I’m developing an application using Devise.
Since I need a UI to manage users I also generated a controller and associated views to perform all CRUD operations on the User model.
Then I create a “role” field that I use with CanCan and as a mass-assignment role.
Now I’m trying to make all specs properly, I have this test
describe "POST create" do
describe "with valid params" do
it "creates a new User" do
expect {
post :create, {:user => valid_attributes}
}.to change(User, :count).by(1)
end
# ...
end
end
That when executed raises:
UsersController POST create with valid params creates a new User
Failure/Error: post :create, {:user => valid_attributes}
ActiveModel::MassAssignmentSecurity::Error:
Can't mass-assign protected attributes: name, surname, role
# ./spec/controllers/users_controller_spec.rb:62:in `block (5 levels) in <top (required)>'
# ./spec/controllers/users_controller_spec.rb:61:in `block (4 levels) in <top (required)>'
And where my controller’s #create method is defined as
class UsersController < ApplicationController
load_and_authorize_resource
# GET /users
# GET /users.json
def index
respond_to do |format|
format.html # index.html.erb
format.json { render json: @users }
end
end
# GET /users/1
# GET /users/1.json
def show
respond_to do |format|
format.html # show.html.erb
format.json { render json: @user }
end
end
# GET /users/new
# GET /users/new.json
def new
respond_to do |format|
format.html # new.html.erb
format.json { render json: @user }
end
end
# GET /users/1/edit
def edit
end
# POST /users
# POST /users.json
def create
@user = User.new params[:user], :as => current_user.role.to_sym
respond_to do |format|
if @user.save
format.html { redirect_to @user, notice: 'Utente creato con successo.' }
format.json { render json: @user, status: :created, location: @user }
else
format.html { render action: "new" }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
# PUT /users/1
# PUT /users/1.json
def update
respond_to do |format|
if @user.update_attributes(params[:user], :as => current_user.role.to_sym)
format.html { redirect_to @user, notice: 'Profilo aggiornato con successo.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
@user.destroy
respond_to do |format|
format.html { redirect_to users_url }
format.json { head :no_content }
end
end
end
To make rspec run properly with Devise I followed the official doc and I also created macros (the same as described there), except I don’t have two different FactoryGirl but one where I define on creation the role, for example:
FactoryGirl.create(:user, role: :admin) # or role: :user
And this is the User model
class User < ActiveRecord::Base
attr_accessible :email, :password, :password_confirmation, :remember_me
attr_accessible :email, :password, :password_confirmation, :remember_me, :name, :surname, :role, :as => :admin
devise :database_authenticatable, :recoverable, :rememberable, :trackable,
:validatable
VALID_ROLES = [:admin, :student]
validates_inclusion_of :role, in: VALID_ROLES
def is_admin?
role == "admin"
end
def is_student?
role == "student"
end
end
How can I fix that? It took all my day and I couldn’t get this working 🙁
The issue was caused by cancan’s
load_and_authorize_resourcethat is callingUser.createwithout allowing me to declare the “:as” clause containing the role.The fix was actually to remove the call to
load_and_authorize_resourceand create the resource in a typical way (as you would do without cancan). Then call in each method the authorization check, that isauthorize! :create, Userfor #create.Probably it would also work by using something like
load_and_authorize_resource :except => [:create]and then do it manually only there, but I’m not sure and I didn’t test it.By the way I’ve lost a working day on this bug and I really hope this can help someone else having the same issue.