- Add tests to controllers to verify controller logic
- Practice using OAuth in a web application
- Practice using Session variables to track a user across multiple HTTP requests
We are providing you with an implementation of MediaRanker. Use this MediaRanker to begin this project.
Our MediaRanker web app was a wonderful website with two major flaws:
- our controllers are untested
- the way we implemented user login is extremely insecure
In this assignment you will modify Media Ranker in two ways:
- our controllers will finally have tests that test controller logic
- our web app can securely authenticate multiple users via OAuth and authorize them to view, manage and vote on works
Build your project using branches, with at least one branch per wave. As you finish a wave merge the changes into the main branch. Submit one pull request at the end once you are complete.
Take some time to understand what each controller is doing. Add tests to the existing controllers in this project. Be sure to consider both nominal and edge cases for every user flow possible.
- Tests on CRUD operations that your controller can execute
- Create
- What should happen if the controller executes creation of something with valid data?
- ... with invalid data?
- Read (Show)
- What should happen if the controller tries to read/show an ID of a model that exists in the DB?
- ... that doesn't exist in the DB?
- Update
- What should happen if the controller executes an update of something with valid data?
- ... with invalid data?
- Delete
- What should happen if the controller tries to delete an ID of a model that exists in the DB?
- ... that doesn't exist in the DB?
- Create
- Tests rendering, routing, and HTTP status when appropriate
- Tests updates to the model when appropriate
- Tests custom controller logic and custom routes when appropriate
- Tests positive, negative, nominal and edge cases
Following the steps in the Textbook curriculum, add OAuth to your Media Ranker Application and enable a user to log in.
- Add all necessary gems and configuration
- Repurpose the existing login functionality to now be a single log in button (on home page or nav bar)
- The log in button shall turn in to a log out button when the user is logged in
- All other requirements from in-class notes apply:
- Managed via
session
SessionsController
User
model
- Managed via
In this wave we will create authorization logic to enforce rules that govern what pages on the site users and guests (unauthenticated browsers) can view. The rule we'll use is that guests can only access the main page, and all logged-in users can access the show and index pages for all categories of work.
- Ensure that users who are not logged in can see only the main page with the spotlight and top 10 items. No other pages should be viewable by the guest user.
- Ensure that users who are logged in can see the rest of the pages.
- Full unit testing around authentication using mocks
Create advanced authorization logic to enforce rules that govern what changes users can make to the site's data. The rules here are more complex than for accessing pages:
- Guests cannot change any data on the site
- All logged-in users can add new works to the site
- Those works are owned by the user that created them
- The user who owns a given work can:
- Edit that work
- Delete that work
- Modify the edit and delete functionality to ensure that users can only change works they are associated with.
- Consider how this could be implemented at the model layer.
- Do some research into how to use Google or another OAuth provider for authentication and use that provider.
This project is due before class Tuesday October 30 via PR against Ada-C10/MediaRanker-Revisited.