updating-showing-and-deleting-users.html

<!DOCTYPE html>
<html>
  <head>
    <title>updating-showing-and-deleting-users</title>
    <link rel="stylesheet" href="pygments.css" type="text/css" />
    <link rel="stylesheet" href="polytexnic.css" type="text/css" />
  </head>
  <body>
    <div id="book">

<h1 class="title">Ruby on Rails Tutorial </h1>


<h1 class="subtitle">  Learn Web Development with Rails</h1>


<h2 class="author">Michael Hartl</h2>




<h2 class="contents">Contents</h2>


<div id="table_of_contents"><ol><li class="chapter"><a href="beginning.html#top"><span class="number">Chapter 1</span> From zero to deploy</a></li><li><ol><li class="section"><a href="beginning.html#sec-introduction"><span class="number">1.1</span> Introduction</a></li><li><ol><li class="subsection"><a href="beginning.html#sec-comments_for_various_readers"><span class="number">1.1.1</span> Comments for various readers</a></li><li class="subsection"><a href="beginning.html#sec-1_1_2"><span class="number">1.1.2</span> &ldquo;Scaling&rdquo; Rails</a></li><li class="subsection"><a href="beginning.html#sec-conventions"><span class="number">1.1.3</span> Conventions in this book</a></li></ol></li><li class="section"><a href="beginning.html#sec-up_and_running"><span class="number">1.2</span> Up and running</a></li><li><ol><li class="subsection"><a href="beginning.html#sec-development_tools"><span class="number">1.2.1</span> Development environments</a></li><li><ol><li class="subsubsection"><a href="beginning.html#sec-1_2_1_1">IDEs</a></li><li class="subsubsection"><a href="beginning.html#sec-1_2_1_2">Text editors and command lines</a></li><li class="subsubsection"><a href="beginning.html#sec-1_2_1_3">Browsers</a></li><li class="subsubsection"><a href="beginning.html#sec-1_2_1_4">A note about tools</a></li></ol></li><li class="subsection"><a href="beginning.html#sec-rubygems"><span class="number">1.2.2</span> Ruby, RubyGems, Rails, and Git</a></li><li><ol><li class="subsubsection"><a href="beginning.html#sec-rails_installer_windows">Rails Installer (Windows)</a></li><li class="subsubsection"><a href="beginning.html#sec-install_git">Install Git</a></li><li class="subsubsection"><a href="beginning.html#sec-install_ruby">Install Ruby</a></li><li class="subsubsection"><a href="beginning.html#sec-install_rubygems">Install RubyGems</a></li><li class="subsubsection"><a href="beginning.html#sec-install_rails">Install Rails</a></li></ol></li><li class="subsection"><a href="beginning.html#sec-the_first_application"><span class="number">1.2.3</span> The first application</a></li><li class="subsection"><a href="beginning.html#sec-bundler"><span class="number">1.2.4</span> Bundler</a></li><li class="subsection"><a href="beginning.html#sec-rails_server"><span class="number">1.2.5</span> <tt>rails server</tt></a></li><li class="subsection"><a href="beginning.html#sec-mvc"><span class="number">1.2.6</span> Model-view-controller (MVC)</a></li></ol></li><li class="section"><a href="beginning.html#sec-version_control"><span class="number">1.3</span> Version control with Git</a></li><li><ol><li class="subsection"><a href="beginning.html#sec-git_setup"><span class="number">1.3.1</span> Installation and setup</a></li><li><ol><li class="subsubsection"><a href="beginning.html#sec-1_3_1_1">First-time system setup</a></li><li class="subsubsection"><a href="beginning.html#sec-1_3_1_2">First-time repository setup</a></li></ol></li><li class="subsection"><a href="beginning.html#sec-adding_and_committing"><span class="number">1.3.2</span> Adding and committing</a></li><li class="subsection"><a href="beginning.html#sec-1_3_3"><span class="number">1.3.3</span> What good does Git do you?</a></li><li class="subsection"><a href="beginning.html#sec-github"><span class="number">1.3.4</span> GitHub</a></li><li class="subsection"><a href="beginning.html#sec-git_commands"><span class="number">1.3.5</span> Branch, edit, commit, merge</a></li><li><ol><li class="subsubsection"><a href="beginning.html#sec-git_branch">Branch</a></li><li class="subsubsection"><a href="beginning.html#sec-git_edit">Edit</a></li><li class="subsubsection"><a href="beginning.html#sec-git_commit">Commit</a></li><li class="subsubsection"><a href="beginning.html#sec-git_merge">Merge</a></li><li class="subsubsection"><a href="beginning.html#sec-git_push">Push</a></li></ol></li></ol></li><li class="section"><a href="beginning.html#sec-deploying"><span class="number">1.4</span> Deploying</a></li><li><ol><li class="subsection"><a href="beginning.html#sec-heroku_setup"><span class="number">1.4.1</span> Heroku setup</a></li><li class="subsection"><a href="beginning.html#sec-heroku_step_one"><span class="number">1.4.2</span> Heroku deployment, step one</a></li><li class="subsection"><a href="beginning.html#sec-1_4_3"><span class="number">1.4.3</span> Heroku deployment, step two</a></li><li class="subsection"><a href="beginning.html#sec-heroku_commands"><span class="number">1.4.4</span> Heroku commands</a></li></ol></li><li class="section"><a href="beginning.html#sec-beginning_conclusion"><span class="number">1.5</span> Conclusion</a></li></ol></li><li class="chapter"><a href="a-demo-app.html#top"><span class="number">Chapter 2</span> A demo app</a></li><li><ol><li class="section"><a href="a-demo-app.html#sec-planning_the_application"><span class="number">2.1</span> Planning the application</a></li><li><ol><li class="subsection"><a href="a-demo-app.html#sec-modeling_demo_users"><span class="number">2.1.1</span> Modeling demo users</a></li><li class="subsection"><a href="a-demo-app.html#sec-modeling_demo_microposts"><span class="number">2.1.2</span> Modeling demo microposts</a></li></ol></li><li class="section"><a href="a-demo-app.html#sec-demo_users_resource"><span class="number">2.2</span> The Users resource</a></li><li><ol><li class="subsection"><a href="a-demo-app.html#sec-a_user_tour"><span class="number">2.2.1</span> A user tour</a></li><li class="subsection"><a href="a-demo-app.html#sec-mvc_in_action"><span class="number">2.2.2</span> MVC in action</a></li><li class="subsection"><a href="a-demo-app.html#sec-weaknesses_of_this_users_resource"><span class="number">2.2.3</span> Weaknesses of this Users resource</a></li></ol></li><li class="section"><a href="a-demo-app.html#sec-microposts_resource"><span class="number">2.3</span> The Microposts resource</a></li><li><ol><li class="subsection"><a href="a-demo-app.html#sec-a_micropost_microtour"><span class="number">2.3.1</span> A micropost microtour</a></li><li class="subsection"><a href="a-demo-app.html#sec-putting_the_micro_in_microposts"><span class="number">2.3.2</span> Putting the <em>micro</em> in microposts</a></li><li class="subsection"><a href="a-demo-app.html#sec-demo_user_has_many_microposts"><span class="number">2.3.3</span> A user <tt>has_many</tt> microposts</a></li><li class="subsection"><a href="a-demo-app.html#sec-inheritance_hierarchies"><span class="number">2.3.4</span> Inheritance hierarchies</a></li><li class="subsection"><a href="a-demo-app.html#sec-deploying_the_demo_app"><span class="number">2.3.5</span> Deploying the demo app</a></li></ol></li><li class="section"><a href="a-demo-app.html#sec-2_4"><span class="number">2.4</span> Conclusion</a></li></ol></li><li class="chapter"><a href="static-pages.html#top"><span class="number">Chapter 3</span> Mostly static pages</a></li><li><ol><li class="section"><a href="static-pages.html#sec-static_pages"><span class="number">3.1</span> Static pages</a></li><li class="section"><a href="static-pages.html#sec-first_tests"><span class="number">3.2</span> Our first tests</a></li><li><ol><li class="subsection"><a href="static-pages.html#sec-TDD"><span class="number">3.2.1</span> Test-driven development</a></li><li class="subsection"><a href="static-pages.html#sec-adding_a_page"><span class="number">3.2.2</span> Adding a page</a></li><li><ol><li class="subsubsection"><a href="static-pages.html#sec-red">Red</a></li><li class="subsubsection"><a href="static-pages.html#sec-green">Green</a></li><li class="subsubsection"><a href="static-pages.html#sec-refactor">Refactor</a></li></ol></li></ol></li><li class="section"><a href="static-pages.html#sec-slightly_dynamic_pages"><span class="number">3.3</span> Slightly dynamic pages</a></li><li><ol><li class="subsection"><a href="static-pages.html#sec-testing_a_title_change"><span class="number">3.3.1</span> Testing a title change</a></li><li class="subsection"><a href="static-pages.html#sec-passing_title_tests"><span class="number">3.3.2</span> Passing title tests</a></li><li class="subsection"><a href="static-pages.html#sec-embedded_ruby"><span class="number">3.3.3</span> Embedded Ruby</a></li><li class="subsection"><a href="static-pages.html#sec-layouts"><span class="number">3.3.4</span> Eliminating duplication with layouts</a></li></ol></li><li class="section"><a href="static-pages.html#sec-static_pages_conclusion"><span class="number">3.4</span> Conclusion</a></li><li class="section"><a href="static-pages.html#sec-static_pages_exercises"><span class="number">3.5</span> Exercises</a></li><li class="section"><a href="static-pages.html#sec-advanced_setup"><span class="number">3.6</span> Advanced setup</a></li><li><ol><li class="subsection"><a href="static-pages.html#sec-eliminating_bundle_exec"><span class="number">3.6.1</span> Eliminating <tt>bundle exec</tt></a></li><li><ol><li class="subsubsection"><a href="static-pages.html#sec-rvm_bundler_integration">RVM Bundler integration</a></li><li class="subsubsection"><a href="static-pages.html#sec-binstubs">binstubs</a></li></ol></li><li class="subsection"><a href="static-pages.html#sec-guard"><span class="number">3.6.2</span> Automated tests with Guard</a></li><li class="subsection"><a href="static-pages.html#sec-spork"><span class="number">3.6.3</span> Speeding up tests with Spork</a></li><li><ol><li class="subsubsection"><a href="static-pages.html#sec-spork_and_guard">Guard with Spork</a></li></ol></li><li class="subsection"><a href="static-pages.html#sec-tests_inside_sublime_text"><span class="number">3.6.4</span> Tests inside Sublime Text</a></li></ol></li></ol></li><li class="chapter"><a href="rails-flavored-ruby.html#top"><span class="number">Chapter 4</span> Rails-flavored Ruby</a></li><li><ol><li class="section"><a href="rails-flavored-ruby.html#sec-motivation"><span class="number">4.1</span> Motivation</a></li><li class="section"><a href="rails-flavored-ruby.html#sec-strings_and_methods"><span class="number">4.2</span> Strings and methods</a></li><li><ol><li class="subsection"><a href="rails-flavored-ruby.html#sec-comments"><span class="number">4.2.1</span> Comments</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-strings"><span class="number">4.2.2</span> Strings</a></li><li><ol><li class="subsubsection"><a href="rails-flavored-ruby.html#sec-printing">Printing</a></li><li class="subsubsection"><a href="rails-flavored-ruby.html#sec-single_quoted_strings">Single-quoted strings</a></li></ol></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-objects_and_message_passing"><span class="number">4.2.3</span> Objects and message passing</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-method_definitions"><span class="number">4.2.4</span> Method definitions</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-back_to_the_title_helper"><span class="number">4.2.5</span> Back to the title helper</a></li></ol></li><li class="section"><a href="rails-flavored-ruby.html#sec-other_data_structures"><span