedBase + def manifest + m.yaffle_definition + end +end +----------------------------------------------------------- + +This example just uses the built-in "file" method, but you could do anything that Ruby allows. diff --git a/railties/doc/guides/creating_plugins/custom_route.txt b/railties/doc/guides/creating_plugins/custom_route.txt new file mode 100644 index 0000000000..7e399247ee --- /dev/null +++ b/railties/doc/guides/creating_plugins/custom_route.txt @@ -0,0 +1,69 @@ +== Add a Custom Route == + +Testing routes in plugins can be complex, especially if the controllers are also in the plugin itself. Jamis Buck showed a great example of this in http://weblog.jamisbuck.org/2006/10/26/monkey-patching-rails-extending-routes-2. + +[source, ruby] +-------------------------------------------------------- +# File: vendor/plugins/yaffle/test/routing_test.rb + +require "#{File.dirname(__FILE__)}/test_helper" + +class RoutingTest < Test::Unit::TestCase + + def setup + ActionController::Routing::Routes.draw do |map| + map.yaffles + end + end + + def test_yaffles_route + assert_recognition :get, "/yaffles", :controller => "yaffles_controller", :action => "index" + end + + private + + # yes, I know about assert_recognizes, but it has proven problematic to + # use in these tests, since it uses RouteSet#recognize (which actually + # tries to instantiate the controller) and because it uses an awkward + # parameter order. + def assert_recognition(method, path, options) + result = ActionController::Routing::Routes.recognize_path(path, :method => method) + assert_equal options, result + end +end +-------------------------------------------------------- + +[source, ruby] +-------------------------------------------------------- +# File: vendor/plugins/yaffle/init.rb + +require "routing" +ActionController::Routing::RouteSet::Mapper.send :include, Yaffle::Routing::MapperExtensions +-------------------------------------------------------- + +[source, ruby] +-------------------------------------------------------- +# File: vendor/plugins/yaffle/lib/routing.rb + +module Yaffle #:nodoc: + module Routing #:nodoc: + module MapperExtensions + def yaffles + @set.add_route("/yaffles", {:controller => "yaffles_controller", :action => "index"}) + end + end + end +end +-------------------------------------------------------- + +[source, ruby] +-------------------------------------------------------- +# File: config/routes.rb + +ActionController::Routing::Routes.draw do |map| + ... + map.yaffles +end +-------------------------------------------------------- + +You can also see if your routes work by running `rake routes` from your app directory. diff --git a/railties/doc/guides/creating_plugins/migration_generator.txt b/railties/doc/guides/creating_plugins/migration_generator.txt new file mode 100644 index 0000000000..598a0c8437 --- /dev/null +++ b/railties/doc/guides/creating_plugins/migration_generator.txt @@ -0,0 +1,89 @@ +== Create a migration generator == + +When you created the plugin above, you specified the --with-generator option, so you already have the generator stubs in your plugin. + +We'll be relying on the built-in rails generate template for this tutorial. Going into the details of generators is beyond the scope of this tutorial. + +Type: + + script/generate + +You should see the line: + + Plugins (vendor/plugins): yaffle + +When you run `script/generate yaffle` you should see the contents of your USAGE file. For this plugin, the USAGE file looks like this: + +------------------------------------------------------------------ +Description: + Creates a migration that adds yaffle squawk fields to the given model + +Example: + ./script/generate yaffle hickwall + + This will create: + db/migrate/TIMESTAMP_add_yaffle_fields_to_hickwall +------------------------------------------------------------------ + +Now you can add code to your generator: + +[source, ruby] +------------------------------------------------------------------ +# File: vendor/plugins/yaffle/generators/yaffle/yaffle_generator.rb + +class YaffleGenerator < Rails::Generator::NamedBase + def manifest + record do |m| + m.migration_template 'migration:migration.rb', "db/migrate", {:assigns => yaffle_local_assigns, + :migration_file_name => "add_yaffle_fields_to_#{custom_file_name}" + } + end + end + + private + def custom_file_name + custom_name = class_name.underscore.downcase + custom_name = custom_name.pluralize if ActiveRecord::Base.pluralize_table_names + end + + def yaffle_local_assigns + returning(assigns = {}) do + assigns[:migration_action] = "add" + assigns[:class_name] = "add_yaffle_fields_to_#{custom_file_name}" + assigns[:table_name] = custom_file_name + assigns[:attributes] = [Rails::Generator::GeneratedAttribute.new("last_squawk", "string")] + assigns[:attributes] << Rails::Generator::GeneratedAttribute.new("last_squawked_at", "datetime") + end + end +end +------------------------------------------------------------------ + +Note that you need to be aware of whether or not table names are pluralized. + +This does a few things: + + * Reuses the built in rails `migration_template` method. + * Reuses the built-in rails migration template. + +When you run the generator like + + script/generate yaffle bird + +You will see a new file: + +[source, ruby] +------------------------------------------------------------------ +# File: db/migrate/20080529225649_add_yaffle_fields_to_birds.rb + +class AddYaffleFieldsToBirds < ActiveRecord::Migration + def self.up + add_column :birds, :last_squawk, :string + add_column :birds, :last_squawked_at, :datetime + end + + def self.down + remove_column :birds, :last_squawked_at + remove_column :birds, :last_squawk + end +end +------------------------------------------------------------------ diff --git a/railties/doc/guides/creating_plugins/odds_and_ends.txt b/railties/doc/guides/creating_plugins/odds_and_ends.txt new file mode 100644 index 0000000000..eb127f73ca --- /dev/null +++ b/railties/doc/guides/creating_plugins/odds_and_ends.txt @@ -0,0 +1,122 @@ +== Odds and ends == + +=== Work with init.rb === + +The plugin initializer script 'init.rb' is invoked via `eval` (not `require`) so it has slightly different behavior. + +If you reopen any classes in init.rb itself your changes will potentially be made to the wrong module. There are 2 ways around this: + +The first way is to explicitly define the top-level module space for all modules and classes, like `::Hash`: + +[source, ruby] +--------------------------------------------------- +# File: vendor/plugins/yaffle/init.rb + +class ::Hash + def is_a_special_hash? + true + end +end +--------------------------------------------------- + +OR you can use `module_eval` or `class_eval`: + +--------------------------------------------------- +# File: vendor/plugins/yaffle/init.rb + +Hash.class_eval do + def is_a_special_hash? + true + end +end +--------------------------------------------------- + +=== Generate RDoc Documentation === + +Once your plugin is stable, the tests pass on all database and you are ready to deploy do everyone else a favor and document it! Luckily, writing documentation for your plugin is easy. + +The first step is to update the README file with detailed information about how to use your plugin. A few key things to include are: + + * Your name. + * How to install. + * How to add the functionality to the app (several examples of common use cases). + * Warning, gotchas or tips that might help save users time. + +Once your README is solid, go through and add rdoc comments to all of the methods that developers will use. + +Before you generate your documentation, be sure to go through and add nodoc comments to those modules and methods that are not important to your users. + +Once your comments are good to go, navigate to your plugin directory and run: + + rake rdoc + + +=== Store models, views, helpers, and controllers in your plugins === + +You can easily store models, views, helpers and controllers in plugins. Just create a folder for each in the lib folder, add them to the load path and remove them from the load once path: + +[source, ruby] +--------------------------------------------------------- +# File: vendor/plugins/yaffle/init.rb + +%w{ models controllers helpers }.each do |dir| + path = File.join(directory, 'lib', dir) + $LOAD_PATH << path + Dependencies.load_paths << path + Dependencies.load_once_paths.delete(path) +end +--------------------------------------------------------- + +Adding directories to the load path makes them appear just like files in the the main app directory - except that they are only loaded once, so you have to restart the web server to see the changes in the browser. + +Adding directories to the load once paths allow those changes to picked up as soon as you save the file - without having to restart the web server. + + +=== Write custom Rake tasks in your plugin === + +When you created the plugin with the built-in rails generator, it generated a rake file for you in 'vendor/plugins/yaffle/tasks/yaffle.rake'. Any rake task you add here will be available to the app. + +Many plugin authors put all of their rake tasks into a common namespace that is the same as the plugin, like so: + +[source, ruby] +--------------------------------------------------------- +# File: vendor/plugins/yaffle/tasks/yaffle.rake + +namespace :yaffle do + desc "Prints out the word 'Yaffle'" + task :squawk => :environment do + puts "squawk!" + end +end +--------------------------------------------------------- + +When you run `rake -T` from your plugin you will see: + +--------------------------------------------------------- +yaffle:squawk # Prints out the word 'Yaffle' +--------------------------------------------------------- + +You can add as many files as you want in the tasks directory, and if they end in .rake Rails will pick them up. + +=== Store plugins in alternate locations === + +You can store plugins wherever you want - you just have to add those plugins to the plugins path in 'environment.rb'. + +Since the plugin is only loaded after the plugin paths are defined, you can't redefine this in your plugins - but it may be good to now. + +You can even store plugins inside of other plugins for complete plugin madness! + +[source, ruby] +--------------------------------------------------------- +config.plugin_paths << File.join(RAILS_ROOT,"vendor","plugins","yaffle","lib","plugins") +--------------------------------------------------------- + +=== Create your own Plugin Loaders and Plugin Locators === + +If the built-in plugin behavior is inadequate, you can change almost every aspect of the location and loading process. You can write your own plugin locators and plugin loaders, but that's beyond the scope of this tutorial. + + +=== Use Custom Plugin Generators === + +If you are an RSpec fan, you can install the `rspec_plugin_generator` gem, which will generate the spec folder and database for you. See http://github.com/pat-maddox/rspec-plugin-generator/tree/master. + diff --git a/railties/doc/guides/creating_plugins/preparation.txt b/railties/doc/guides/creating_plugins/preparation.txt new file mode 100644 index 0000000000..77e3a3561f --- /dev/null +++ b/railties/doc/guides/creating_plugins/preparation.txt @@ -0,0 +1,169 @@ +== Preparation == + +=== Create the basic app === + +In this tutorial we will create a basic rails application with 1 resource: bird. Start out by building the basic rails app: + +------------------------------------------------ +rails plugin_demo +cd plugin_demo +script/generate scaffold bird name:string +rake db:migrate +script/server +------------------------------------------------ + +Then navigate to http://localhost:3000/birds. Make sure you have a functioning rails app before continuing. + +NOTE: The aforementioned instructions will work for sqlite3. For more detailed instructions on how to create a rails app for other databases see the API docs. + + +=== Create the plugin === + +The built-in Rails plugin generator stubs out a new plugin. Pass the plugin name, either 'CamelCased' or 'under_scored', as an argument. Pass `\--with-generator` to add an example generator also. + +This creates a plugin in 'vendor/plugins' including an 'init.rb' and 'README' as well as standard 'lib', 'task', and 'test' directories. + +Examples: +---------------------------------------------- +./script/generate plugin BrowserFilters +./script/generate plugin BrowserFilters --with-generator +---------------------------------------------- + +Later in the plugin we will create a generator, so go ahead and add the `\--with-generator` option now: + +---------------------------------------------- +script/generate plugin yaffle --with-generator +---------------------------------------------- + +You should see the following output: + +---------------------------------------------- +create vendor/plugins/yaffle/lib +create vendor/plugins/yaffle/tasks +create vendor/plugins/yaffle/test +create vendor/plugins/yaffle/README +create vendor/plugins/yaffle/MIT-LICENSE +create vendor/plugins/yaffle/Rakefile +create vendor/plugins/yaffle/init.rb +create vendor/plugins/yaffle/install.rb +create vendor/plugins/yaffle/uninstall.rb +create vendor/plugins/yaffle/lib/yaffle.rb +create vendor/plugins/yaffle/tasks/yaffle_tasks.rake +create vendor/plugins/yaffle/test/core_ext_test.rb +create vendor/plugins/yaffle/generators +create vendor/plugins/yaffle/generators/yaffle +create vendor/plugins/yaffle/generators/yaffle/templates +create vendor/plugins/yaffle/generators/yaffle/yaffle_generator.rb +create vendor/plugins/yaffle/generators/yaffle/USAGE +---------------------------------------------- + +For this plugin you won't need the file 'vendor/plugins/yaffle/lib/yaffle.rb' so you can delete that. + +---------------------------------------------- +rm vendor/plugins/yaffle/lib/yaffle.rb +---------------------------------------------- + +.Editor's note: +NOTE: Many plugin authors prefer to keep this file, and add all of the require statements in it. That way, they only line in init.rb would be `require "yaffle"`. If you are developing a plugin that has a lot of files in the lib directory, you may want to create a subdirectory like lib/yaffle and store your files in there. That way your init.rb file stays clean + + +=== Setup the plugin for testing === + +Testing plugins that use the entire Rails stack can be complex, and the generator doesn't offer any help. In this tutorial you will learn how to test your plugin against multiple different adapters using ActiveRecord. This tutorial will not cover how to use fixtures in plugin tests. + +To setup your plugin to allow for easy testing you'll need to add 3 files: + + * A 'database.yml' file with all of your connection strings. + * A 'schema.rb' file with your table definitions. + * A test helper that sets up the database before your tests. + +For this plugin you'll need 2 tables/models, Hickwalls and Wickwalls, so add the following files: + +*vendor/plugins/yaffle/test/database.yml:* + +---------------------------------------------- +sqlite: + :adapter: sqlite + :dbfile: yaffle_plugin.sqlite.db + +sqlite3: + :adapter: sqlite3 + :dbfile: yaffle_plugin.sqlite3.db + +postgresql: + :adapter: postgresql + :username: postgres + :password: postgres + :database: yaffle_plugin_test + :min_messages: ERROR + +mysql: + :adapter: mysql + :host: localhost + :username: rails + :password: + :database: yaffle_plugin_test +---------------------------------------------- + +*vendor/plugins/yaffle/test/test_helper.rb:* + +[source, ruby] +---------------------------------------------- +ActiveRecord::Schema.define(:version => 0) do + create_table :hickwalls, :force => true do |t| + t.string :name + t.string :last_squawk + t.datetime :last_squawked_at + end + create_table :wickwalls, :force => true do |t| + t.string :name + t.string :last_tweet + t.datetime :last_tweeted_at + end +end + +# File: vendor/plugins/yaffle/test/test_helper.rb + +ENV['RAILS_ENV'] = 'test' +ENV['RAILS_ROOT'] ||= File.dirname(__FILE__) + '/../../../..' + +require 'test/unit' +require File.expand_path(File.join(ENV['RAILS_ROOT'], 'config/environment.rb')) + +config = YAML::load(IO.read(File.dirname(__FILE__) + '/database.yml')) +ActiveRecord::Base.logger = Logger.new(File.dirname(__FILE__) + "/debug.log") + +db_adapter = ENV['DB'] + +# no db passed, try one of these fine config-free DBs before bombing. +db_adapter ||= + begin + require 'rubygems' + require 'sqlite' + 'sqlite' + rescue MissingSourceFile + begin + require 'sqlite3' + 'sqlite3' + rescue MissingSourceFile + end + end + +if db_adapter.nil? + raise "No DB Adapter selected. Pass the DB= option to pick one, or install Sqlite or Sqlite3." +end + +ActiveRecord::Base.establish_connection(config[db_adapter]) + +load(File.dirname(__FILE__) + "/schema.rb") + +require File.dirname(__FILE__) + '/../init.rb' + +class Hickwall < ActiveRecord::Base + acts_as_yaffle +end + +class Wickwall < ActiveRecord::Base + acts_as_yaffle :yaffle_text_field => :last_tweet, :yaffle_date_field => :last_tweeted_at +end +---------------------------------------------- diff --git a/railties/doc/guides/creating_plugins/string_to_squawk.txt b/railties/doc/guides/creating_plugins/string_to_squawk.txt new file mode 100644 index 0000000000..50516cef69 --- /dev/null +++ b/railties/doc/guides/creating_plugins/string_to_squawk.txt @@ -0,0 +1,103 @@ +== Add a `to_squawk` method to String == + +To update a core class you will have to: + + * Write tests for the desired functionality. + * Create a file for the code you wish to use. + * Require that file from your 'init.rb'. + +Most plugins store their code classes in the plugin's lib directory. When you add a file to the lib directory, you must also require that file from 'init.rb'. The file you are going to add for this tutorial is 'lib/core_ext.rb'. + +First, you need to write the tests. Testing plugins is very similar to testing rails apps. The generated test file should look something like this: + +[source, ruby] +-------------------------------------------------------- +# File: vendor/plugins/yaffle/test/core_ext_test.rb + +require 'test/unit' + +class CoreExtTest < Test::Unit::TestCase + # Replace this with your real tests. + def test_this_plugin + flunk + end +end +-------------------------------------------------------- + +Start off by removing the default test, and adding a require statement for your test helper. + +[source, ruby] +-------------------------------------------------------- +# File: vendor/plugins/yaffle/test/core_ext_test.rb + +require 'test/unit' +require File.dirname(__FILE__) + '/test_helper.rb' + +class CoreExtTest < Test::Unit::TestCase +end +-------------------------------------------------------- + +Navigate to your plugin directory and run `rake test`: + +-------------------------------------------------------- +cd vendor/plugins/yaffle +rake test +-------------------------------------------------------- + +Your test should fail with `no such file to load -- ./test/../lib/core_ext.rb (LoadError)` because we haven't created any file yet. Create the file 'lib/core_ext.rb' and re-run the tests. You should see a different error message: + +-------------------------------------------------------- +1.) Failure ... +No tests were specified +-------------------------------------------------------- + +Great - now you are ready to start development. The first thing we'll do is to add a method to String called `to_squawk` which will prefix the string with the word ``squawk!''. The test will look something like this: + +[source, ruby] +-------------------------------------------------------- +# File: vendor/plugins/yaffle/init.rb + +class CoreExtTest < Test::Unit::TestCase + def test_string_should_respond_to_squawk + assert_equal true, "".respond_to?(:to_squawk) + end + + def test_string_prepend_empty_strings_with_the_word_squawk + assert_equal "squawk!", "".to_squawk + end + + def test_string_prepend_non_empty_strings_with_the_word_squawk + assert_equal "squawk! Hello World", "Hello World".to_squawk + end +end +-------------------------------------------------------- + +[source, ruby] +-------------------------------------------------------- +# File: vendor/plugins/yaffle/init.rb + +require "core_ext" +-------------------------------------------------------- + +[source, ruby] +-------------------------------------------------------- +# File: vendor/plugins/yaffle/lib/core_ext.rb + +String.class_eval do + def to_squawk + "squawk! #{self}".strip + end +end +-------------------------------------------------------- + +When monkey-patching existing classes it's often better to use `class_eval` instead of opening the class directly. + +To test that your method does what it says it does, run the unit tests. To test this manually, fire up a console and start squawking: + +-------------------------------------------------------- +$ ./script/console +>> "Hello World".to_squawk +=> "squawk! Hello World" +-------------------------------------------------------- + +If that worked, congratulations! You just created your first test-driven plugin that extends a core ruby class. diff --git a/railties/doc/guides/creating_plugins/view_helper.txt b/railties/doc/guides/creating_plugins/view_helper.txt new file mode 100644 index 0000000000..b03a190e1a --- /dev/null +++ b/railties/doc/guides/creating_plugins/view_helper.txt @@ -0,0 +1,61 @@ +== Create a `squawk_info_for` view helper == + +Creating a view helper is a 3-step process: + + * Add an appropriately named file to the 'lib' directory. + * Require the file and hooks in 'init.rb'. + * Write the tests. + +First, create the test to define the functionality you want: + +[source, ruby] +--------------------------------------------------------------- +# File: vendor/plugins/yaffle/test/view_helpers_test.rb + +require File.dirname(__FILE__) + '/test_helper.rb' +include YaffleViewHelper + +class ViewHelpersTest < Test::Unit::TestCase + def test_squawk_info_for_should_return_the_text_and_date + time = Time.now + hickwall = Hickwall.new + hickwall.last_squawk = "Hello World" + hickwall.last_squawked_at = time + assert_equal "Hello World, #{time.to_s}", squawk_info_for(hickwall) + end +end +--------------------------------------------------------------- + +Then add the following statements to init.rb: + +[source, ruby] +--------------------------------------------------------------- +# File: vendor/plugins/yaffle/init.rb + +require "view_helpers" +ActionView::Base.send :include, YaffleViewHelper +--------------------------------------------------------------- + +Then add the view helpers file and + +[source, ruby] +--------------------------------------------------------------- +# File: vendor/plugins/yaffle/lib/view_helpers.rb + +module YaffleViewHelper + def squawk_info_for(yaffle) + returning "" do |result| + result << yaffle.read_attribute(yaffle.class.yaffle_text_field) + result << ", " + result << yaffle.read_attribute(yaffle.class.yaffle_date_field).to_s + end + end +end +--------------------------------------------------------------- + +You can also test this in script/console by using the `helper` method: + +--------------------------------------------------------------- +$ ./script/console +>> helper.squawk_info_for(@some_yaffle_instance) +--------------------------------------------------------------- diff --git a/railties/doc/guides/icons/README b/railties/doc/guides/icons/README new file mode 100644 index 0000000000..f12b2a730c --- /dev/null +++ b/railties/doc/guides/icons/README @@ -0,0 +1,5 @@ +Replaced the plain DocBook XSL admonition icons with Jimmac's DocBook +icons (http://jimmac.musichall.cz/ikony.php3). I dropped transparency +from the Jimmac icons to get round MS IE and FOP PNG incompatibilies. + +Stuart Rackham diff --git a/railties/doc/guides/icons/callouts/1.png b/railties/doc/guides/icons/callouts/1.png Binary files differnew file mode 100644 index 0000000000..7d473430b7 --- /dev/null +++ b/railties/doc/guides/icons/callouts/1.png diff --git a/railties/doc/guides/icons/callouts/10.png b/railties/doc/guides/icons/callouts/10.png Binary files differnew file mode 100644 index 0000000000..997bbc8246 --- /dev/null +++ b/railties/doc/guides/icons/callouts/10.png diff --git a/railties/doc/guides/icons/callouts/11.png b/railties/doc/guides/icons/callouts/11.png Binary files differnew file mode 100644 index 0000000000..ce47dac3f5 --- /dev/null +++ b/railties/doc/guides/icons/callouts/11.png diff --git a/railties/doc/guides/icons/callouts/12.png b/railties/doc/guides/icons/callouts/12.png Binary files differnew file mode 100644 index 0000000000..31daf4e2f2 --- /dev/null +++ b/railties/doc/guides/icons/callouts/12.png