Commit 7f9e3d6
app/controllers/application_controller.rb
@@ -2,8 +2,19 @@ class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
+ before_filter :ensure_valid_session
def resolve(key)
Spank::IOC.resolve(key)
end
+
+ private
+
+ def ensure_valid_session
+ unless session[:session_id] && Session.find(session[:session_id])
+ render nothing: true, status: :unauthorized
+ end
+ rescue ActiveRecord::RecordNotFound
+ render nothing: true, status: :unauthorized
+ end
end
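Review bot: `Session.find` in the new `ensure_valid_session` filter is only satisfied in the spec, where it is stubbed; the `Session` added in app/models/session.rb is an empty class that neither inherits from `ActiveRecord::Base` nor defines `find`, so a real request raises `NoMethodError` (a 500) instead of reaching the `rescue ActiveRecord::RecordNotFound` that produces the 401. Make `Session` an ActiveRecord model (or give it a `find` that raises that error) before this filter ships, and because every controller inherits it, any action that creates a session will need `skip_before_filter :ensure_valid_session`, which this commit does not add. The two identical `render nothing: true, status: :unauthorized` calls could collapse into one private helper such as `def render_unauthorized; render nothing: true, status: :unauthorized; end`. A comment above the filter would also help, e.g. `# Rejects with 401 unless the cookie session names an existing Session row; this checks existence only, not expiry or revocation.`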
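--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -0,0 +1,2 @@
+class Session
+end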
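--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -0,0 +1,33 @@
+require "spec_helper"
+
+describe ApplicationController do
+ controller do
+ def index
+ render text: 'hello'
+ end
+ end
+
+ context "when signed in" do
+ let(:user_session) { Object.new }
+
+ it "lets you continue to do whatever the heck you were trying to do" do
+ Session.stub(:find).with(1).and_return(user_session)
+ get :index, {}, session_id: 1
+ response.status.should == 200
+ end
+ end
+
+ context "when not signed in" do
+ it "boots you out when their is no session_id" do
+ get :index
+ response.status.should == 401
+ end
+
+ it "boots you out when the session id is not known" do
+ Session.stub(:find).with(100).and_raise(ActiveRecord::RecordNotFound)
+
+ get :index, {}, session_id: 100
+ response.status.should == 401
+ end
+ end
+end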
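Review bot: The `unless session[:session_id] && Session.find(...)` guard in the controller also rejects when `find` returns a falsy value, but neither context here covers that path — only the missing id and the `RecordNotFound` raise are exercised. An example where the stub returns `nil` would pin that branch, as below. The description `"boots you out when their is no session_id"` should read `"there is"`. The `Session.stub(...)` and `should ==` forms are the older RSpec syntax; fine if the rest of the suite uses them, but worth aligning with whatever spec_helper configures.
```ruby
  context "when not signed in" do
    # … unchanged: existing two examples …
    it "boots you out when the session lookup returns nothing" do
      Session.stub(:find).with(100).and_return(nil)
      get :index, {}, session_id: 100
      response.status.should == 401
    end
  end
```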