class="number">4.3</span> Other data structures</a></li><li><ol><li class="subsection"><a href="rails-flavored-ruby.html#sec-arrays_and_ranges"><span class="number">4.3.1</span> Arrays and ranges</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-blocks"><span class="number">4.3.2</span> Blocks</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-hashes_and_symbols"><span class="number">4.3.3</span> Hashes and symbols</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-css_revisited"><span class="number">4.3.4</span> CSS revisited</a></li></ol></li><li class="section"><a href="rails-flavored-ruby.html#sec-ruby_classes"><span class="number">4.4</span> Ruby classes</a></li><li><ol><li class="subsection"><a href="rails-flavored-ruby.html#sec-constructors"><span class="number">4.4.1</span> Constructors</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-a_class_of_our_own"><span class="number">4.4.2</span> Class inheritance</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-modifying_built_in_classes"><span class="number">4.4.3</span> Modifying built-in classes</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-a_controller_class"><span class="number">4.4.4</span> A controller class</a></li><li class="subsection"><a href="rails-flavored-ruby.html#sec-a_user_class"><span class="number">4.4.5</span> A user class</a></li></ol></li><li class="section"><a href="rails-flavored-ruby.html#sec-conclusion"><span class="number">4.5</span> Conclusion</a></li><li class="section"><a href="rails-flavored-ruby.html#sec-exercises"><span class="number">4.6</span> Exercises</a></li></ol></li><li class="chapter"><a href="filling-in-the-layout.html#top"><span class="number">Chapter 5</span> Filling in the layout</a></li><li><ol><li class="section"><a href="filling-in-the-layout.html#sec-structure"><span class="number">5.1</span> Adding some structure</a></li><li><ol><li class="subsection"><a href="filling-in-the-layout.html#sec-adding_to_the_layout"><span class="number">5.1.1</span> Site navigation</a></li><li class="subsection"><a href="filling-in-the-layout.html#sec-custom_css"><span class="number">5.1.2</span> Bootstrap and custom CSS</a></li><li class="subsection"><a href="filling-in-the-layout.html#sec-partials"><span class="number">5.1.3</span> Partials</a></li></ol></li><li class="section"><a href="filling-in-the-layout.html#sec-sass_and_the_asset_pipeline"><span class="number">5.2</span> Sass and the asset pipeline</a></li><li><ol><li class="subsection"><a href="filling-in-the-layout.html#sec-the_asset_pipeline"><span class="number">5.2.1</span> The asset pipeline</a></li><li><ol><li class="subsubsection"><a href="filling-in-the-layout.html#sec-5_2_1_1">Asset directories</a></li><li class="subsubsection"><a href="filling-in-the-layout.html#sec-5_2_1_2">Manifest files</a></li><li class="subsubsection"><a href="filling-in-the-layout.html#sec-5_2_1_3">Preprocessor engines</a></li><li class="subsubsection"><a href="filling-in-the-layout.html#sec-5_2_1_4">Efficiency in production</a></li></ol></li><li class="subsection"><a href="filling-in-the-layout.html#sec-sass"><span class="number">5.2.2</span> Syntactically awesome stylesheets</a></li><li><ol><li class="subsubsection"><a href="filling-in-the-layout.html#sec-5_2_2_1">Nesting</a></li><li class="subsubsection"><a href="filling-in-the-layout.html#sec-5_2_2_2">Variables</a></li></ol></li></ol></li><li class="section"><a href="filling-in-the-layout.html#sec-layout_links"><span class="number">5.3</span> Layout links</a></li><li><ol><li class="subsection"><a href="filling-in-the-layout.html#sec-route_tests"><span class="number">5.3.1</span> Route tests</a></li><li class="subsection"><a href="filling-in-the-layout.html#sec-rails_routes"><span class="number">5.3.2</span> Rails routes</a></li><li class="subsection"><a href="filling-in-the-layout.html#sec-named_routes"><span class="number">5.3.3</span> Named routes</a></li><li class="subsection"><a href="filling-in-the-layout.html#sec-pretty_rspec"><span class="number">5.3.4</span> Pretty RSpec</a></li></ol></li><li class="section"><a href="filling-in-the-layout.html#sec-user_signup"><span class="number">5.4</span> User signup: A first step</a></li><li><ol><li class="subsection"><a href="filling-in-the-layout.html#sec-users_controller"><span class="number">5.4.1</span> Users controller</a></li><li class="subsection"><a href="filling-in-the-layout.html#sec-signup_url"><span class="number">5.4.2</span> Signup URL</a></li></ol></li><li class="section"><a href="filling-in-the-layout.html#sec-layout_conclusion"><span class="number">5.5</span> Conclusion</a></li><li class="section"><a href="filling-in-the-layout.html#sec-layout_exercises"><span class="number">5.6</span> Exercises</a></li></ol></li><li class="chapter"><a href="modeling-users.html#top"><span class="number">Chapter 6</span> Modeling users</a></li><li><ol><li class="section"><a href="modeling-users.html#sec-user_model"><span class="number">6.1</span> User model</a></li><li><ol><li class="subsection"><a href="modeling-users.html#sec-database_migrations"><span class="number">6.1.1</span> Database migrations</a></li><li class="subsection"><a href="modeling-users.html#sec-the_model_file"><span class="number">6.1.2</span> The model file</a></li><li class="subsection"><a href="modeling-users.html#sec-creating_user_objects"><span class="number">6.1.3</span> Creating user objects</a></li><li class="subsection"><a href="modeling-users.html#sec-finding_user_objects"><span class="number">6.1.4</span> Finding user objects</a></li><li class="subsection"><a href="modeling-users.html#sec-updating_user_objects"><span class="number">6.1.5</span> Updating user objects</a></li></ol></li><li class="section"><a href="modeling-users.html#sec-user_validations"><span class="number">6.2</span> User validations</a></li><li><ol><li class="subsection"><a href="modeling-users.html#sec-initial_user_tests"><span class="number">6.2.1</span> Initial user tests</a></li><li class="subsection"><a href="modeling-users.html#sec-presence_validation"><span class="number">6.2.2</span> Validating presence</a></li><li class="subsection"><a href="modeling-users.html#sec-length_validation"><span class="number">6.2.3</span> Length validation</a></li><li class="subsection"><a href="modeling-users.html#sec-format_validation"><span class="number">6.2.4</span> Format validation</a></li><li class="subsection"><a href="modeling-users.html#sec-uniqueness_validation"><span class="number">6.2.5</span> Uniqueness validation</a></li><li><ol><li class="subsubsection"><a href="modeling-users.html#sec-the_caveat">The uniqueness caveat</a></li></ol></li></ol></li><li class="section"><a href="modeling-users.html#sec-adding_a_secure_password"><span class="number">6.3</span> Adding a secure password</a></li><li><ol><li class="subsection"><a href="modeling-users.html#sec-a_hashed_password"><span class="number">6.3.1</span> A hashed password</a></li><li class="subsection"><a href="modeling-users.html#sec-password_and_confirmation"><span class="number">6.3.2</span> Password and confirmation</a></li><li class="subsection"><a href="modeling-users.html#sec-user_authentication"><span class="number">6.3.3</span> User authentication</a></li><li class="subsection"><a href="modeling-users.html#sec-has_secure_password"><span class="number">6.3.4</span> User has secure password</a></li><li class="subsection"><a href="modeling-users.html#sec-creating_a_user"><span class="number">6.3.5</span> Creating a user</a></li></ol></li><li class="section"><a href="modeling-users.html#sec-6_4"><span class="number">6.4</span> Conclusion</a></li><li class="section"><a href="modeling-users.html#sec-modeling_users_exercises"><span class="number">6.5</span> Exercises</a></li></ol></li><li class="chapter"><a href="sign-up.html#top"><span class="number">Chapter 7</span> Sign up</a></li><li><ol><li class="section"><a href="sign-up.html#sec-showing_users"><span class="number">7.1</span> Showing users</a></li><li><ol><li class="subsection"><a href="sign-up.html#sec-rails_environments"><span class="number">7.1.1</span> Debug and Rails environments</a></li><li class="subsection"><a href="sign-up.html#sec-a_users_resource"><span class="number">7.1.2</span> A Users resource</a></li><li class="subsection"><a href="sign-up.html#sec-tests_with_factories"><span class="number">7.1.3</span> Testing the user show page (with factories)</a></li><li class="subsection"><a href="sign-up.html#sec-a_gravatar_image"><span class="number">7.1.4</span> A Gravatar image and a sidebar</a></li></ol></li><li class="section"><a href="sign-up.html#sec-signup_form"><span class="number">7.2</span> Signup form</a></li><li><ol><li class="subsection"><a href="sign-up.html#sec-tests_for_user_signup"><span class="number">7.2.1</span> Tests for user signup</a></li><li class="subsection"><a href="sign-up.html#sec-using_form_for"><span class="number">7.2.2</span> Using <tt>form_for</tt></a></li><li class="subsection"><a href="sign-up.html#sec-the_form_html"><span class="number">7.2.3</span> The form HTML</a></li></ol></li><li class="section"><a href="sign-up.html#sec-signup_failure"><span class="number">7.3</span> Signup failure</a></li><li><ol><li class="subsection"><a href="sign-up.html#sec-a_working_form"><span class="number">7.3.1</span> A working form</a></li><li class="subsection"><a href="sign-up.html#sec-strong_parameters"><span class="number">7.3.2</span> Strong parameters</a></li><li class="subsection"><a href="sign-up.html#sec-signup_error_messages"><span class="number">7.3.3</span> Signup error messages</a></li></ol></li><li class="section"><a href="sign-up.html#sec-signup_success"><span class="number">7.4</span> Signup success</a></li><li><ol><li class="subsection"><a href="sign-up.html#sec-the_finished_signup_form"><span class="number">7.4.1</span> The finished signup form</a></li><li class="subsection"><a href="sign-up.html#sec-the_flash"><span class="number">7.4.2</span> The flash</a></li><li class="subsection"><a href="sign-up.html#sec-the_first_signup"><span class="number">7.4.3</span> The first signup</a></li><li class="subsection"><a href="sign-up.html#sec-deploying_to_production_with_ssl"><span class="number">7.4.4</span> Deploying to production with SSL</a></li></ol></li><li class="section"><a href="sign-up.html#sec-7_5"><span class="number">7.5</span> Conclusion</a></li><li class="section"><a href="sign-up.html#sec-signup_exercises"><span class="number">7.6</span> Exercises</a></li></ol></li><li class="chapter"><a href="sign-in-sign-out.html#top"><span class="number">Chapter 8</span> Sign in, sign out</a></li><li><ol><li class="section"><a href="sign-in-sign-out.html#sec-signin_failure"><span class="number">8.1</span> Sessions and signin failure</a></li><li><ol><li class="subsection"><a href="sign-in-sign-out.html#sec-sessions_controller"><span class="number">8.1.1</span> Sessions controller</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-signin_tests"><span class="number">8.1.2</span> Signin tests</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-signin_form"><span class="number">8.1.3</span> Signin form</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-reviewing_form_submission"><span class="number">8.1.4</span> Reviewing form submission</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-rendering_with_a_flash_message"><span class="number">8.1.5</span> Rendering with a flash message</a></li></ol></li><li