Address review: cover DiskController#update in tests

Add integration coverage for the disk service PUT now that the initializer
relies on it being both session-gated and CSRF-exempt:

- unauthenticated PUT -> redirected to login (write blocked)
- authenticated PUT with forgery protection enabled and no authenticity
  token -> 204 (proves the signed-token service PUT stays CSRF-exempt and
  guards against the concern's protect_from_forgery re-arming it)
This commit is contained in:
Jeremy Daer
2026-06-15 13:18:40 -07:00
parent 49f06d0b22
commit c49c41a0d7
@@ -34,10 +34,46 @@ class ActiveStorage::DirectUploadsControllerTest < ActionDispatch::IntegrationTe
assert_response :success
end
test "disk update requires authentication" do
put direct_upload_url_for("hello"), params: "hello", headers: { "Content-Type" => "text/plain" }
assert_redirected_to new_session_url
end
test "disk update stores bytes for an authenticated session without a CSRF token" do
sign_in :david
url = direct_upload_url_for("hello")
# Forgery protection is off in test by default; turn it on so this proves the
# signed-token service PUT stays CSRF-exempt even when the concern re-arms it.
with_forgery_protection do
put url, params: "hello", headers: { "Content-Type" => "text/plain" }
end
assert_response :no_content
end
private
def blob_params
content = "hello"
{ filename: "hello.txt", byte_size: content.bytesize, content_type: "text/plain", \
checksum: Digest::MD5.base64digest(content) }
end
def direct_upload_url_for(content)
blob = ActiveStorage::Blob.create_before_direct_upload! \
filename: "hello.txt", byte_size: content.bytesize, \
checksum: Digest::MD5.base64digest(content), content_type: "text/plain"
ActiveStorage::Current.set(url_options: { host: "once.campfire.test", protocol: "http" }) do
blob.service_url_for_direct_upload
end
end
def with_forgery_protection
original = ActionController::Base.allow_forgery_protection
ActionController::Base.allow_forgery_protection = true
yield
ensure
ActionController::Base.allow_forgery_protection = original
end
end