diff --git a/railties/doc/guides/icons/callouts/13.png b/railties/doc/guides/icons/callouts/13.png Binary files differnew file mode 100644 index 0000000000..14021a89c2 --- /dev/null +++ b/railties/doc/guides/icons/callouts/13.png diff --git a/railties/doc/guides/icons/callouts/14.png b/railties/doc/guides/icons/callouts/14.png Binary files differnew file mode 100644 index 0000000000..64014b75fe --- /dev/null +++ b/railties/doc/guides/icons/callouts/14.png diff --git a/railties/doc/guides/icons/callouts/15.png b/railties/doc/guides/icons/callouts/15.png Binary files differnew file mode 100644 index 0000000000..0d65765fcf --- /dev/null +++ b/railties/doc/guides/icons/callouts/15.png diff --git a/railties/doc/guides/icons/callouts/2.png b/railties/doc/guides/icons/callouts/2.png Binary files differnew file mode 100644 index 0000000000..5d09341b2f --- /dev/null +++ b/railties/doc/guides/icons/callouts/2.png diff --git a/railties/doc/guides/icons/callouts/3.png b/railties/doc/guides/icons/callouts/3.png Binary files differnew file mode 100644 index 0000000000..ef7b700471 --- /dev/null +++ b/railties/doc/guides/icons/callouts/3.png diff --git a/railties/doc/guides/icons/callouts/4.png b/railties/doc/guides/icons/callouts/4.png Binary files differnew file mode 100644 index 0000000000..adb8364eb5 --- /dev/null +++ b/railties/doc/guides/icons/callouts/4.png diff --git a/railties/doc/guides/icons/callouts/5.png b/railties/doc/guides/icons/callouts/5.png Binary files differnew file mode 100644 index 0000000000..4d7eb46002 --- /dev/null +++ b/railties/doc/guides/icons/callouts/5.png diff --git a/railties/doc/guides/icons/callouts/6.png b/railties/doc/guides/icons/callouts/6.png Binary files differnew file mode 100644 index 0000000000..0ba694af6c --- /dev/null +++ b/railties/doc/guides/icons/callouts/6.png diff --git a/railties/doc/guides/icons/callouts/7.png b/railties/doc/guides/icons/callouts/7.png Binary files differnew file mode 100644 index 0000000000..472e96f8ac --- /dev/null +++ b/railties/doc/guides/icons/callouts/7.png diff --git a/railties/doc/guides/icons/callouts/8.png b/railties/doc/guides/icons/callouts/8.png Binary files differnew file mode 100644 index 0000000000..5e60973c21 --- /dev/null +++ b/railties/doc/guides/icons/callouts/8.png diff --git a/railties/doc/guides/icons/callouts/9.png b/railties/doc/guides/icons/callouts/9.png Binary files differnew file mode 100644 index 0000000000..a0676d26cc --- /dev/null +++ b/railties/doc/guides/icons/callouts/9.png diff --git a/railties/doc/guides/icons/caution.png b/railties/doc/guides/icons/caution.png Binary files differnew file mode 100644 index 0000000000..cb9d5ea0df --- /dev/null +++ b/railties/doc/guides/icons/caution.png diff --git a/railties/doc/guides/icons/example.png b/railties/doc/guides/icons/example.png Binary files differnew file mode 100644 index 0000000000..bba1c0010d --- /dev/null +++ b/railties/doc/guides/icons/example.png diff --git a/railties/doc/guides/icons/home.png b/railties/doc/guides/icons/home.png Binary files differnew file mode 100644 index 0000000000..37a5231bac --- /dev/null +++ b/railties/doc/guides/icons/home.png diff --git a/railties/doc/guides/icons/important.png b/railties/doc/guides/icons/important.png Binary files differnew file mode 100644 index 0000000000..1096c23295 --- /dev/null +++ b/railties/doc/guides/icons/important.png diff --git a/railties/doc/guides/icons/next.png b/railties/doc/guides/icons/next.png Binary files differnew file mode 100644 index 0000000000..64e126bdda --- /dev/null +++ b/railties/doc/guides/icons/next.png diff --git a/railties/doc/guides/icons/note.png b/railties/doc/guides/icons/note.png Binary files differnew file mode 100644 index 0000000000..841820f7c4 --- /dev/null +++ b/railties/doc/guides/icons/note.png diff --git a/railties/doc/guides/icons/prev.png b/railties/doc/guides/icons/prev.png Binary files differnew file mode 100644 index 0000000000..3e8f12fe24 --- /dev/null +++ b/railties/doc/guides/icons/prev.png diff --git a/railties/doc/guides/icons/tip.png b/railties/doc/guides/icons/tip.png Binary files differnew file mode 100644 index 0000000000..a3a029d898 --- /dev/null +++ b/railties/doc/guides/icons/tip.png diff --git a/railties/doc/guides/icons/up.png b/railties/doc/guides/icons/up.png Binary files differnew file mode 100644 index 0000000000..2db1ce62fa --- /dev/null +++ b/railties/doc/guides/icons/up.png diff --git a/railties/doc/guides/icons/warning.png b/railties/doc/guides/icons/warning.png Binary files differnew file mode 100644 index 0000000000..0b0c419df2 --- /dev/null +++ b/railties/doc/guides/icons/warning.png diff --git a/railties/doc/guides/securing_rails_applications/creating_records_directly_from_form_parameters.txt b/railties/doc/guides/securing_rails_applications/creating_records_directly_from_form_parameters.txt new file mode 100644 index 0000000000..b237c4a17f --- /dev/null +++ b/railties/doc/guides/securing_rails_applications/creating_records_directly_from_form_parameters.txt @@ -0,0 +1,86 @@ +== Creating records directly from form parameters == + +=== The problem === + +Let's say you want to make a user registration system. Your users table looks like this: + +------------------------------------------------------- +CREATE TABLE users ( + id INTEGER PRIMARY KEY, + name VARCHAR(20) NOT NULL, -- the login name + password VARCHAR(20) NOT NULL, + role VARCHAR(20) NOT NULL DEFAULT "User", -- e.g. "Admin", "Moderator, "User" + approved INTEGER NOT NULL DEFAULT 0 -- is the registered accound approved by the administrator? +); + +CREATE UNIQUE INDEX users_name_unique ON users(name); +------------------------------------------------------- + +The registration form: + +[source, xhtml] +------------------------------------------------------- +<form method="post" action="http://website.domain/user/register"> + <input type="text" name="user[name]" /> + <input type="text" name="user[password]" /> +</form> +------------------------------------------------------- + +The easiest way to create a user object from the form data in the controller is: + +[source, ruby] +------------------------------------------------------- +User.create(params[:user]) +------------------------------------------------------- + +But what happens if someone decides to save the registration form to his disk and play around with adding a few fields? + +[source, xhtml] +------------------------------------------------------- +<form method="post" action="http://website.domain/user/register"> + <input type="text" name="user[name]" /> + <input type="text" name="user[password]" /> + <input type="text" name="user[role]" value="Admin" /> + <input type="text" name="user[approved]" value="1" /> +</form> +------------------------------------------------------- + +He can create an account, make himself admin and approve his own account with one click. + +=== The solution === + +Active Record provides two ways of securing sensitive attributes from being overwritten by malicious users that change the form. The first is `attr_protected` that denies mass-assignment the right to change the named parameters. + +Using `attr_protected`, we can secure the User models like this: + +[source, ruby] +------------------------------------------------------- +class User < ActiveRecord::Base + attr_protected :approved, :role +end +------------------------------------------------------- + +This will ensure that on doing `User.create(params[:user])` both `params[:user][:approved]` and `params[:user][:role]` will be ignored. You'll have to manually set them like this: + +[source, ruby] +------------------------------------------------------- +user = User.new(params[:user]) +user.approved = sanitize_properly(params[:user][:approved]) +user.role = sanitize_properly(params[:user][:role]) +------------------------------------------------------- + +=== Allowing instead of protecting === + +If you're afraid you might forget to apply `attr_protected` to the right attributes before making your model available to the cruel world, you can also specify the protection in reverse. You simply allow access instead of deny it, so only the attributes named in `attr_accessible` are available for mass-assignment. + +Using `attr_accessible`, we can secure the User models like this: + +[source, ruby] +------------------------------------------------------- +class User < ActiveRecord::Base + attr_accessible :name, :password +end +------------------------------------------------------- + +This description has exactly the same affect as doing `attr_protected :approved, :role`, but when you add new attrbutes to the User model, they'll be protected by default. + diff --git a/railties/doc/guides/securing_rails_applications/cross_site_scripting.txt b/railties/doc/guides/securing_rails_applications/cross_site_scripting.txt new file mode 100644 index 0000000000..56b3940511 --- /dev/null +++ b/railties/doc/guides/securing_rails_applications/cross_site_scripting.txt @@ -0,0 +1,64 @@ +== Cross Site Scripting (CSS/XSS) == + +=== The problem === + +Many web applications use session cookies to track the requests of a user. The cookie is used to identify the request and connect it to the session data (the `session` method in Rails). Usually the session contains a reference to the user that is currently logged in, e.g. the id of a User object. + +Cross Site Scripting is a technique for ``stealing'' the cookie from another visitor of the website, and thus stealing the login. Cookies are only available from the domain where the were originally created. The easiest way to get access to the cookie is to place a specially crafted piece of JavaScript code on the website; the script can read the cookie of a visitor and send it to the attacker, e.g. by transmitting the data as an URL parameter to another website. +2.2 Example of an attack + +A site with the following Eruby template is vulnerable to XSS: + +------------------------------------ +<%= params[:text] %> +------------------------------------ + +The 'text' parameter is directly included in the page, so it is possible to insert JavaScript code by setting the parameter to something like + +[source, xhtml] +------------------------------------ +<script>alert(document.cookie)</script> +------------------------------------ + +After url-encoding the script (e.g. with `CGI.encode`) the attacker can put it into an URL and make his victim open the URL in the browser. + +If you open the URL + +------------------------------------ +http://website.domain/controller/action?text=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E +------------------------------------ + +you will get a popup window with your session cookie. Instead of opening the popup the script could as well send the session id to another server. + +=== How to protect your application === + +Obviously the key to a successful attack is the possibility to place JavaScript on a website that can receive the session cookie. This can be a blog with user comments, a web forum or a Wiki. How can you protect against it? Strictly convert HTML meta characters (`<` and `>`) to the equivalent HTML entities (`<` and `>`) in every string that is rendered in the website. This will ensure that, no matter what kind of text an attacker enters in a form or attaches to an URL, the browser will always render it as plain text and never interpret any HTML tags. This is a good idea anyway, as a user can easily mess up your layout by leaving tags open. If you want the user to be able to format his texts, it is usually better to use a markup language like Textile, Markdown or RDoc. + +Rails provides the helper method `h` for HTML meta character conversion in Views. + +Example: + +------------------------------------ +<%=h post.subject %> +<%=h post.text %> +------------------------------------ + +You should accustom to using `h` for any variable that is rendered in the view, even if you think you can trust it to be from a reliable source. + +=== XSS attacks using an echo service === + +The echo service is a service running on TCP port 7 that returns back everything you send to it. On Debian it is active by default. Now how can this be a security problem for a web application? + +If the server of the target website 'target.domain' is running an echo service, the attacker could create a form like the following on his