class="section"><a href="sign-in-sign-out.html#sec-signin_success"><span class="number">8.2</span> Signin success</a></li><li><ol><li class="subsection"><a href="sign-in-sign-out.html#sec-remember_me"><span class="number">8.2.1</span> Remember me</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-a_working_sign_in_method"><span class="number">8.2.2</span> A working <tt>sign_in</tt> method</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-current_user"><span class="number">8.2.3</span> Current user</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-changing_the_layout_links"><span class="number">8.2.4</span> Changing the layout links</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-signin_upon_signup"><span class="number">8.2.5</span> Signin upon signup</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-signing_out"><span class="number">8.2.6</span> Signing out</a></li></ol></li><li class="section"><a href="sign-in-sign-out.html#sec-cucumber"><span class="number">8.3</span> Introduction to cucumber (optional)</a></li><li><ol><li class="subsection"><a href="sign-in-sign-out.html#sec-installation_and_setup"><span class="number">8.3.1</span> Installation and setup</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-features_and_steps"><span class="number">8.3.2</span> Features and steps</a></li><li class="subsection"><a href="sign-in-sign-out.html#sec-rspec_custom_matchers"><span class="number">8.3.3</span> Counterpoint: RSpec custom matchers</a></li></ol></li><li class="section"><a href="sign-in-sign-out.html#sec-8_4"><span class="number">8.4</span> Conclusion</a></li><li class="section"><a href="sign-in-sign-out.html#sec-sign_in_out_exercises"><span class="number">8.5</span> Exercises</a></li></ol></li><li class="chapter"><a href="updating-showing-and-deleting-users.html#top"><span class="number">Chapter 9</span> Updating, showing, and deleting users</a></li><li><ol><li class="section"><a href="updating-showing-and-deleting-users.html#sec-updating_users"><span class="number">9.1</span> Updating users</a></li><li><ol><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-edit_form"><span class="number">9.1.1</span> Edit form</a></li><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-unsuccessful_edits"><span class="number">9.1.2</span> Unsuccessful edits</a></li><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-successful_edits"><span class="number">9.1.3</span> Successful edits</a></li></ol></li><li class="section"><a href="updating-showing-and-deleting-users.html#sec-authorization"><span class="number">9.2</span> Authorization</a></li><li><ol><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-requiring_signed_in_users"><span class="number">9.2.1</span> Requiring signed-in users</a></li><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-requiring_the_right_user"><span class="number">9.2.2</span> Requiring the right user</a></li><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-friendly_forwarding"><span class="number">9.2.3</span> Friendly forwarding</a></li></ol></li><li class="section"><a href="updating-showing-and-deleting-users.html#sec-showing_all_users"><span class="number">9.3</span> Showing all users</a></li><li><ol><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-user_index"><span class="number">9.3.1</span> User index</a></li><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-sample_users"><span class="number">9.3.2</span> Sample users</a></li><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-pagination"><span class="number">9.3.3</span> Pagination</a></li><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-partial_refactoring"><span class="number">9.3.4</span> Partial refactoring</a></li></ol></li><li class="section"><a href="updating-showing-and-deleting-users.html#sec-destroying_users"><span class="number">9.4</span> Deleting users</a></li><li><ol><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-administrative_users"><span class="number">9.4.1</span> Administrative users</a></li><li><ol><li class="subsubsection"><a href="updating-showing-and-deleting-users.html#sec-revisiting_strong_parameters">Revisiting strong parameters</a></li></ol></li><li class="subsection"><a href="updating-showing-and-deleting-users.html#sec-the_destroy_action"><span class="number">9.4.2</span> The <tt>destroy</tt> action</a></li></ol></li><li class="section"><a href="updating-showing-and-deleting-users.html#sec-updating_and_deleting_users_conclusion"><span class="number">9.5</span> Conclusion</a></li><li class="section"><a href="updating-showing-and-deleting-users.html#sec-updating_deleting_exercises"><span class="number">9.6</span> Exercises</a></li></ol></li><li class="chapter"><a href="user-microposts.html#top"><span class="number">Chapter 10</span> User microposts</a></li><li><ol><li class="section"><a href="user-microposts.html#sec-a_micropost_model"><span class="number">10.1</span> A Micropost model</a></li><li><ol><li class="subsection"><a href="user-microposts.html#sec-the_basic_model"><span class="number">10.1.1</span> The basic model</a></li><li class="subsection"><a href="user-microposts.html#sec-first_micropost_validation"><span class="number">10.1.2</span> The first validation</a></li><li class="subsection"><a href="user-microposts.html#sec-user_micropost_associations"><span class="number">10.1.3</span> User/Micropost associations</a></li><li class="subsection"><a href="user-microposts.html#sec-ordering_and_dependency"><span class="number">10.1.4</span> Micropost refinements</a></li><li><ol><li class="subsubsection"><a href="user-microposts.html#sec-default_scope">Default scope</a></li><li class="subsubsection"><a href="user-microposts.html#sec-dependent_destroy">Dependent: destroy</a></li></ol></li><li class="subsection"><a href="user-microposts.html#sec-micropost_validations"><span class="number">10.1.5</span> Content validations</a></li></ol></li><li class="section"><a href="user-microposts.html#sec-showing_microposts"><span class="number">10.2</span> Showing microposts</a></li><li><ol><li class="subsection"><a href="user-microposts.html#sec-augmenting_the_user_show_page"><span class="number">10.2.1</span> Augmenting the user show page</a></li><li class="subsection"><a href="user-microposts.html#sec-sample_microposts"><span class="number">10.2.2</span> Sample microposts</a></li></ol></li><li class="section"><a href="user-microposts.html#sec-manipulating_microposts"><span class="number">10.3</span> Manipulating microposts</a></li><li><ol><li class="subsection"><a href="user-microposts.html#sec-access_control"><span class="number">10.3.1</span> Access control</a></li><li class="subsection"><a href="user-microposts.html#sec-creating_microposts"><span class="number">10.3.2</span> Creating microposts</a></li><li class="subsection"><a href="user-microposts.html#sec-a_proto_feed"><span class="number">10.3.3</span> A proto-feed</a></li><li class="subsection"><a href="user-microposts.html#sec-destroying_microposts"><span class="number">10.3.4</span> Destroying microposts</a></li></ol></li><li class="section"><a href="user-microposts.html#sec-10_4"><span class="number">10.4</span> Conclusion</a></li><li class="section"><a href="user-microposts.html#sec-micropost_exercises"><span class="number">10.5</span> Exercises</a></li></ol></li><li class="chapter"><a href="following-users.html#top"><span class="number">Chapter 11</span> Following users</a></li><li><ol><li class="section"><a href="following-users.html#sec-the_relationship_model"><span class="number">11.1</span> The Relationship model</a></li><li><ol><li class="subsection"><a href="following-users.html#sec-a_problem_with_the_data_model"><span class="number">11.1.1</span> A problem with the data model (and a solution)</a></li><li class="subsection"><a href="following-users.html#sec-relationship_user_associations"><span class="number">11.1.2</span> User/relationship associations</a></li><li class="subsection"><a href="following-users.html#sec-relationship_validations"><span class="number">11.1.3</span> Validations</a></li><li class="subsection"><a href="following-users.html#sec-following"><span class="number">11.1.4</span> Followed users</a></li><li class="subsection"><a href="following-users.html#sec-followers"><span class="number">11.1.5</span> Followers</a></li></ol></li><li class="section"><a href="following-users.html#sec-a_web_interface_for_following_and_followers"><span class="number">11.2</span> A web interface for following users</a></li><li><ol><li class="subsection"><a href="following-users.html#sec-sample_following_data"><span class="number">11.2.1</span> Sample following data</a></li><li class="subsection"><a href="following-users.html#sec-stats_and_a_follow_form"><span class="number">11.2.2</span> Stats and a follow form</a></li><li class="subsection"><a href="following-users.html#sec-following_and_followers_pages"><span class="number">11.2.3</span> Following and followers pages</a></li><li class="subsection"><a href="following-users.html#sec-a_working_follow_button_the_standard_way"><span class="number">11.2.4</span> A working follow button the standard way</a></li><li class="subsection"><a href="following-users.html#sec-a_working_follow_button_with_ajax"><span class="number">11.2.5</span> A working follow button with Ajax</a></li></ol></li><li class="section"><a href="following-users.html#sec-the_status_feed"><span class="number">11.3</span> The status feed</a></li><li><ol><li class="subsection"><a href="following-users.html#sec-motivation_and_strategy"><span class="number">11.3.1</span> Motivation and strategy</a></li><li class="subsection"><a href="following-users.html#sec-a_first_feed_implementation"><span class="number">11.3.2</span> A first feed implementation</a></li><li class="subsection"><a href="following-users.html#sec-scopes_subselects_and_a_lambda"><span class="number">11.3.3</span> Subselects</a></li><li class="subsection"><a href="following-users.html#sec-the_new_status_feed"><span class="number">11.3.4</span> The new status feed</a></li></ol></li><li class="section"><a href="following-users.html#sec-following_conclusion"><span class="number">11.4</span> Conclusion</a></li><li><ol><li class="subsection"><a href="following-users.html#sec-extensions_to_the_sample_application"><span class="number">11.4.1</span> Extensions to the sample application</a></li><li><ol><li class="subsubsection"><a href="following-users.html#sec-replies">Replies</a></li><li class="subsubsection"><a href="following-users.html#sec-messaging">Messaging</a></li><li class="subsubsection"><a href="following-users.html#sec-follower_notifications">Follower notifications</a></li><li class="subsubsection"><a href="following-users.html#sec-password_reminders">Password reminders</a></li><li class="subsubsection"><a href="following-users.html#sec-signup_confirmation">Signup confirmation</a></li><li class="subsubsection"><a href="following-users.html#sec-rss_feed">RSS feed</a></li><li class="subsubsection"><a href="following-users.html#sec-rest_api">REST API</a></li><li class="subsubsection"><a href="following-users.html#sec-search">Search</a></li></ol></li><li class="subsection"><a href="following-users.html#sec-guide_to_further_resources"><span class="number">11.4.2</span> Guide to further resources</a></li></ol></li><li class="section"><a href="following-users.html#sec-following_exercises"><span class="number">11.5</span> Exercises</a></li></ol></li></ol></div>


