I've been going back over some legacy code, backfilling tests, and I'm encountering something that is causing no small amount of pain. This is in a mature Rails app, that's lived and migrated from 1.1 through to 2.1, so there's a lot of ancient cruft built up in the corners that I've been trying to clean up.
My question/pain point revolves around authorization. In at least two different models in the system -- areas that are core to the functionality -- there are models that run through a state transition. Only certain users are allowed to make those transitions, however. You're basic "only an admin can publish an article" kind of restrictions. These models show up across most of the app -- several different controllers. As such, long, long ago, someone patched updated the site authentication code to assign a User.current singleton inside the login_required filter. This is then used by *several* models, sometimes to populate an updated_by stamp, sometimes it's actually used within a models validations(!), and it's definately used within some of the state-transition guards. Now, this is really just a global variable by another name, and it's pretty well embedded after two years. I've come upon a whole bunch of different pain points in trying to setup data (real data) within the cucumber steps I've been backfilling. Lacking any support of injection, I end up doing a lot of juggling of the User.current value, just to get some test data built and in the right set of states ... and while I can bury the temporary reassignments necessary inside a block, it still feels like it's an intractable mess. I know *why* this was originally done -- to avoid having to pass User objects around all the time, and it does _appear_ to keep the API clean -- but the hidden dependancy isn't really clean. So, does anyone have any suggestions of how to easily manage model level user authorization? -- // anything worth taking seriously is worth making fun of // http://blog.devcaffeine.com/
_______________________________________________ rspec-users mailing list rspec-users@rubyforge.org http://rubyforge.org/mailman/listinfo/rspec-users