own website: + +[source, xhtml] +------------------------------------ +<form action="http://target.domain:7/" method="post"> + <input type="hidden" name="code" value="some_javascript_code_here" /> + <input type="submit" /> +</form> +------------------------------------ + +If he makes someone who has a session cookie on the target website submit this form, the content of the hidden field is sent to the echo server at port 7 – and returned. If the browser decides to display the returned data as HTML (some versions of IE do), it will execute the JavaScript code; and because the domain is 'target.domain' the session cookie is available for the script. + +This is rather a client-side issue, but to reduce the probability of a successful attack you should deactivate any echo services on the web server. However this does not provide full security, because there are also some other services (e.g. FTP, POP3) that can be used instead of the echo server. diff --git a/railties/doc/guides/securing_rails_applications/securing_rails_applications.txt b/railties/doc/guides/securing_rails_applications/securing_rails_applications.txt new file mode 100644 index 0000000000..b2cebbd311 --- /dev/null +++ b/railties/doc/guides/securing_rails_applications/securing_rails_applications.txt @@ -0,0 +1,14 @@ +Securing Rails applications +=========================== + +This manual describes common security problems in web applications and how +to avoid them with Rails. If you have any questions or suggestions, please +mail me at ror(at)andreas-s.net. + + +include::sql_injection.txt[] + +include::cross_site_scripting.txt[] + +include::creating_records_directly_from_form_parameters.txt[] + diff --git a/railties/doc/guides/securing_rails_applications/sql_injection.txt b/railties/doc/guides/securing_rails_applications/sql_injection.txt new file mode 100644 index 0000000000..51a0520b39 --- /dev/null +++ b/railties/doc/guides/securing_rails_applications/sql_injection.txt @@ -0,0 +1,87 @@ +== SQL Injection == + +=== The problem === + +SQL injection is the #1 security problem in many web applications. How does it work? If the web application includes strings from unreliable sources (usually form parameters) in SQL statements and doesn't correctly quote any SQL meta characters like backslashes or single quotes, an attacker can change `WHERE` conditions in SQL statements, create records with invalid data or even execute arbitrary SQL statements. + +=== How to protect your application === + +If you only use the predefined ActiveRecord functions (attributes, save, find) without writing any conditions, limits or SQL queries yourself, ActiveRecord takes care of quoting any dangerous characters in the data for you. + +If you don't, you have to make sure that strings for arguments that are directly used to build SQL queries (like the condition, limit and sort arguments for `find :all`) do not contain any SQL meta characters. + +=== Using arbitrary strings in conditions and SQL statements === + +==== Wrong ==== + +Imagine a webmail system where a user can select a list of all the emails with a certain subject. A query could look like this: + +[source, ruby] +--------------------------------------------------------------------------- +Email.find(:all, "owner_id = 123 AND subject = '#{params[:subject]}'") +--------------------------------------------------------------------------- + +This is dangerous. Imagine a user sending the string `\' OR 1 \--` in the parameter 'subject'; the resulting statement will look like this: + +[source, ruby] +--------------------------------------------------------------------------- +Email.find(:all, "owner_id = 123 AND subject = '' OR 1 --'") +--------------------------------------------------------------------------- + +Because of ``OR 1'' the condition is always true. The part ``\--'' starts a SQL comment; everything after it will be ignored. The result: the user will get a list of all the emails in the database. + +(Of course the 'owner_id' would have to be inserted dynamically in a real application; this was omitted to keep the examples as simple as possible.) + +==== Correct ==== + +[source, ruby] +--------------------------------------------------------------------------- +Email.find(:all, ["owner_id = 123 AND subject = ?", params[:subject]]) +--------------------------------------------------------------------------- + +If the argument for find_all is an array instead of a string, ActiveRecord will insert the elements 2..n of the array for the `?` placeholders in the element 1, add quotation marks if the elements are strings, and quote all characters that have a special meaning for the database adapter used by the `Email` model. + +If you don't like the syntax of the array, you can take care of the quoting yourself by calling the `quote_value` method of the model class. You have to do this when you use `find_by_sql`, as the Array argument doesn't work there: + +[source, ruby] +--------------------------------------------------------------------------- +Email.find_by_sql("SELECT * FROM email WHERE owner_id = 123 AND subject = #{Email.quote_value(subject)}") +--------------------------------------------------------------------------- + +The quotation marks are added automatically by `Email.quote_value` if the argument is a string. + +=== Extracting queries into model methods === + +If you need to execute a query with the similar options in several places in your code, you should create a model method for that query. Instead of + +[source, ruby] +--------------------------------------------------------------------------- +emails = Email.find(:all, ["subject = ?", subject]) +--------------------------------------------------------------------------- + +you could define the following class method in the model: + +[source, ruby] +--------------------------------------------------------------------------- +class Email < ActiveRecord::Base + def self.find_with_subject(subject) + Email.find(:all, ["subject = ?", subject]) + end +end +--------------------------------------------------------------------------- + +and call it like this: + +[source, ruby] +--------------------------------------------------------------------------- +emails = Email.find_with_subject(subject) +--------------------------------------------------------------------------- + +This has the advantage that you don't have to care about meta characters when using the function `find_with_subject`. Generally you should always make sure that this kind of model method can not break anything, even if it is called with untrusted arguments. + +.ActiveRecord automatically generates finder methods +NOTE: The `find_with_subject` method given in the above example is actually redundant. +ActiveRecord automatically generates finder methods for columns. In this case, ActiveRecord +automatically generates the method `find_by_subject` (which works exactly like the `find_with_subject` +method given in the example). `find_with_subject` is only given here as an example. In general, +you should use ActiveRecord's auto-generated finder methods instead of writing your own. diff --git a/railties/doc/guides/testing_rails_applications/testing_rails_applications.txt b/railties/doc/guides/testing_rails_applications/testing_rails_applications.txt new file mode 100644 index 0000000000..a775ed2f09 --- /dev/null +++ b/railties/doc/guides/testing_rails_applications/testing_rails_applications.txt @@ -0,0 +1,1371 @@ +A Guide to Testing Rails Applications +===================================== + +This article is for fellow Rubyists looking for more information on test writing and how that fits into Ruby On Rails. If you're new to test writing or experienced with test writing, but not in Rails, hopefully you'll gain some practical tips and insight on successful testing. +Assumptions + +Just so we're all on the same page here, I'm making a few assumptions about you. + + * You've got Ruby installed and know how to run a Ruby script. + * You've got Rails installed + * You've created a basic Rails application with 1 controller and 1 model. + +If you haven't accomplished all of the above, you might be jumping ahead of yourself. Check out www.rubyonrails.org for some great beginner's tutorials. + +Make sure you have Ruby 1.8.6 or greater and Rails 2.0 or greater. + +Also, hats off to xal (and others) for creating this site. + + +== Testing 1-2-3... is this thing on? + +=== What are These Strange Creatures? + +I have to say that tests are such a straight-forward concept that it's actually harder to describe what they are than it is to show you how to do them. + +So what are tests? + +The Official Answer:: + Tests are collections of questions and scenarios that provide us (developers) with consistent results which prove that our application is doing what we expect it to do. + +The Unofficial Answer:: + We write tests to interrogate, taunt, bully, punish, and otherwise kick the crap out of our application code until it consistently gives us the correct answer. Think of it as ``tough love''. ;) + +Need some examples? + + * ensure user names have at least 4 characters + * ensure that when we save this record, the administrator is e-mailed + * ensure all replies are deleted when we delete the parent message + * ensure that Canadians have GST of 7% applied to their purchases + +The idea of tests is that you write them at the same time as you write your application. In essence, you're writing two application. As your application grows and becomes more complex, you create many tests. Re-running these tests at any point will help you discover if you've ``broke'' anything along the way. + +Some developers actually take this a step further and create the tests before they create the application. This is called Test Driven Development (TDD), and although I personally don't subscribe to it, it's a totally legit way of coding. + +There's volumes written about Test Driven Development and testing in general. For more information, talk to Mr. Google. + +=== So Why Test? + +As mentioned before, tests offer proof that you've done a good job. Your tests become your own personal QA assistant. If you code your tests correctly, at any point in development, you will know: + + * what processes work + * what processes fail + * the effect of adding new pieces onto your application + +With your tests as your safety net, you can do wild refactoring of your code and be able to tell what needs to be addressed simply by seeing which tests fail. + +In addition to normal "did it pass?" testing, you can go the opposite route. You can explicitly try to break your application such as feeding it unexpected and crazy input, shutting down critical resources like a database to see what happens, and tampering with things such as session values just to see what happens. By testing your application where the weak points are, you can fix it *before* it ever becomes an issue. + +A strong suite of tests ensures your application has a high level of quality. It's worth the extra effort. + +Another positive side-effect of writing tests is that you have basic usage documentation of how things work. Simply by looking at your testing code, you can see how you need to work with an object to make it do it's thing. + +But enough about theory. + + +== Introducing Test/Unit + +=== The Small Picture + +==== Hello World + +As we all know, Ruby ships with a boat load of great libraries. If you're like me, you've only used a quarter of them or so. One little gem of a library is 'test/unit'. It comes packaged with Ruby 1.8.1, so there's nothing to download. + +By using one line of code `require \'test/unit'`, you arm your Ruby script with the capability to write tests. + +Let's show you a really basic test, and then we'll step through it and explain some details. + +[source,ruby] +------------------------------------------------------ +# hello_test.rb + +require 'test/unit' + +class HelloTestCase < Test::Unit::TestCase + def test_hello + assert true + end +end +------------------------------------------------------ + +Quite possibly the simplest and least useful test ever invented, but it shows you the bare bones of writing a test case. That script can be run from the command line the same way your run any other Ruby script. + +Simply run `ruby hello_test.rb` and you will see the following: + +------------------------------------------------------ +Started +. +Finished in 0.0 seconds. + +1 tests, 1 assertions, 0 failures, 0 errors +------------------------------------------------------ + +Congratulations, your first test. + + +==== What Does It All Mean? + +By looking at the output of a test, you will be able to tell if the tests pass or not. In our example, not surprisingly, we've passed. The summary shows *1 test, 1 assertion, 0 failures, and 0 errors*. + +So, let's break our test source code down. + +First, line 1. + +[source,ruby] +------------------------------------------------------ +require 'test/unit' +------------------------------------------------------ + +You'll always have this when writing unit tests. It contains the classes and functionality to write and run unit tests. + +Next, we have a class `HelloTestCase` which derives from `Test::Unit::TestCase`. + +[source,ruby] +------------------------------------------------------ +class HelloTestCase < Test::Unit::TestCase +------------------------------------------------------ + +All of the tests that you create will directly subclass `Test::Unit::TestCase`. The TestCase provides the ``housing'' of where your tests will live. More on this in a bit. + +Finally, we have a method called `test_hello`. + +[source,ruby] +------------------------------------------------------ +def test_hello +------------------------------------------------------ + +All tests must follow this naming convention: *their names start with the first 4 characters test*, as in `test_hello`, `testme`, and `testarosa`. If you create a method that doesn't start with test, the testing framework won't recognize it as a test, hence, won't run it automatically, hence it is a normal Ruby method. + +Inside our `test_hello` method, we have an assertion. + +[source,ruby] +------------------------------------------------------ +assert true +------------------------------------------------------ + +Assertions are where the real work gets done. There are a whole army of different types of assertions that you'll use to make sure your code is doing the right thing. + + +=== The Big Picture + +Grab a cup of coffee and dunk your head in some ice water, because here's some more theory. + +There are 4 major players in the testing game. + +==== A: The Assertion + +An 'Assertion' is 1 line of code that evaluates an object (or expression) for expected results. + +For example, is this value = that value? is this object nil? does this line of code throw an exception? is the user's password greater than 5 characters? + +==== B: The Test ==== + +A 'Test' is method that contains assertions which represent a particular testing scenario. + +For example, we may have a test method called `test_valid_password`. In order for this test to pass, we might need to check a few things: + + * password is 4 or more characters + * password isn't the word ‘password' + * password isn't all spaces + +If all of these assertions are successful, the test will pass. + +==== C: The Test Case ==== +A 'Test Case' is a class inherited from `Test::Unit::TestCase` containing a testing ``strategy'' comprised of contextually related tests. + +For example, I may have a test case called UserTestCase which has a bunch of tests that check that: + + * the password is valid (`test_password`) + * the username doesn't have any forbidden words (`test_username_cussin`) + * a user is under the age of 150 (`test_shriveled_raisin`) + +==== D: The Test Suite ==== +A 'Test Suite' is a collection of test cases. When you run a test suite, it will, in turn, execute each test that belongs to it. + +For example, instead of running each test unit individually, you can run them all by creating a suite and including them. This is good for stuff like continuous-build integration. + +We won't get into test suites in this article. + + +==== The Hierarchy ==== + +The relationship of these objects to one-another looks like this: + + * a test suite + * has many test cases + * which have many tests + * which have many assertions + + +== Hello World on Steroids == + +=== The Victim === + +In the last episode, we learned that we write tests to prove our code works properly. Let's create a really simple class for us to test. + +[source,ruby] +-------------------------------------------------- +# secret_agent.rb +class SecretAgent + + # simple public properties + attr_accessor :username + attr_accessor :password + + # our "constructor" + def initialize(username,password) + @username = username + @password = password + end + + # the logic to determine if the password is + # good enough for the user to use + def is_password_secure? + return false if @password.nil? + return false if @password.empty? + return false if @password.size < 4 + return false if @password 'stirred' + return false if @password ‘password' + return false if @password == @username + true + end +end +-------------------------------------------------- + +Ok. So, we've got a class which represents a secret agent. What we're about to do is test a user to make sure that their password is secure enough to use in our top-secret database. + +The `is_password_secure?` method will answer that for us. If the user's password passes our stringent set of rules, then the function will return a true value and the secret agent granted access. + + +=== The Assault === + +Let's build upon the last test we wrote and add in a few more things, specifically, let's test out this brand new SecretAgent. + +[source,ruby] +----------------------------------------------- +require 'test/unit' +require 'secret_agent' + +class HelloTestCase < Test::Unit::TestCase + + def test_hello + assert true + end + + # our new test will exercise the new SecretAgent class + def test_these_passwords + # first, let's try a few passwords that should fail + assert !SecretAgent.new("bond","abc").is_password_secure? + assert !SecretAgent.new("bond","007").is_password_secure? + assert !SecretAgent.new("bond","stirred").is_password_secure? + assert !SecretAgent.new("bond","password").is_password_secure? + assert !SecretAgent.new("bond","bond").is_password_secure? + assert !SecretAgent.new("bond","").is_password_secure? + assert !SecretAgent.new("bond",nil).is_password_secure? + + # now, let's try passwords that should succeed + assert SecretAgent.new("bond","goldfinger").is_password_secure? + assert SecretAgent.new("bond","1234").is_password_secure? + assert SecretAgent.new("bond","shaken").is_password_secure? + end +end +----------------------------------------------- + +In this example, we've expanded our test case by adding another test called `test_these_passwords` with 10 assertions. Let's run it, cross our fingers, and hope it passes. + +----------------------------------------------- +Started +.. +Finished in 0.01 seconds. + +2 tests, 11 assertions, 0 failures, 0 errors +----------------------------------------------- + +Sweet! It passed! + +A couple of new things to notice about the results. See the line right underneath the word Started? Notice it has 2 dots instead of only 1 before? Each . represents a test. You can have 1 of 3 values where the dots are. + + * *.* means successful test (pass) + * *F* means failed test + * *E* means an error has occurred + +=== Failure, Error and General Discomfort === + +Let's add another in 2 more tests. This time, we'll make one of them fail and the other throw an error. Yes, on purpose. Yes, I'm a trained professional. + +[source,ruby] +--------------------------------------------------------------- +... +# this will result in a failure because the assertion fails... plus everyone +# knows batman really exists +def test_bam_zap_sock_pow + batman = nil + assert_not_nil batman +end + +# this will result in an error because it contains an undefined symbol +def test_uh_oh_hotdog + assert_not_nil does_this_var_speak_korean +end +... +--------------------------------------------------------------- + +Ok... Let's run this puppy. + +--------------------------------------------------------------- +Started +F..E +Finished in 0.07 seconds. + +1) Failure: +test_bam_zap_sock_pow(HelloTestCase) [/example/test.rb:62]: +<nil> expected to not be nil. + +2) Error: +test_uh_oh_hotdog(HelloTestCase): +NameError: undefined local variable or method 'does_this_var_speak_korean' for +#<HelloTestCase:0x28c59a0> /example/test.rb:68:in 'test_uh_oh_hotdog' + +4 tests, 12 assertions, 1 failures, 1 errors +--------------------------------------------------------------- + +Wow. Nasty. + +Take a look at the 2nd line. This time we have 'F..E' which means failure, pass, pass, error. In the details underneath the total elapsed time, you see what exactly went wrong and where. + +The incredibly observant will notice that even though the two new methods were added as the 3rd and 4th tests, they showed up in the results as 1st and 4th. That's because the tests are sorted alphabetically. + +So, that's what errors and failures look like. The difference is, a failure represents an assertion attempt that gave us the wrong results whereas an error is a Ruby problem. + + +=== This Side Up ^ === + +Another thing about assertions. They're fragile. If the test finds an assertion that fails, it will stop execution of that method and move on to the next test. + +If I had a test with 4 assertions, of which numbers 2, 3, and 4 were all going to fail, you'd only see #2 as the cause of the failed test. If you were to correct that failure, then rerun the test, it would be #3 thats causes grief. + +Got it? Good, there will be a pop quiz on Monday. + + +== The Test Case Life Cycle == + +=== 4.1 A Quick Recap === + +You already saw a simple test case in action. It looked something like this: + +[source,ruby] +--------------------------------------------------------- +require 'test/unit' + +class MyTestCase < Test::Unit::TestCase + + def test_1 + assert true + end + + def test_2 + end + + def test_3 + end + +end +--------------------------------------------------------- + +You saw that: + + * we need to use `require ‘test/unit'` + * we need to inherit from `Test::Unit::TestCase` + * we need to define methods that start with `test` + * we need assertions to prove our code works + +Next, we're going to look at the flow of how test cases are run. + + +=== The Flow === + +When a test case is run, the testing framework creates a ‘fresh' object before running each test. That allows the test to not have to worry about what state the other test methods leave the object in. So for the above example, the testing flow looks like this when run: + + * an object of class `MyTestCase` is created + * method `test_1` is run + * the test case object is destroyed + +then... + + * a brand new object of class `MyTestCase` is created + * method `test_2` is run + * the test case object is destroyed + +then... + + * one last object of class `MyTestCase` is created + * method `test_3` is run + * the test case object is destroyed + + +=== Setup and Teardown Exposed === + +Now, there are 2 special methods that you can use to hook into this process. One is called setup and the other is called teardown. + +Let's rewrite our test. + +[source,ruby] +------------------------------------------ +require 'test/unit' + +class MyTestCase < Test::Unit::TestCase + + # called before every single test + def setup + @name = 'jimmy' + @age = 150 + end + + # called after every single test + def teardown + end + + # our tests + def test_1 + assert true + end + + def test_2 + end + + def test_3 + end +end +------------------------------------------ + +The `setup` method will always be called just before the test method. Comparatively, the `teardown` method will always be called always be called just after the test method. So now, the flow looks like this: + + * an object of class `MyTestCase` is created + * method `setup` is run + * method `test_1` is run + * method `teardown` is run + * the test case object is destroyed + +then... + + * a brand new object of class `MyTestCase` is created + * method `setup` is run + * method `test_2` is run + * method `teardown` is run + * the test case object is destroyed + +then... + + * one last object of class `MyTestCase` is created + * method `setup` is run + * method `test_3` is run + * method `teardown` is run + * the test case object is destroyed + +What can you do with this? Well, the `setup` method is good for stuff like creating objects that each method uses. For example, maybe we need to create a user and populate her with sample data before running each of the tests? + +As you'll see later, Rails uses the `setup` and `teardown` methods extensively. + + +== Hey Test/Unit. Assert This! == + +=== The Assertion Lineup === + +By now you've caught a glimpse of some of the assertions that are available. Assertions are the worker bees of testing. They are the ones that actually perform the checks to ensure things are going as planned. + +There are a bunch of different types of assertions you can use. Here's the complete list of assertions that ship with test/unit. The [msg] is an optional string message you can specify to make your test failure messages clearer. It's not required. + +`assert( boolean, [msg] )`:: + Ensures that the object/expression is true. + +`assert_equal( obj1, obj2, [msg] )`:: + Ensures that `obj1 == obj2` is true. + +`assert_not_equal( obj1, obj2, [msg] )`:: + Ensures that `obj1 == obj2` is false. + +`assert_same( obj1, obj2, [msg] )`:: + Ensures that `obj1.equal?