<div id="main_content"></div>


<p> <span class="preamble">
 <span id="foreword">
<strong> Foreword</strong> <br />
 </span>
 </span></p>

<p>My former company (CD Baby) was one of the first to loudly switch to Ruby on Rails, and then even more loudly switch back to PHP (Google me to read about the drama). This book by Michael Hartl came so highly recommended that I had to try it, and the <em>Ruby on Rails Tutorial</em> is what I used to switch back to Rails again.</p>

<p>Though I&rsquo;ve worked my way through many Rails books, this is the one that finally made me &ldquo;get&rdquo; it. Everything is done very much &ldquo;the Rails way&rdquo;&mdash;a way that felt very unnatural to me before, but now after doing this book finally feels natural. This is also the only Rails book that does test-driven development the entire time, an approach highly recommended by the experts but which has never been so clearly demonstrated before. Finally, by including Git, GitHub, and Heroku in the demo examples, the author really gives you a feel for what it&rsquo;s like to do a real-world project. The tutorial&rsquo;s code examples are not in isolation.</p>

<p>The linear narrative is such a great format. Personally, I powered through the <em>Rails Tutorial</em> in three long days, doing all the examples and challenges at the end of each chapter. Do it from start to finish, without jumping around, and you&rsquo;ll get the ultimate benefit.</p>

<p>Enjoy!</p>

<p><a href="http://sivers.org/">Derek Sivers</a> (<a href="http://sivers.org/">sivers.org</a>) <br />
<em>Founder, CD Baby</em> <br /></p>

<p> <span class="preamble">
<strong> Acknowledgments</strong> <br />
 </span></p>

<p>The <em>Ruby on Rails Tutorial</em> owes a lot to my previous Rails book, <em>RailsSpace</em>, and hence to my coauthor <a href="http://aure.com/">Aurelius Prochazka</a>. I&rsquo;d like to thank Aure both for the work he did on that book and for his support of this one. I&rsquo;d also like to thank Debra Williams Cauley, my editor on both <em>RailsSpace</em> and the <em>Ruby on Rails Tutorial</em>; as long as she keeps taking me to baseball games, I&rsquo;ll keep writing books for her.</p>

<p>I&rsquo;d like to acknowledge a long list of Rubyists who have taught and inspired me over the years: David Heinemeier Hansson, Yehuda Katz, Carl Lerche, Jeremy Kemper, Xavier Noria, Ryan Bates, Geoffrey Grosenbach, Peter Cooper, Matt Aimonetti, Gregg Pollack, Wayne&nbsp;E. Seguin, Amy Hoy, Dave Chelimsky, Pat Maddox, Tom Preston-Werner, Chris Wanstrath, Chad Fowler, Josh Susser, Obie Fernandez, Ian McFarland, Steven Bristol, Pratik Naik, Sarah Mei, Sarah Allen, Wolfram Arnold, Alex Chaffee, Giles Bowkett, Evan Dorn, Long Nguyen, James Lindenbaum, Adam Wiggins, Tikhon Bernstam, Ron Evans, Wyatt Greene, Miles Forrest, the good people at Pivotal Labs, the Heroku gang, the thoughtbot guys, and the GitHub crew. Finally, many, many readers&mdash;far too many to list&mdash;have contributed a huge number of bug reports and suggestions during the writing of this book, and I gratefully acknowledge their help in making it as good as it can&nbsp;be. <br /></p>

<p> <span class="preamble">
 <span id="author">
<strong> About the author</strong> <br />
 </span>
 </span></p>

<p><a href="http://michaelhartl.com/">Michael Hartl</a> is the author of the <a href="http://ruby.railstutorial.org/"><em>Ruby on Rails Tutorial</em></a>, the leading introduction to web development with <a href="http://rubyonrails.org/">Ruby on Rails</a>. His prior experience includes writing and developing <em>RailsSpace</em>, an extremely obsolete Rails tutorial book, and developing Insoshi, a once-popular and now-obsolete social networking platform in Ruby on Rails. In 2011, Michael received a <a href="http://rubyheroes.com/heroes">Ruby Hero Award</a> for his contributions to the Ruby community. He is a graduate of <a href="http://college.harvard.edu/">Harvard College</a>, has a <a href="http://resolver.caltech.edu/CaltechETD:etd-05222003-161626">Ph.D. in Physics</a> from <a href="http://www.caltech.edu/">Caltech</a>, and is an alumnus of the <a href="http://ycombinator.com/">Y&nbsp;Combinator</a> entrepreneur program. <br /></p>

<p> <span id="license" class="preamble">
<strong> Copyright and license</strong> <br />
 </span></p>

<p><em>Ruby on Rails Tutorial: Learn Web Development with Rails</em>. Copyright &copy; 2013 by Michael Hartl. All source code in the <em>Ruby on Rails Tutorial</em> is available jointly under the <a href="http://opensource.org/licenses/MIT">MIT License</a> and the <a href="http://people.freebsd.org/~phk/">Beerware License</a>.</p>

<div class="code"><div class="highlight"><pre>The MIT License

Copyright (c) 2013 Michael Hartl

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the &quot;Software&quot;), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
</pre></div>
</div>


<div class="code"><div class="highlight"><pre>/*
 * ----------------------------------------------------------------------------
 * &quot;THE BEER-WARE LICENSE&quot; (Revision 42):
 * Michael Hartl wrote this code. As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return.
 * ----------------------------------------------------------------------------
 */
</pre></div>
</div>


<div id="top"></div>


<h1 class="chapter"><a id="sec-9" href="updating-showing-and-deleting-users.html#top" class="heading"><span class="number">Chapter 9</span> Updating, showing, and deleting users</a></h1>


<p>In this chapter, we will complete the REST actions for the Users resource (<a class="ref" href="sign-up.html#table-RESTful_users">Table&nbsp;7.1</a>) by adding <code>edit</code>, <code>update</code>, <code>index</code>, and <code>destroy</code> actions. We&rsquo;ll start by giving users the ability to update their profiles, which will also provide a natural opportunity to enforce a security model (made possible by the authorization code in <a class="ref" href="sign-in-sign-out.html#top">Chapter&nbsp;8</a>). Then we&rsquo;ll make a listing of all users (also requiring authorization), which will motivate the introduction of sample data and pagination. Finally, we&rsquo;ll add the ability to destroy users, wiping them clear from the database. Since we can&rsquo;t allow just any user to have such dangerous powers, we&rsquo;ll take care to create a privileged class of administrative users (admins) authorized to delete other users.</p>

