I’ve been working through Michael Hartl’s Rails tutorial (which is unbelievably awesome by the way).

Anyway, everything has been going pretty well and I’ve nearly reached the end of chapter 10. The problem is that my rspec tests have started to generate some failures and I can’t figure out what’s wrong.

The first failure occurred when I was working through the section on destroying users. The test

before :each do
  @user = Factory :user
end

describe "as a non-signed-in user" do
  it "should deny access" do
    delete :destroy, :id => @user
    response.should redirect_to(signin_path)
  end
end

gives the error:

UsersController DELETE 'destroy' as a non-signed-in user should deny access
 Failure/Error: delete :destroy, :id => @user
 NoMethodError:
   undefined method `admin?' for nil:NilClass
 # ./app/controllers/users_controller.rb:76:in `admin_user'
 # ./spec/controllers/users_controller_spec.rb:308:in `block (4 levels) in <top (required)>'

Here’s the code the message references in users_controller:

def admin_user
  # the error tels me that current_user = NilClass
  redirect_to(root_path) unless current_user.admin?
end

So I guess this would suggest that current_user isn’t working correctly and is being set to nil. Now current_user involves a lot of methods of the SessionsHelper which (afaik) deal with setting the users ID in secure cookies and referencing the cookie as they move around the site. So this suggests that there is something wrong with the cookies.

I’ve checked the browser and the cookie is being set, I’ve also gone over every part of the code and it all replicates the tutorial exactly as far as I can tell.

Is there something else I should be looking at?

Appendix

Here is the contents of the SessionsHelper module:

module SessionsHelper

    def sign_in user
        # rails represents cookies as a hash and deals with the conversion for us
        # making the cookie "signed" makes it impervious to attack
        cookies.permanent.signed[:remember_token] = [user.id, user.salt]
        # this line calls the assignment operator below
        self.current_user = user
      end

      def current_user=(user)
        @current_user = user
      end

      # this is a getter method
      def current_user
        # this sets @current_user = to the user corresponding to the remember token
        # but only if @current user is undefined. ie it only works once
        @current_user ||= user_from_remember_token
      end

    def signed_in?
        # return true if current_user is not nil
        !current_user.nil?
      end

      def sign_out
        cookies.delete(:remember_token)
        self.current_user = nil
      end

      def current_user? user
        # returns true if the user object == the current_user object
        user == current_user
      end

      def authenticate
        deny_access unless signed_in?
      end

    def deny_access
        store_location
        # this is a shortcut for flash notices: flash[:notice] = "Please sign in to access this page."
        redirect_to signin_path, :notice => "Please sign in to access this page."
      end

      def redirect_back_or(default)
        redirect_to(session[:return_to] || default)
        clear_return_to
      end

  private

    def user_from_remember_token
      # the * allows us to give a 2 element array to a method expecting 2 seperate arguments
      User.authenticate_with_salt(*remember_token)
    end

    def remember_token
      # return [nil, nil] if the :remember_token cookie is nil
      cookies.signed[:remember_token] || [nil, nil]
    end

    def store_location
      # stores the url the browser was requesting
      session[:return_to] = request.fullpath
    end

    def clear_return_to
      session[:return_to] = nil
    end
  end