(obj2)` is true. + +`assert_not_same( obj1, obj2, [msg] )`:: + Ensures that `obj1.equal?(obj2)` is false. + +`assert_nil( obj, [msg] )`:: + Ensures that `obj.nil?` is true. + +`assert_not_nil( obj, [msg] )`:: + Ensures that `obj.nil?` is false. + +`assert_match( regexp, string, [msg] )`:: + Ensures that a string matches the regular expression. + +`assert_no_match( regexp, string, [msg] )`:: + Ensures that a string doesn't matches the regular expression. + +`assert_in_delta( expecting, actual, delta, [msg] )`:: + Ensures that the numbers `expecting` and `actual` are within `delta` of each other. + +`assert_throws( symbol, [msg] ) { block }`:: + Ensures that the given block throws the symbol. + +`assert_raises( exception1, exception2, ... ) { block }`:: + Ensures that the given block raises one of the given exceptions. + +`assert_nothing_raised( exception1, exception2, ... ) { block }`:: + Ensures that the given block doesn't raise one of the given exceptions. + +`assert_instance_of( class, obj, [msg] )`:: + Ensures that `obj` is of the `class` type. + +`assert_kind_of( class, obj, [msg] )`:: + Ensures that `obj` is or descends from `class`. + +`assert_respond_to( obj, symbol, [msg] )`:: + Ensures that obj has a method called symbol. + +`assert_operator( obj1, operator, obj2, [msg] )`:: + Ensures that `obj1.operator(obj2)` is true. + +`assert_send( array, [msg] )`:: + Ensures that executing the method listed in `array[1]` on the object in `array[0]` with the parameters of `array[2 and up]` is true. This one is weird eh? + +`flunk( [msg] )`:: + Ensures failure... like me and high school chemistry exams. + +Because of the modular nature of the testing framework, it is possible to create your own assertions. In fact, that's exactly what Rails does. It has some specialized assertions to make your life easier. + +Creating your own assertions is more of an advanced topic we won't cover in this tutorial. + + +== The Rails Fly-By == + +=== It's About Frikkin' Time === + +Finally we get to testing in with Ruby on Rails! By this point, I'm going to assume a few things. + + * you're familiar with the basic building blocks of 'test/unit' + * you know that there are a bunch of assertions you can use + * you know what the special methods `setup` and `teardown` are + * you're conscious + +Rails promotes testing. The Ruby on Rails framework itself was built using these testing methodologies. + +In fact, the features built-in to Rails makes it exceptionally easy to do testing. For every model and controller you create using the `script/generate model` and `script/generate controller` scripts, corresponding test stubs are created. + +=== Where They Live === + +Your tests, quite surprisingly, go in your 'test' directory under your rails application. In the test directory, you'll see 4 sub-directories; one for controller tests ('functional'), one for model tests ('unit'), one for mock objects ('mocks') and one that only holds sample data ('fixtures'). + + * test + - /unit + - /functional + - /fixtures + - /mocks + +=== How to Turn Them On === + +To run these tests, you simply run the test script directly: + +--------------------------------------------- +ruby test/unit/my_good_old_test_unit.rb +--------------------------------------------- + +Another way to run your tests is to have the main rakefile run it for you. `rake test_functional` will run all your controller tests and `rake test_units` will run all your model tests. + +=== The 3 Environments === + +Testing support was woven into the Rails fabric from the beginning. It wasn't a ``oh! let's bolt on support for running tests because they're new and cool'' epiphany. + +Each Rails application you build has 3 sides. A side for production, a side for development and a side for testing. + +Let's take a closer look at the Rails 'config/database.yml' file. This YAML configuration file has 3 different sections defining 3 unique database setups: + + * production + * development + * test + +Why 3 different databases? Well, there's one for testing where you can use sample data, there's one for development where you'll be most of the time as you develop your application, and then production for the ``real deal'', or when it goes live. + +Every new Rails application should have these 3 sections filled out. They should point to different databases. You may end up not having a local database for your production environment, but development and test should both exist and be different. + +=== Why Make This Distinction? === + +If you stop and think about it for a second, it makes sense. + +By segregating your development database and your testing database, you're not in any danger of losing any data where it matters. + +For example, you need to test your new `delete_this_user_and_every_everything_associated_with_it` function. Wouldn't you want to run this in an environment which makes no difference if you destroy data or not? + +When you do end up destroying your testing database (and it will happen, trust me), simply run a task in your rakefile to rebuild it from scratch according to the specs defined in the development database. You can do this by running `rake db:test:prepare`. + + +== The Lo-Down on Fixtures == + +=== What They Are === + +The structure is one thing, but what about when I want to automatically create sample data? + +Enter fixtures. Fixtures is a fancy word for ‘sample data'. Fixtures allow you to populate your testing database with predefined data before your tests run. Fixtures are database independent and assume one of two formats: *YAML* or *CSV*. + +You'll find fixtures under your 'test/fixtures' directory. When you run `script/generate model` to create a new model, fixture stubs will be automatically created and placed in this directory. + +=== YAML the Camel is a Mammal with Enamel === + +YAML-formatted fixtures are a very human-friendly way to describe your sample data. These types of fixtures have the *.yml* file extension (as in 'users.yml'). + +On any given Sunday, a YAML fixture file may look like this: + +--------------------------------------------- +# low & behold! I am a YAML comment! +david: + id: 1 + name: David Heinemeier Hansson + birthday: 1979-10-15 + profession: Systems development + +steve: + id: 2 + name: Steve Ross Kellock + birthday: 1974-09-27 + profession: guy with keyboard +--------------------------------------------- + +Each fixture is given a 'name' followed by an indented list of colon-separated key/value pairs. Records are separated by a blank space. You can place comments by using the # character in the first column. + +=== Comma Seperated === + +Fixtures can also be described using the all-too-familiar comma-separated value file format. These files, just like YAML fixtures are placed in the 'test/fixtures directory', but these end with the *.csv* file extension (as in 'celebrity_holiday_figures.csv'). + +A CSV fixture looks like this: + +-------------------------------------------------------------- +id, username, password, stretchable, comments +1, sclaus, ihatekids, false, I like to say ""Ho! Ho! Ho!"" +2, ebunny, ihateeggs, true, Hoppity hop y'all +3, tfairy, ilovecavities, true, "Pull your teeth, I will" +-------------------------------------------------------------- + +The first line is the header. It is a comma-separated list of fields. The rest of the file is the payload: 1 record per line. A few notes about this format: + + * each cell is stripped of outward facing spaces + * if you use a comma as data, the cell must be encased in quotes + * if you use a quote as data, you must escape it with a 2nd quote + * don't use blank lines + * nulls can be achived by just placing a comma, for example, (1,sclaus,,false,) minus the parenthesis of course. + +Unlike the YAML format where you give each fixture a name, CSV fixture names are automatically generated. They follow a pattern of ``model-name''-''counter''. In the above example, you would have: + +-------------------------------------------------------------- +celebrity-holiday-figures-1 +celebrity-holiday-figures-2 +celebrity-holiday-figures-3 +-------------------------------------------------------------- + +The CSV format is great to use if you have existing data in a spreadsheet or database and you are able to save it (or export it) as a CSV. + +=== ERb'in It Up === + +ERb allows you embed ruby code within templates. Both the YAML and CSV fixture formats are pre-processed with ERb. This allows you to use Ruby to help you generate some sample data. + +I'll demonstrate with a YAML file: + +-------------------------------------------------------------- +<% earth_size = 20 -%> +mercury: + id: 1 + size: <%= earth_size / 50 %> + +venus: + id: 2 + size: <%= earth_size / 2 %> + +mars: + id: 3 + size: <%= earth_size - 69 %> +-------------------------------------------------------------- + +Anything encased within the + +------------- +<% -%> +------------- + +tag is considered Ruby code. To actually print something out, you must use the + +------------- +<%= %> +------------- + +tag. + +=== Fixtures in Action === + +Rails makes no assumptions when it comes to fixtures. You must explicitly load them yourself by using the fixtures method within your TestCase. For example, a users model unit test might look like this: + +[source, ruby] +-------------------------------------------------------------- +# Allow this test to hook into the Rails framework. +require File.dirname(__FILE__) + '/../test_helper' + +class UserTest < Test::Unit::TestCase + fixtures :users + + # Count the fixtures. + def test_count_my_fixtures + assert_equal 5, User.count + end +end +-------------------------------------------------------------- + +Using the fixtures method and placing the symbol name of the model, Rails will automatically load up the fixtures for you at the start of each test method. + +[source, ruby] +-------------------------------------------------------------- +fixtures :users +-------------------------------------------------------------- + +What exactly does this line of code do? It does 3 things: + + * it nukes any existing data living in the users table +* it loads the fixture data (if any) into the users table + * it dumps the data into a variable in case you want to access it directly + +So, in the above example, if we had another test method, we wouldn't have 10 users on the 2nd test because they would be wiped out before being created. + +You can load multiple fixtures by including them on the same line separated by commas. + +[source, ruby] +-------------------------------------------------------------- +fixtures :users, :losers, :bruisers, :cruisers +-------------------------------------------------------------- + +=== Hashes with Special Powers === + +Fixtures are basically Hash objects. As mentioned in point #3 above, you can access the hash object directly because it is automatically setup as a local variable of the test case. + +[source, ruby] +-------------------------------------------------------------- +... + fixtures :users + + def test_user + # this will return the Hash for the fixture named david + users(:david) + + # this will return the property for david called id + users(:david).id + end +... +-------------------------------------------------------------- + +But, by there's another side to fixtures... at night, if the moon is full and the wind completely still, fixtures can also transform themselves into the form of the original class! + +Now you can get at the methods only available to that class. + +[source, ruby] +-------------------------------------------------------------- +... + fixtures :users + + def test_user + # using the find method, we grab the "real" david as a User + david = users(:david).find + + # an now we have access to methods only available to a User class + email( david.girlfriend.email, david.illegitimate_children ) + end +... +-------------------------------------------------------------- + + +== Testing Your Models == + +=== A Unit Test === + +Unit tests are what we use to test our models. Generally, there is one test for each model. The test stubs are created automatically when you use `script/generate model SecretAgent` (for example). + +Let's take a look at what a unit test might look like. + +[source, ruby] +------------------------------------------------------- +# hook into the Rails environment +require File.dirname(__FILE__) + '/../test_helper' + +class SecretAgent < ActiveSupport::TestCase + fixtures :secret_agents + + # ensure the SecretAgent plays well with the database + def test_create_read_update_delete + # create a brand new secret agent + jimmy = SecretAgent.new("jagent", "unbelievablysecretpassword") + + # save him + assert jimmy.save + + # read him back + agent = SecretAgent.find(jimmy.id) + + # compare the usernames + assert_equal jimmy.username, agent.username + + # change the password by using hi-tech encryption + agent.username = agent.username.reverse + + # save the changes + assert agent.save + + # the agent gets killed + assert agent.destroy + end +end +------------------------------------------------------- + +In this basic unit test, we're exercising the 'SecretAgent' model. In our solitary test, we're proving a bunch of things about our 'SecretAgent' model. We try 4 different assertions to test that we can do the basics with the database such as create, read, update and delete (creatively known as CRUD). + +It is up to you to decide just how much you want to test of your model. Ideally you test anything that could possibly break, however, it is really trial and error. Only you know what's best to test. + +You most certainly want to test the validation code, and additionally, you probably want a least 1 test for every method in your model. + + +== Testing Your Controllers == + +=== What Is It? === + +The goal of functional testing is to test your controllers. When you get into the realm of testing controllers, we're operating at a higher level than the model. At this level, we test for things such as: + + * was the web request successful? + * were we redirected to the right page? + * were we successfully authenticated? + * was the correct object stored in the response template? + +Just as there is a one-to-one ratio between unit tests and models, so there is between functional tests and controllers. For a controller named `HomeController`, you would have a test case named `HomeControllerTest`. + +=== An Anatomy Lesson === + +So let's take a look at an example of a functional test. + +[source, ruby] +---------------------------------------------------- +require File.dirname(__FILE__) + '/../test_helper' + +class HomeControllerTest < ActionController::TestCase + # let's test our main index page + def test_index + get :index + assert_response :success + end +end +---------------------------------------------------- + +==== Making the moves ==== + +In the one test we have called `test_index`, we are simulating a request on the action called index and making sure the request was successful. + +The `get` method kicks off the web request and populates the results into the response. It accepts 4 arguments. + + * The action of the controller you are requesting. It can be in the form of a string or a symbol. Cool people use symbols. ;) + * An optional hash of request parameters to pass into the action (eg. query string parameters or post variables). + * An optional hash of session variables to pass along with the request. + * An optional hash of flash to stash your goulash. + +*Example:* Calling the `:show` action, passing an `id` of 12 as the params and setting `user_id` of 5 in the session. + +[source, ruby] +---------------------------------------------------- +get(:show, {'id' => "12"}, {'user_id' => 5}) +---------------------------------------------------- + +*Another example:* Calling the `:view` action, passing an `id` of 12 as the params, this time with no session, but with a flash message. + +[source, ruby] +---------------------------------------------------- +get(:view, {'id' => '12'}, nil, {'message' => 'booya!'}) +---------------------------------------------------- + +==== Available at your disposal ==== + +For those of you familiar with HTTP protocol, you'll know that get is a type of request. There are 5 request types supported in Rails: + + * get + * post + * put + * head + * delete + +All of request types are methods that you can use, however, you'll probably end up using the first two more ofter than the others. + +=== The 4 Hashes of the Apocolypse === + +After the request has been made by using one of the 5 methods (get, post, etc...), you will have 4 Hash objects ready for use. + +They are (starring in alphabetical order): + +`assigns`:: + Any objects that are stored as instance variables in actions for use in views. +`cookies`:: + Any objects cookies that are set. +`flash`:: + Any objects living in the flash. +`session`:: + Any object living in session variables. + +For example, let's say we have a `MoviesController` with an action called `movie`. The code for that action might look something like: + +[source, ruby] +---------------------------------------------------- +def movie + @movie = Movie.find(params[:id]) + if @movie.nil? + flash['message'] = "That movie has been burned." + redirect_to :controller => 'error', :action => 'missing' + end +end +---------------------------------------------------- + +Now, to test out if the proper movie is being set, we could have a series of tests that look like this: + +[source, ruby] +---------------------------------------------------- +# this test proves that fetching a movie works +def test_successfully_finding_a_movie + get :movie, "id" => "1" + assert_not_nil assigns["movie"] + assert_equal 1, assigns["movie"].id + assert flash.empty? +end + +# and when we can't find a movie... +def test_movie_not_found + get :movie, "id" => "666999" + assert_nil assigns["movie"] + assert flash.has_key?("message") + assert assigns.empty? +end +---------------------------------------------------- + +As is the case with normal Hash objects, you can access the values by referencing the keys by string. You can also reference them by symbol name... except assigns. Check it out: + +[source, ruby] +---------------------------------------------------- +flash["gordon"] flash[:gordon] +session["shmession"] session[:shmession] +cookies["are_good_for_u"] cookies[:are_good_for_u] + +# Because you can't use assigns[:something] for historical reasons: +assigns["something"] assigns(:something) +---------------------------------------------------- + +Keep an eye out for that. mmmm kay? + +=== Response-Related Assertions === + +There are 3 assertions that deal with the overall response to a request. They are: + +`assert_template( expected_template, [msg] )`:: +Ensures the expected template was responsible for rendering. For example: ++ +[source, ruby] +-------------------------------------- +assert_template "user/profile" +-------------------------------------- ++ +This code will fail unless the template located at app/views/user/profile.rhtml was rendered. + +`assert_response( type_or_code, [msg] )`:: +Ensures the response type/status code is as expected. For example: ++ +[source, ruby] +-------------------------------------- +assert_response :success # page rendered ok +assert_response :redirect # we've been redirected +assert_response :missing # not found +assert_response 505 # status code was 505 +-------------------------------------- ++ +The possible options are: ++ + * `:success` (status code is 200) + * `:redirect` (status code is within 300..399) + * `:missing` (status code is 404) + * `:error` (status code is within 500..599) + * any number (to specifically reference a particular status code) + +`assert_redirected_to ( options={}, [msg] )`:: +Ensures we've been redirected to a specific place within our application. ++ +[source, ruby] +-------------------------- +assert_redirected_to :controller => 'widget', :action => 'view', :id => 555 +-------------------------- + +=== Tag-Related Assertions === + +The assert_tag and assert_no_tag assertions are for analysing the html returned from a request. + +==== assert_tag( options ) ==== +Ensures that a tag or text exists. There are a whole whack o' options you can use to discover what you are looking for. Some of the conditions are like XPATH in concept, but this is sexier. In fact, let's call it SEXPATH. + +The following description is lifted verbatim from the rails assertion docs. + +Asserts that there is a tag/node/element in the body of the response that meets all of the given conditions. The conditions parameter must be a hash of any of the following keys (all are optional): + + * `:tag` : the node type must match the corresponding value + * `:attributes` : a hash. The node's attributes must match the corresponding values in the hash. + * `:parent` : a hash. The node's parent must match the corresponding hash. + * `:child` : a hash. At least one of the node's immediate children must meet the criteria described by the hash. + * `:ancestor` : a hash. At least one of the node's ancestors must meet the criteria described by the hash. + * `:descendant` : a hash. At least one of the node's descendants must meet the criteria described by the hash. + * `:children` : a hash, for counting children of a node. Accepts the keys: + - `:count` : either a number or a range which must equal (or include) the number of children that match. + - `:less_than` : the number of matching children must be less than this number. + - `:greater_than` : the number of matching children must be greater than this number. + - `:only` : another hash consisting of the keys to use to match on the children, and only matching children will be counted. + - `:content` : (text nodes only). The content of the node must match the given value. + +Conditions are matched using the following algorithm: + + * if the condition is a *string*, it must be a substring of the value. + * if the condition is a *regexp*, it must match the value. + * if the condition is a *number*, the value must match `number.to_s`. + * if the condition is *true*, the value must not be `nil`. + * if the condition is *false* or *nil*, the value must be `nil`. + +These examples are taken from the same docs too: + +[source, ruby] +------------------------------------------------------------- + # assert that there is a "span" tag + assert_tag :tag => "span" + + # assert that there is a "span" inside of a "div" + assert_tag :tag => "span", :parent => { :tag => "div" } + + # assert that there is a "span" somewhere inside a table + assert_tag :tag => "span", :ancestor => { :tag => "table" } + + # assert that there is a "span" with at least one "em" child + assert_tag :tag => "span", :child => { :tag => "em" } + + # assert that there is a "span" containing a (possibly nested) + # "strong" tag. + assert_tag :tag => "span", :descendant => { :tag => "strong" } + + # assert that there is a "span" containing between 2 and 4 "em" tags + # as immediate children + assert_tag :tag => "span", + :children => { :count => 2..4, :only => { :tag => "em" } } + + # get funky: assert that there is a "div", with an "ul" ancestor + # and an "li" parent (with "class" = "enum"), and containing a + # "span" descendant that contains text matching /hello world/ + assert_tag :tag => "div", + :ancestor => { :tag => "ul" }, + :parent => { :tag => "li", + :attributes => { :class => "enum" } }, + :descendant => { :tag => "span", + :child => /hello world/ } +------------------------------------------------------------- + +==== assert_no_tag( options ) ==== +This is the exact opposite of assert_tag. It ensures that the tag does not exist. + +=== Routing-Related Assertions === + +==== assert_generates( expected_path, options, defaults={}, extras = {}, [msg] ) ==== +Ensures that the options map to the expected_path. + +[source, ruby] +------------------------------------------------------------- +opts = {:controller => "movies", :action => "movie", :id => "69"} +assert_generates "movies/movie/69", opts +------------------------------------------------------------- + +==== assert_recognizes( expected_options, path, extras={}, [msg] ) ==== +Ensures that when the path is chopped up into pieces, it is equal to expected_options. Essentially, the opposite of assert_generates. + +[source, ruby] +------------------------------------------------------------- +opts = {:controller => "movies", :action => "movie", :id => "69"} +assert_recognizes opts, "/movies/movie/69 + +# also, let's say i had a line in my config/routes.rb +# that looked like: +# +# map.connect ( +# 'calendar/:year/:month', +# :controller => 'content', +# :action => 'calendar', +# :year => nil, +# :month => nil, +# :requirements => {:year => /\d{4}/, :month => /\d{1,2}/} +# } +# +# Then, this would work too: +opts = { + :controller => 'content', + :action => 'calendar', + :year => '2005', + :month => '5' +} +assert_recognizes opts, 'calendar/2005/5' +------------------------------------------------------------- + +==== assert_routing( path, options, defaults={}, extras={}, [msg] ) ==== +Ensures that the path resolves into options, and the options, resolves into path. It's a two-way check to make sure your routing maps work as expected. + +This assertion is simply a wrapper around `assert_generates` and `assert_recognizes`. + +If you're going to test your routes, this assertion might be your best bet for robustness (yes, the overused buzzword of the 90's). + +[source, ruby] +------------------------------------------------------------- +opts = {:controller => "movies", :action => "movie", :id => "69"} +assert_routing "movies/movie/69", opts +------------------------------------------------------------- + +=== Testing File Uploads === +So your web app supports file uploads eh? Here's what you can do to test your uploads. + +This tip is brought to you by Chris Brinker, the letter R and the number 12. + +Chris says, '``In order to test a file being uploaded you have to mirror what cgi.rb is doing with a multipart post. Unfortunately what it does is quite long and complex, this code takes a file on your system, and turns it into what normally comes out of cgi.rb.''' + +Here are some helper methods based on Chris' work that you'll need to squirrel away either in a new unit, or cut ‘n' pasted right into your test. Any errors with this are my fault. + +[source, ruby] +------------------------------------------------------------- +# get us an object that represents an uploaded file +def uploaded_file(path, content_type="application/octet-stream", filename=nil) + filename ||= File.basename(path) + t = Tempfile.new(filename) + FileUtils.copy_file(path, t.path) + (class << t; self; end;).class_eval do + alias local_path path + define_method(:original_filename) { filename } + define_method(:content_type) { content_type } + end + return t +end + +# a JPEG helper +def uploaded_jpeg(path, filename=nil) + uploaded_file(path, 'image/jpeg', filename) +end + +# a GIF helper +def uploaded_gif(path, filename=nil) + uploaded_file(path, 'image/gif', filename) +end +------------------------------------------------------------- + +And to use this code, you'd have a test that would looks something like this: + +[source, ruby] +------------------------------------------------------------- +def test_a_file_upload + assert_equal 0, GalleryImage.count + heman = uploaded_jpeg("#{File.expand_path(RAILS_ROOT)}/text/fixtures/heman.jpg") + post :imageupload, 'imagefile' => heman + assert_redirected_to :controller => 'gallery', :action => 'view' + assert_equal 1, GalleryImage.count +end +------------------------------------------------------------- + + +== Testing Your Mailers == + +=== Keeping the postman in check === + +Your ActionMailer -- like every other part of your Rails application -- should be tested to ensure that it is working as expected. + +The goal of testing your ActionMailer is to ensure that: + + * emails are being processed (created and sent) + * the email content is correct (subject, sender, body, etc) + * the right emails are being sent at the righ times + +==== From all sides ==== + +There are two aspects of testing your mailer, the unit tests and the functional tests. +Unit tests + +In the unit tests, we run the mailer in isolation with tightly controlled inputs and compare the output to a known-value -- a fixture -- yay! more fixtures! + +==== Functional tests ==== + +In the functional tests we don't so much test the minute details produced by the mailer, instead we test that our controllers and models are using the mailer in the right way. We test to prove that the right email was sent at the right time. + +=== Unit Testing === + +In order to test that your mailer is working as expected, we can use unit tests to compare the actual results of the mailer with pre-writen examples of what should be produced. + +==== Revenge of the fixtures ==== + +For the purposes of unit testing a mailer, fixtures are used to provide an example of how output ``should'' look. Because these are example emails, and not Active Record data like the other fixtures, they are kept in their own subdirectory from the other fixtures. Don't tease them about it though, they hate that. + +When you generated your mailer (you did that right?) the generator created stub fixtures for each of the mailers actions. If you didn't use the generator you'll have to make those files yourself. + +==== The basic test case ==== + +Here is an example of what you start with. + +[source, ruby] +------------------------------------------------- +require File.dirname(__FILE__) + '/. ./test_helper' + +class MyMailerTest < Test::Unit::TestCase + FIXTURES_PATH = File.dirname(__FILE__) + '/. ./fixtures' + + def setup + ActionMailer::Base.delivery_method = :test + ActionMailer::Base.perform_deliveries = true + ActionMailer::Base.deliveries = [] + + @expected = TMail::Mail.new + end + + def test_signup + @expected.subject = 'MyMailer#signup' + @expected.body = read_fixture('signup') + @expected.date = Time.now + + assert_equal @expected.encoded, MyMailer.create_signup(@expected.date).encoded + end + + private + def read_fixture(action) + IO.readlines("#{FIXTURES_PATH}/my_mailer/#{action}") + end +end +------------------------------------------------- + +The `setup` method is mostly concerned with setting up a blank slate for the next test. However it is worth describing what each statement does + +[source, ruby] +------------------------------------------------- +ActionMailer::Base.delivery_method = :test +------------------------------------------------- + +sets the delivery method to test mode so that email will not actually be delivered (useful to avoid spamming your users while testing) but instead it will be appended to an array (ActionMailer::Base.deliveries). + +[source, ruby] +------------------------------------------------- +ActionMailer::Base.perform_deliveries = true +------------------------------------------------- + +Ensures the mail will be sent using the method specified by ActionMailer::Base.delivery_method, and finally + +[source, ruby] +------------------------------------------------- +ActionMailer::Base.deliveries = [] +------------------------------------------------- + +sets the array of sent messages to an empty array so we can be sure that anything we find there was sent as part of our current test. + +However often in unit tests, mails will not actually be sent, simply constructed, as in the example above, where the precise content of the email is checked against what it should be. Dave Thomas suggests an alternative approach, which is just to check the part of the email that is likely to break, i.e. the dynamic content. The following example assumes we have some kind of user table, and we might want to mail those users new passwords: + +[source, ruby] +------------------------------------------------- +require File.dirname(__FILE__) + '/../test_helper' +require 'my_mailer' + +class MyMailerTest < Test::Unit::TestCase + fixtures :users + FIXTURES_PATH = File.dirname(__FILE__) + '/../fixtures' + CHARSET = "utf-8" + + include ActionMailer::Quoting + + def setup + ActionMailer::Base.delivery_method = :test + ActionMailer::Base.perform_deliveries = true + ActionMailer::Base.deliveries = [] + + @expected = TMail::Mail.new + @expected.set_content_type "text", "plain", { "charset" => CHARSET } + end + + def test_reset_password + user = User.find(:first) + newpass = 'newpass' + response = MyMailer.create_reset_password(user,newpass) + assert_equal 'Your New Password', response.subject + assert_match /Dear #{user.full_name},/, response.body + assert_match /New Password: #{newpass}/, response.body + assert_equal user.email, response.to[0] + end + + private + def read_fixture(action) + IO.readlines("#{FIXTURES_PATH}/community_mailer/#{action}") + end + + def encode(subject) + quoted_printable(subject, CHARSET) + end +end +------------------------------------------------- + +and here we check the dynamic parts of the mail, specifically that we use the users' correct full name and that we give them the correct password. + +=== Functional Testing === + +Functional testing involves more than just checking that the email body, recipients and so forth are correct. In functional mail tests we call the mail deliver methods and check that the appropriate emails have been appended to the delivery list. It is fairly safe to assume that the deliver methods themselves do their job -- what we are probably more interested in is whether our own business logic is sending emails when we expect them to. For example the password reset operation we used an example in the previous section will probably be called in response to a user requesting a password reset through some sort of controller. + +[source, ruby] +---------------------------------------------------------------- +require File.dirname(__FILE__) + '/../test_helper' +require 'my_controller' + +# Raise errors beyond the default web-based presentation +class MyController; def rescue_action(e) raise e end; end + +class MyControllerTest < Test::Unit::TestCase + + def setup + @controller = MyController.new + @request, @response = ActionController::TestRequest.new, ActionController::TestResponse.new + end + + def test_reset_password + num_deliveries = ActionMailer::Base.deliveries.size + post :reset_password, :email => 'bob@test.com' + + assert_equal num_deliveries+1, ActionMailer::Base.deliveries.size + end + +end +---------------------------------------------------------------- + +=== Filtering emails in development === + +Sometimes you want to be somewhere inbetween the `:test` and `:smtp` settings. Say you're working on your development site, and you have a few testers working with you. The site isn't in production yet, but you'd like the testers to be able to receive emails from the site, but no one else. Here's a handy way to handle that situation, add this to your 'environment.rb' or 'development.rb' file + +[source, ruby] +---------------------------------------------------------------- +class ActionMailer::Base + + def perform_delivery_fixed_email(mail) + destinations = mail.destinations + if destinations.nil? + destinations = ["mymail@me.com"] + mail.subject = '[TEST-FAILURE]:'+mail.subject + else + mail.subject = '[TEST]:'+mail.subject + end + approved = ["testerone@me.com","testertwo@me.com"] + destinations = destinations.collect{|x| approved.collect{|y| (x==y ? x : nil)}}.flatten.compact + mail.to = destinations + if destinations.size > 0 + mail.ready_to_send + Net::SMTP.start(server_settings[:address], server_settings[:port], server_settings[:domain], + server_settings[:user_name], server_settings[:password], server_settings[:authentication]) do |smtp| + smtp.sendmail(mail.encoded, mail.from, destinations) + end + end + + end + +end +---------------------------------------------------------------- + |