<p>To get started, let&rsquo;s start work on an <code>updating-users</code> topic branch:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> git checkout -b updating-users
</pre></div>
</div>


<div class="label" id="sec-updating_users"></div>


<h2><a id="sec-9_1" href="updating-showing-and-deleting-users.html#sec-updating_users" class="heading"><span class="number">9.1</span> Updating users</a></h2>


<p>The pattern for editing user information closely parallels that for creating new users (<a class="ref" href="sign-up.html#top">Chapter&nbsp;7</a>). Instead of a <code>new</code> action rendering a view for new users, we have an <code>edit</code> action rendering a view to edit users; instead of <code>create</code> responding to a <tt>POST</tt> request, we have an <code>update</code> action responding to a <tt>PATCH</tt> request (<a class="ref" href="static-pages.html#sidebar-get_etc">Box&nbsp;3.3</a>). The biggest difference is that, while anyone can sign up, only the current user should be able to update their information. This means that we need to enforce access control so that only authorized users can edit and update; the authentication machinery from <a class="ref" href="sign-in-sign-out.html#top">Chapter&nbsp;8</a> will allow us to use a <em>before filter</em> to ensure that this is the case.</p>

<div class="label" id="sec-edit_form"></div>


<h3><a id="sec-9_1_1" href="updating-showing-and-deleting-users.html#sec-edit_form" class="heading"><span class="number">9.1.1</span> Edit form</a></h3>


<p>We start with the edit form, whose mockup appears in <a class="ref" href="updating-showing-and-deleting-users.html#fig-edit_user_mockup">Figure&nbsp;9.1</a>.<sup class="footnote" id="fnref-9_1"><a href="#fn-9_1">1</a></sup> As usual, we&rsquo;ll begin with some tests. First, note the link to change the Gravatar image; if you poke around the Gravatar site, you&rsquo;ll see that the page to add or edit images is located at <a href="http://gravatar.com/emails">http://gravatar.com/emails</a>, so we test the <code>edit</code> page for a link with that URL.<sup class="footnote" id="fnref-9_2"><a href="#fn-9_2">2</a></sup></p>

<div class="label" id="fig-edit_user_mockup"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/edit_user_mockup_bootstrap.png" alt="edit_user_mockup_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.1: </span><span class="description">A mockup of the user edit page.&nbsp;<a href="http://railstutorial.org/images/figures/edit_user_mockup_bootstrap-full.png">(full size)</a></span></div></div>


<p>The tests for the edit user form are analogous to the test for the new user form in <a class="ref" href="sign-up.html#code-error_messages_test">Listing&nbsp;7.31</a> from the <a class="ref" href="sign-up.html#top">Chapter&nbsp;7</a> exercises, which added a test for the error message on invalid submission. The result appears in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_edit_specs">Listing&nbsp;9.1</a>.</p>

<div class="label" id="code-user_edit_specs"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.1.</span> <span class="description">Tests for the user edit page. <br /> <code>spec/requests/user_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;User pages&quot;</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">describe</span> <span class="s2">&quot;edit&quot;</span> <span class="k">do</span>
    <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>
    <span class="n">before</span> <span class="p">{</span> <span class="n">visit</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="p">}</span>

    <span class="n">describe</span> <span class="s2">&quot;page&quot;</span> <span class="k">do</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_content</span><span class="p">(</span><span class="s2">&quot;Update your profile&quot;</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_title</span><span class="p">(</span><span class="s2">&quot;Edit user&quot;</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;change&#39;</span><span class="p">,</span> <span class="ss">href:</span> <span class="s1">&#39;http://gravatar.com/emails&#39;</span><span class="p">)</span> <span class="p">}</span>
    <span class="k">end</span>

    <span class="n">describe</span> <span class="s2">&quot;with invalid information&quot;</span> <span class="k">do</span>
      <span class="n">before</span> <span class="p">{</span> <span class="n">click_button</span> <span class="s2">&quot;Save changes&quot;</span> <span class="p">}</span>

      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_content</span><span class="p">(</span><span class="s1">&#39;error&#39;</span><span class="p">)</span> <span class="p">}</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>To write the application code, we need to fill in the <code>edit</code> action in the Users controller. Note from <a class="ref" href="sign-up.html#table-RESTful_users">Table&nbsp;7.1</a> that the proper URL for a user&rsquo;s edit page is /users/1/edit (assuming the user&rsquo;s id is&nbsp;<tt>1</tt>). Recall that the id of the user is available in the <code>params[:id]</code> variable, which means that we can find the user with the code in  <a class="ref" href="updating-showing-and-deleting-users.html#code-initial_edit_action">Listing&nbsp;9.2</a>.</p>

<div class="label" id="code-initial_edit_action"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.2.</span> <span class="description">The user <code>edit</code> action. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">edit</span>
    <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Getting the tests to pass requires making the actual edit view, shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_edit_view">Listing&nbsp;9.3</a>. Note how closely this resembles the new user view from <a class="ref" href="sign-up.html#code-signup_form">Listing&nbsp;7.17</a>; the large overlap suggests factoring the repeated code into a partial, which is left as an exercise (<a class="ref" href="updating-showing-and-deleting-users.html#sec-updating_deleting_exercises">Section&nbsp;9.6</a>).</p>

<div class="label" id="code-user_edit_view"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.3.</span> <span class="description">The user edit view. <br /> <code>app/views/users/edit.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="cp">&lt;%</span> <span class="n">provide</span><span class="p">(</span><span class="ss">:title</span><span class="p">,</span> <span class="s2">&quot;Edit user&quot;</span><span class="p">)</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;h1&gt;</span>Update your profile<span class="nt">&lt;/h1&gt;</span>

<span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">&quot;row&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">&quot;span6 offset3&quot;</span><span class="nt">&gt;</span>
    <span class="cp">&lt;%=</span> <span class="n">form_for</span><span class="p">(</span><span class="vi">@user</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">f</span><span class="o">|</span> <span class="cp">%&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">render</span> <span class="s1">&#39;shared/error_messages&#39;</span> <span class="cp">%&gt;</span>

      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">label</span> <span class="ss">:name</span> <span class="cp">%&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">text_field</span> <span class="ss">:name</span> <span class="cp">%&gt;</span>

      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">label</span> <span class="ss">:email</span> <span class="cp">%&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">text_field</span> <span class="ss">:email</span> <span class="cp">%&gt;</span>

      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">label</span> <span class="ss">:password</span> <span class="cp">%&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">password_field</span> <span class="ss">:password</span> <span class="cp">%&gt;</span>

      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">label</span> <span class="ss">:password_confirmation</span><span class="p">,</span> <span class="s2">&quot;Confirm Password&quot;</span> <span class="cp">%&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">password_field</span> <span class="ss">:password_confirmation</span> <span class="cp">%&gt;</span>

      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">submit</span> <span class="s2">&quot;Save changes&quot;</span><span class="p">,</span> <span class="ss">class:</span> <span class="s2">&quot;btn btn-large btn-primary&quot;</span> <span class="cp">%&gt;</span>
    <span class="cp">&lt;%</span> <span class="k">end</span> <span class="cp">%&gt;</span>

    <span class="cp">&lt;%=</span> <span class="n">gravatar_for</span> <span class="vi">@user</span> <span class="cp">%&gt;</span>
    <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">&quot;http://gravatar.com/emails&quot;</span><span class="nt">&gt;</span>change<span class="nt">&lt;/a&gt;</span>
  <span class="nt">&lt;/div&gt;</span>
<span class="nt">&lt;/div&gt;</span>
</pre></div>
</div></div>


<p>Here we have reused the shared <code>error_messages</code> partial introduced in <a class="ref" href="sign-up.html#sec-signup_error_messages">Section&nbsp;7.3.3</a>.</p>

<p>With the <code>@user</code> instance variable from <a class="ref" href="updating-showing-and-deleting-users.html#code-initial_edit_action">Listing&nbsp;9.2</a>, the edit page tests from <a class="ref" href="updating-showing-and-deleting-users.html#code-user_edit_specs">Listing&nbsp;9.1</a> should pass:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/requests/user_pages_spec.rb -e <span class="s2">&quot;edit page&quot;</span>
</pre></div>
</div>


<p>The corresponding page appears in <a class="ref" href="updating-showing-and-deleting-users.html#fig-edit_page">Figure&nbsp;9.2</a>, which shows how Rails automatically pre-fills the Name and Email fields using the attributes of the <code>@user</code> variable.</p>

<div class="label" id="fig-edit_page"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/edit_page_bootstrap.png" alt="edit_page_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.2: </span><span class="description">The initial user edit page with pre-filled name &amp; email.&nbsp;<a href="http://railstutorial.org/images/figures/edit_page_bootstrap-full.png">(full size)</a></span></div></div>


<p>Looking at the HTML source for <a class="ref" href="updating-showing-and-deleting-users.html#fig-edit_page">Figure&nbsp;9.2</a>, we see a form tag as expected (<a class="ref" href="updating-showing-and-deleting-users.html#code-edit_form_html">Listing&nbsp;9.4</a>).</p>

<div class="label" id="code-edit_form_html"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.4.</span> <span class="description">HTML for the edit form defined in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_edit_view">Listing&nbsp;9.3</a> and shown in <a class="ref" href="updating-showing-and-deleting-users.html#fig-edit_page">Figure&nbsp;9.2</a>.</span> </div>
<div class="code"><div class="highlight"><pre><span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">&quot;/users/1&quot;</span> <span class="na">class=</span><span class="s">&quot;edit_user&quot;</span> <span class="na">id=</span><span class="s">&quot;edit_user_1&quot;</span> <span class="na">method=</span><span class="s">&quot;post&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;input</span> <span class="na">name=</span><span class="s">&quot;_method&quot;</span> <span class="na">type=</span><span class="s">&quot;hidden&quot;</span> <span class="na">value=</span><span class="s">&quot;patch&quot;</span> <span class="nt">/&gt;</span>
  .
  .
  .
<span class="nt">&lt;/form&gt;</span>
</pre></div>
</div></div>


<p>Note here the hidden input field</p>

<div class="code"><div class="highlight"><pre><span class="nt">&lt;input</span> <span class="na">name=</span><span class="s">&quot;_method&quot;</span> <span class="na">type=</span><span class="s">&quot;hidden&quot;</span> <span class="na">value=</span><span class="s">&quot;patch&quot;</span> <span class="nt">/&gt;</span>
</pre></div>
</div>


<p>Since web browsers can&rsquo;t natively send <tt>PATCH</tt> requests (as required by the REST conventions from <a class="ref" href="sign-up.html#table-RESTful_users">Table&nbsp;7.1</a>), Rails fakes it with a <tt>POST</tt> request and a hidden <code>input</code> field.<sup class="footnote" id="fnref-9_3"><a href="#fn-9_3">3</a></sup></p>

<p>There&rsquo;s another subtlety to address here: the code <code>form_for(@user)</code> in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_edit_view">Listing&nbsp;9.3</a> is <em>exactly</em> the same as the code in <a class="ref" href="sign-up.html#code-signup_form">Listing&nbsp;7.17</a>&mdash;so how does Rails know to use a <tt>POST</tt> request for new users and a <tt>PATCH</tt> for editing users? The answer is that it is possible to tell whether a user is new or already exists in the database via Active Record&rsquo;s <code>new_record?</code> boolean method:</p>

<div class="code"><div class="highlight"><pre><span class="go">$ rails console</span>
<span class="gp">&gt;&gt; </span><span class="no">User</span><span class="o">.</span><span class="n">new</span><span class="o">.</span><span class="n">new_record?</span>
<span class="go">=&gt; true</span>
<span class="gp">&gt;&gt; </span><span class="no">User</span><span class="o">.</span><span class="n">first</span><span class="o">.</span><span class="n">new_record?</span>
<span class="go">=&gt; false</span>
</pre></div>
</div>


<p>When constructing a form using <code>form_for(@user)</code>, Rails uses <tt>POST</tt> if <code>@user.new_record?</code> is <code>true</code> and <tt>PATCH</tt> if it is <code>false</code>.</p>

<p>As a final touch, we&rsquo;ll add a URL to the user settings link to the site navigation. Since it depends on the signin status of the user, the test for the &ldquo;Settings&rdquo; link belongs with the other authentication tests, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-settings_link_test">Listing&nbsp;9.5</a>. (It would be nice to have additional tests verifying that such links <em>don&rsquo;t</em> appear for users who aren&rsquo;t signed in; writing these tests is left as an exercise (<a class="ref" href="updating-showing-and-deleting-users.html#sec-updating_deleting_exercises">Section&nbsp;9.6</a>).)</p>

<div class="label" id="code-settings_link_test"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.5.</span> <span class="description">Adding a test for the &ldquo;Settings&rdquo; link. <br /> <code>spec/requests/authentication_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;Authentication&quot;</span> <span class="k">do</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="n">describe</span> <span class="s2">&quot;with valid information&quot;</span> <span class="k">do</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">before</span> <span class="p">{</span> <span class="n">sign_in</span> <span class="n">user</span> <span class="p">}</span>

      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_title</span><span class="p">(</span><span class="n">user</span><span class="o">.</span><span class="n">name</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Profile&#39;</span><span class="p">,</span>     <span class="ss">href:</span> <span class="n">user_path</span><span class="p">(</span><span class="n">user</span><span class="p">))</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Settings&#39;</span><span class="p">,</span>    <span class="ss">href:</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">user</span><span class="p">))</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Sign out&#39;</span><span class="p">,</span>    <span class="ss">href:</span> <span class="n">signout_path</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should_not</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Sign in&#39;</span><span class="p">,</span> <span class="ss">href:</span> <span class="n">signin_path</span><span class="p">)</span> <span class="p">}</span>
      <span class="o">.</span>
      <span class="o">.</span>
      <span class="o">.</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>For convenience, the code in <a class="ref" href="updating-showing-and-deleting-users.html#code-settings_link_test">Listing&nbsp;9.5</a> uses a helper to sign in a user inside the tests. The method is to visit the signin page and submit valid information, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-sign_in_helper">Listing&nbsp;9.6</a>.</p>

<div class="label" id="code-sign_in_helper"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.6.</span> <span class="description">A test helper to sign users in. <br /> <code>spec/support/utilities.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="o">.</span>
<span class="o">.</span>
<span class="o">.</span>
<span class="k">def</span> <span class="nf">sign_in</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">options</span><span class="o">=</span><span class="p">{})</span>
  <span class="k">if</span> <span class="n">options</span><span class="o">[</span><span class="ss">:no_capybara</span><span class="o">]</span>
    <span class="c1"># Sign in when not using Capybara.</span>
    <span class="n">remember_token</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">new_remember_token</span>
    <span class="n">cookies</span><span class="o">[</span><span class="ss">:remember_token</span><span class="o">]</span> <span class="o">=</span> <span class="n">remember_token</span>
    <span class="n">user</span><span class="o">.</span><span class="n">update_attribute</span><span class="p">(</span><span class="ss">:remember_token</span><span class="p">,</span> <span class="no">User</span><span class="o">.</span><span class="n">hash</span><span class="p">(</span><span class="n">remember_token</span><span class="p">))</span>
  <span class="k">else</span>
    <span class="n">visit</span> <span class="n">signin_path</span>
    <span class="n">fill_in</span> <span class="s2">&quot;Email&quot;</span><span class="p">,</span>    <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">email</span>
    <span class="n">fill_in</span> <span class="s2">&quot;Password&quot;</span><span class="p">,</span> <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">password</span>
    <span class="n">click_button</span> <span class="s2">&quot;Sign in&quot;</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>As noted in the comment line, filling in the form doesn&rsquo;t work when not using Capybara, so to cover this case we allow the user to pass the option <code>no_capybara: true</code> to override the default signin method and manipulate the cookies directly. This is necessary when using one of the HTTP request methods directly (<code>get</code>, <code>post</code>, <code>patch</code>, or <code>delete</code>), as we&rsquo;ll see in <a class="ref" href="updating-showing-and-deleting-users.html#code-delete_destroy_test">Listing&nbsp;9.45</a>. (Note that the test <code>cookies</code> object isn&rsquo;t a perfect simulation of the real cookies object; in particular, the <code>cookies.permanent</code> method seen in <a class="ref" href="sign-in-sign-out.html#code-sign_in_function">Listing&nbsp;8.19</a> doesn&rsquo;t work inside tests.) As you might suspect, the <code>sign_in</code> method will prove useful in future tests, and in fact it can already be used to eliminate some duplication (<a class="ref" href="updating-showing-and-deleting-users.html#sec-updating_deleting_exercises">Section&nbsp;9.6</a>).</p>

<p>The application code to add the URL for the &ldquo;Settings&rdquo; link is simple: we just use the named route <code>edit_user_path</code> from <a class="ref" href="sign-up.html#table-RESTful_users">Table&nbsp;7.1</a>, together with the handy <code>current_user</code> helper method defined in <a class="ref" href="sign-in-sign-out.html#code-current_user_working">Listing&nbsp;8.22</a>:</p>

<div class="code"><div class="highlight"><pre><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Settings&quot;</span><span class="p">,</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">current_user</span><span class="p">)</span> <span class="cp">%&gt;</span>
</pre></div>
</div>


<p>The full application code appears in <a class="ref" href="updating-showing-and-deleting-users.html#code-settings_link">Listing&nbsp;9.7</a>).</p>

<div class="label" id="code-settings_link"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.7.</span> <span class="description">Adding a &ldquo;Settings&rdquo; link. <br /> <code>app/views/layouts/_header.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nt">&lt;header</span> <span class="na">class=</span><span class="s">&quot;navbar navbar-fixed-top navbar-inverse&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">&quot;navbar-inner&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">&quot;container&quot;</span><span class="nt">&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;sample app&quot;</span><span class="p">,</span> <span class="n">root_path</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="s2">&quot;logo&quot;</span> <span class="cp">%&gt;</span>
      <span class="nt">&lt;nav&gt;</span>
        <span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">&quot;nav pull-right&quot;</span><span class="nt">&gt;</span>
          <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Home&quot;</span><span class="p">,</span> <span class="n">root_path</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
          <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Help&quot;</span><span class="p">,</span> <span class="n">help_path</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
          <span class="cp">&lt;%</span> <span class="k">if</span> <span class="n">signed_in?</span> <span class="cp">%&gt;</span>
            <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Users&quot;</span><span class="p">,</span> <span class="s1">&#39;#&#39;</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
            <span class="nt">&lt;li</span> <span class="na">id=</span><span class="s">&quot;fat-menu&quot;</span> <span class="na">class=</span><span class="s">&quot;dropdown&quot;</span><span class="nt">&gt;</span>
              <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">&quot;#&quot;</span> <span class="na">class=</span><span class="s">&quot;dropdown-toggle&quot;</span> <span class="na">data-toggle=</span><span class="s">&quot;dropdown&quot;</span><span class="nt">&gt;</span>
                Account <span class="nt">&lt;b</span> <span class="na">class=</span><span class="s">&quot;caret&quot;</span><span class="nt">&gt;&lt;/b&gt;</span>
              <span class="nt">&lt;/a&gt;</span>
              <span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">&quot;dropdown-menu&quot;</span><span class="nt">&gt;</span>
                <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Profile&quot;</span><span class="p">,</span> <span class="n">current_user</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
                <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Settings&quot;</span><span class="p">,</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">current_user</span><span class="p">)</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
                <span class="nt">&lt;li</span> <span class="na">class=</span><span class="s">&quot;divider&quot;</span><span class="nt">&gt;&lt;/li&gt;</span>
                <span class="nt">&lt;li&gt;</span>
                  <span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Sign out&quot;</span><span class="p">,</span> <span class="n">signout_path</span><span class="p">,</span> <span class="nb">method</span><span class="p">:</span> <span class="s2">&quot;delete&quot;</span> <span class="cp">%&gt;</span>
                <span class="nt">&lt;/li&gt;</span>
              <span class="nt">&lt;/ul&gt;</span>
            <span class="nt">&lt;/li&gt;</span>
          <span class="cp">&lt;%</span> <span class="k">else</span> <span class="cp">%&gt;</span>
            <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Sign in&quot;</span><span class="p">,</span> <span class="n">signin_path</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
          <span class="cp">&lt;%</span> <span class="k">end</span> <span class="cp">%&gt;</span>
        <span class="nt">&lt;/ul&gt;</span>
      <span class="nt">&lt;/nav&gt;</span>
    <span class="nt">&lt;/div&gt;</span>
  <span class="nt">&lt;/div&gt;</span>
<span class="nt">&lt;/header&gt;</span>
</pre></div>
</div></div>




<div class="label" id="sec-unsuccessful_edits"></div>


<h3><a id="sec-9_1_2" href="updating-showing-and-deleting-users.html#sec-unsuccessful_edits" class="heading"><span class="number">9.1.2</span> Unsuccessful edits</a></h3>


<p>In this section we&rsquo;ll handle unsuccessful edits and get the error messages test in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_edit_specs">Listing&nbsp;9.1</a> to pass. The application code creates an <code>update</code> action that uses <code>update_attributes</code> (<a class="ref" href="modeling-users.html#sec-updating_user_objects">Section&nbsp;6.1.5</a>) to update the user based on the submitted <code>params</code> hash, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_update_action_unsuccessful">Listing&nbsp;9.8</a>. With invalid information, the update attempt returns <code>false</code>, so the <code>else</code> branch re-renders the edit page. We&rsquo;ve seen this pattern before; the structure closely parallels the first version of the <code>create</code> action (<a class="ref" href="sign-up.html#code-first_create_action">Listing&nbsp;7.21</a>).</p>

<div class="label" id="code-user_update_action_unsuccessful"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.8.</span> <span class="description">The initial user <code>update</code> action. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">edit</span>
    <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span>
  <span class="k">end</span>

  <span class="k">def</span> <span class="nf">update</span>
    <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span>
    <span class="k">if</span> <span class="vi">@user</span><span class="o">.</span><span class="n">update_attributes</span><span class="p">(</span><span class="n">user_params</span><span class="p">)</span>
      <span class="c1"># Handle a successful update.</span>
    <span class="k">else</span>
      <span class="n">render</span> <span class="s1">&#39;edit&#39;</span>
    <span class="k">end</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Note the use of <code>user_params</code> in the call to <code>update_attributes</code>, which uses strong parameters to prevent mass assignment vulnerability (as described in <a class="ref" href="sign-up.html#sec-strong_parameters">Section&nbsp;7.3.2</a>).</p>

<p>The resulting error message (<a class="ref" href="updating-showing-and-deleting-users.html#fig-edit_with_invalid_information">Figure&nbsp;9.3</a>) is the one needed to get the error message test to pass, as you should verify by running the test suite:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/
</pre></div>
</div>


<div class="label" id="fig-edit_with_invalid_information"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/edit_with_invalid_information_bootstrap.png" alt="edit_with_invalid_information_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.3: </span><span class="description">Error message from submitting the update form.&nbsp;<a href="http://railstutorial.org/images/figures/edit_with_invalid_information_bootstrap-full.png">(full size)</a></span></div></div>




<div class="label" id="sec-successful_edits"></div>


<h3><a id="sec-9_1_3" href="updating-showing-and-deleting-users.html#sec-successful_edits" class="heading"><span class="number">9.1.3</span> Successful edits</a></h3>


<p>Now it&rsquo;s time to get the edit form to work. Editing the profile images is already functional since we&rsquo;ve outsourced image upload to Gravatar; we can edit gravatars by clicking on the &ldquo;change&rdquo; link from <a class="ref" href="updating-showing-and-deleting-users.html#fig-edit_page">Figure&nbsp;9.2</a>, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#fig-gravatar_cropper">Figure&nbsp;9.4</a>. Let&rsquo;s get the rest of the user edit functionality working as well.</p>

<div class="label" id="fig-gravatar_cropper"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/gravatar_cropper.png" alt="gravatar_cropper" /></span></div><div class="caption"><span class="header">Figure 9.4: </span><span class="description">The  <a href="http://gravatar.com/">Gravatar</a> image-cropping interface, with a picture of <a href="http://michaelhartl.com/">some dude</a>.</span></div></div>


<p>The tests for the <code>update</code> action are similar to those for <code>create</code>. <a class="ref" href="updating-showing-and-deleting-users.html#code-user_update_specs">Listing&nbsp;9.9</a> shows how to use Capybara to fill in the form fields with valid information and then test that the resulting behavior is correct. This is a lot of code; see if you can work through it by referring back to the tests in <a class="ref" href="sign-up.html#top">Chapter&nbsp;7</a>.</p>

<div class="label" id="code-user_update_specs"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.9.</span> <span class="description">Tests for the user <code>update</code> action. <br /> <code>spec/requests/user_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;User pages&quot;</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">describe</span> <span class="s2">&quot;edit&quot;</span> <span class="k">do</span>
    <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>
    <span class="n">before</span> <span class="k">do</span>
      <span class="n">sign_in</span> <span class="n">user</span>
      <span class="n">visit</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">user</span><span class="p">)</span>
    <span class="k">end</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="n">describe</span> <span class="s2">&quot;with valid information&quot;</span> <span class="k">do</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:new_name</span><span class="p">)</span>  <span class="p">{</span> <span class="s2">&quot;New Name&quot;</span> <span class="p">}</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:new_email</span><span class="p">)</span> <span class="p">{</span> <span class="s2">&quot;new@example.com&quot;</span> <span class="p">}</span>
      <span class="n">before</span> <span class="k">do</span>
        <span class="n">fill_in</span> <span class="s2">&quot;Name&quot;</span><span class="p">,</span>             <span class="ss">with:</span> <span class="n">new_name</span>
        <span class="n">fill_in</span> <span class="s2">&quot;Email&quot;</span><span class="p">,</span>            <span class="ss">with:</span> <span class="n">new_email</span>
        <span class="n">fill_in</span> <span class="s2">&quot;Password&quot;</span><span class="p">,</span>         <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">password</span>
        <span class="n">fill_in</span> <span class="s2">&quot;Confirm Password&quot;</span><span class="p">,</span> <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">password</span>
        <span class="n">click_button</span> <span class="s2">&quot;Save changes&quot;</span>
      <span class="k">end</span>

      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_title</span><span class="p">(</span><span class="n">new_name</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_selector</span><span class="p">(</span><span class="s1">&#39;div.alert.alert-success&#39;</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Sign out&#39;</span><span class="p">,</span> <span class="ss">href:</span> <span class="n">signout_path</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">user</span><span class="o">.</span><span class="n">reload</span><span class="o">.</span><span class="n">name</span><span class="p">)</span><span class="o">.</span><span class="n">to</span>  <span class="n">eq</span> <span class="n">new_name</span> <span class="p">}</span>
      <span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">user</span><span class="o">.</span><span class="n">reload</span><span class="o">.</span><span class="n">email</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">eq</span> <span class="n">new_email</span> <span class="p">}</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Note that <a class="ref" href="updating-showing-and-deleting-users.html#code-user_update_specs">Listing&nbsp;9.9</a> adds the <code>sign_in</code> method from <a class="ref" href="updating-showing-and-deleting-users.html#code-sign_in_helper">Listing&nbsp;9.6</a> to the <code>before</code> block, which is required for the &ldquo;Sign out&rdquo; link test to pass, and also anticipates protecting the <code>edit</code> action from non-signed-in users (<a class="ref" href="updating-showing-and-deleting-users.html#sec-requiring_signed_in_users">Section&nbsp;9.2.1</a>).</p>

<p>The only real novelty in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_update_specs">Listing&nbsp;9.9</a> is the <code>reload</code> method, which appears in the test for changing the user&rsquo;s attributes:</p>

<div class="code"><div class="highlight"><pre><span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">user</span><span class="o">.</span><span class="n">reload</span><span class="o">.</span><span class="n">name</span><span class="p">)</span><span class="o">.</span><span class="n">to</span>  <span class="n">eq</span> <span class="n">new_name</span> <span class="p">}</span>
<span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">user</span><span class="o">.</span><span class="n">reload</span><span class="o">.</span><span class="n">email</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">eq</span> <span class="n">new_email</span> <span class="p">}</span>
</pre></div>
</div>


<p>This reloads the <code>user</code> variable from the test database using <code>user.reload</code>, and then verifies that the user&rsquo;s new name and email match the new values.</p>

<p>The <code>update</code> action needed to get the tests in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_update_specs">Listing&nbsp;9.9</a> to pass is similar to the final form of the <code>create</code> action (<a class="ref" href="sign-in-sign-out.html#code-signin_upon_signup">Listing&nbsp;8.27</a>), as seen in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_update_action">Listing&nbsp;9.10</a>. All this does is add</p>

<div class="code"><div class="highlight"><pre><span class="n">flash</span><span class="o">[</span><span class="ss">:success</span><span class="o">]</span> <span class="o">=</span> <span class="s2">&quot;Profile updated&quot;</span>
<span class="n">redirect_to</span> <span class="vi">@user</span>
</pre></div>
</div>


<p>to the code in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_update_action_unsuccessful">Listing&nbsp;9.8</a>.</p>

<div class="label" id="code-user_update_action"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.10.</span> <span class="description">The user <code>update</code> action. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">update</span>
    <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span>
    <span class="k">if</span> <span class="vi">@user</span><span class="o">.</span><span class="n">update_attributes</span><span class="p">(</span><span class="n">user_params</span><span class="p">)</span>
      <span class="n">flash</span><span class="o">[</span><span class="ss">:success</span><span class="o">]</span> <span class="o">=</span> <span class="s2">&quot;Profile updated&quot;</span>
      <span class="n">redirect_to</span> <span class="vi">@user</span>
    <span class="k">else</span>
      <span class="n">render</span> <span class="s1">&#39;edit&#39;</span>
    <span class="k">end</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Note that, as currently constructed, every edit requires the user to reconfirm the password (as implied by the empty confirmation text box in <a class="ref" href="updating-showing-and-deleting-users.html#fig-edit_page">Figure&nbsp;9.2</a>), which is a minor annoyance but is easier to code and decreases the likelihood of submitting a password with a typo.</p>

<p>With the code in this section, the user edit page should be working, as you can double-check by re-running the test suite, which should now be green:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/
</pre></div>
</div>




<div class="label" id="sec-authorization"></div>


<h2><a id="sec-9_2" href="updating-showing-and-deleting-users.html#sec-authorization" class="heading"><span class="number">9.2</span> Authorization</a></h2>


<p>One nice effect of building the authentication machinery in <a class="ref" href="sign-in-sign-out.html#top">Chapter&nbsp;8</a> is that we are now in a position to implement authorization as well: <em>authentication</em> allows us to identify users of our site, and <em>authorization</em> lets us control what they can do.</p>

<p>Although the edit and update actions from <a class="ref" href="updating-showing-and-deleting-users.html#sec-updating_users">Section&nbsp;9.1</a> are functionally complete, they suffer from a ridiculous security flaw: they allow anyone (even non-signed-in users) to access either action, and any signed-in user can update the information for any other user. In this section, we&rsquo;ll implement a security model that requires users to be signed in and prevents them from updating any information other than their own. Users who aren&rsquo;t signed in and who try to access protected pages will be forwarded to the signin page with a helpful message, as mocked up in <a class="ref" href="updating-showing-and-deleting-users.html#fig-signin_page_protected_mockup">Figure&nbsp;9.5</a>.</p>

<div class="label" id="fig-signin_page_protected_mockup"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/signin_page_protected_mockup_bootstrap.png" alt="signin_page_protected_mockup_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.5: </span><span class="description">A mockup of the result of visiting a protected page&nbsp;<a href="http://railstutorial.org/images/figures/signin_page_protected_mockup_bootstrap-full.png">(full size)</a></span></div></div>




<div class="label" id="sec-requiring_signed_in_users"></div>


<h3><a id="sec-9_2_1" href="updating-showing-and-deleting-users.html#sec-requiring_signed_in_users" class="heading"><span class="number">9.2.1</span> Requiring signed-in users</a></h3>


<p>Since the security restrictions for the <code>edit</code> and <code>update</code> actions are identical, we&rsquo;ll handle them in a single RSpec <code>describe</code> block. Starting with the sign-in requirement, our initial tests verify that non-signed-in users attempting to access either action are simply sent to the signin page, as seen in <a class="ref" href="updating-showing-and-deleting-users.html#code-protected_edit_update_tests">Listing&nbsp;9.11</a>.</p>

<div class="label" id="code-protected_edit_update_tests"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.11.</span> <span class="description">Testing that the <code>edit</code> and <code>update</code> actions are protected. <br /> <code>spec/requests/authentication_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;Authentication&quot;</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">describe</span> <span class="s2">&quot;authorization&quot;</span> <span class="k">do</span>

    <span class="n">describe</span> <span class="s2">&quot;for non-signed-in users&quot;</span> <span class="k">do</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>

      <span class="n">describe</span> <span class="s2">&quot;in the Users controller&quot;</span> <span class="k">do</span>

        <span class="n">describe</span> <span class="s2">&quot;visiting the edit page&quot;</span> <span class="k">do</span>
          <span class="n">before</span> <span class="p">{</span> <span class="n">visit</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="p">}</span>
          <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_title</span><span class="p">(</span><span class="s1">&#39;Sign in&#39;</span><span class="p">)</span> <span class="p">}</span>
        <span class="k">end</span>

        <span class="n">describe</span> <span class="s2">&quot;submitting to the update action&quot;</span> <span class="k">do</span>
          <span class="n">before</span> <span class="p">{</span> <span class="n">patch</span> <span class="n">user_path</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="p">}</span>
          <span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">signin_path</span><span class="p">)</span> <span class="p">}</span>
        <span class="k">end</span>
      <span class="k">end</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>The code in <a class="ref" href="updating-showing-and-deleting-users.html#code-protected_edit_update_tests">Listing&nbsp;9.11</a> introduces a second way, apart from Capybara&rsquo;s <code>visit</code> method, to access a controller action: by issuing the appropriate HTTP request directly, in this case using the <code>patch</code> method to issue a <tt>PATCH</tt> request:</p>

<div class="code"><div class="highlight"><pre><span class="n">describe</span> <span class="s2">&quot;submitting to the update action&quot;</span> <span class="k">do</span>
  <span class="n">before</span> <span class="p">{</span> <span class="n">patch</span> <span class="n">user_path</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="p">}</span>
  <span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">signin_path</span><span class="p">)</span> <span class="p">}</span>
<span class="k">end</span>
</pre></div>
</div>


<p>This issues a <tt>PATCH</tt> request directly to <code>/users/1</code>, which gets routed to the <code>update</code> action of the Users controller (<a class="ref" href="sign-up.html#table-RESTful_users">Table&nbsp;7.1</a>). This is necessary because there is no way for a browser to visit the <code>update</code> action directly&mdash;it can only get there indirectly by submitting the edit form&mdash;so Capybara can&rsquo;t do it either. But visiting the edit page only tests the authorization for the <code>edit</code> action, not for <code>update</code>. As a result, the only way to test the proper authorization for the <code>update</code> action itself is to issue a direct request. (As you might guess, in addition to <code>patch</code> Rails tests support <code>get</code>, <code>post</code>, and <code>delete</code> as well.)</p>

<p>When using one of the methods to issue HTTP requests directly, we get access to the low-level <code>response</code> object. Unlike the Capybara <code>page</code> object, <code>response</code> lets us test for the server response itself, in this case verifying that the <code>update</code> action responds by redirecting to the signin page:</p>

<div class="code"><div class="highlight"><pre><span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">signin_path</span><span class="p">)</span> <span class="p">}</span>
</pre></div>
</div>


<p>The authorization application code uses a <em>before filter</em>, which uses the <code>before_action</code> command to arrange for a particular method to be called before the given actions. (The command for before filters used to be called <code>before_filter</code>, but the Rails core team decided to rename it to emphasize that the filter takes place before particular controller actions.) To require users to be signed in, we define a <code>signed_in_user</code> method and invoke it using <code>before_action :signed_in_user</code>, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-authorize_before_filter">Listing&nbsp;9.12</a>.</p>

<div class="label" id="code-authorize_before_filter"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.12.</span> <span class="description">Adding a <code>signed_in_user</code> before filter. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="n">before_action</span> <span class="ss">:signed_in_user</span><span class="p">,</span> <span class="ss">only:</span> <span class="o">[</span><span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="kp">private</span>

    <span class="k">def</span> <span class="nf">user_params</span>
      <span class="n">params</span><span class="o">.</span><span class="n">require</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span><span class="o">.</span><span class="n">permit</span><span class="p">(</span><span class="ss">:name</span><span class="p">,</span> <span class="ss">:email</span><span class="p">,</span> <span class="ss">:password</span><span class="p">,</span>
                                   <span class="ss">:password_confirmation</span><span class="p">)</span>
    <span class="k">end</span>

    <span class="c1"># Before filters</span>

    <span class="k">def</span> <span class="nf">signed_in_user</span>
      <span class="n">redirect_to</span> <span class="n">signin_url</span><span class="p">,</span> <span class="ss">notice:</span> <span class="s2">&quot;Please sign in.&quot;</span> <span class="k">unless</span> <span class="n">signed_in?</span>
    <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>By default, before filters apply to <em>every</em> action in a controller, so here we restrict the filter to act only on the <code>:edit</code> and <code>:update</code> actions by passing the appropriate <code>:only</code> options hash.</p>

<p>Note that <a class="ref" href="updating-showing-and-deleting-users.html#code-authorize_before_filter">Listing&nbsp;9.12</a> uses a shortcut for setting <code>flash[:notice]</code> by passing an options hash to the <code>redirect_to</code> function. The code in <a class="ref" href="updating-showing-and-deleting-users.html#code-authorize_before_filter">Listing&nbsp;9.12</a> is equivalent to the more verbose</p>

<div class="code"><div class="highlight"><pre><span class="k">unless</span> <span class="n">signed_in?</span>
  <span class="n">flash</span><span class="o">[</span><span class="ss">:notice</span><span class="o">]</span> <span class="o">=</span> <span class="s2">&quot;Please sign in.&quot;</span>
  <span class="n">redirect_to</span> <span class="n">signin_url</span>
<span class="k">end</span>
</pre></div>
</div>


<p>(Unfortunately, the same construction doesn&rsquo;t work for the <code>:error</code> or <code>:success</code> keys.)</p>

<p>Together with <code>:success</code> and <code>:error</code>, the <code>:notice</code> key completes our triumvirate of <code>flash</code> styles, all of which are supported natively by Bootstrap CSS. By signing out and attempting to access the user edit page <a href="http://localhost:3000/users/1/edit">/users/1/edit</a>, we can see the resulting yellow &ldquo;notice&rdquo;  box, as seen in <a class="ref" href="updating-showing-and-deleting-users.html#fig-protected_sign_in">Figure&nbsp;9.6</a>.</p>

<div class="label" id="fig-protected_sign_in"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/protected_sign_in_bootstrap.png" alt="protected_sign_in_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.6: </span><span class="description">The signin form after trying to access a protected page.&nbsp;<a href="http://railstutorial.org/images/figures/protected_sign_in_bootstrap-full.png">(full size)</a></span></div></div>


<p>At this point, our test suite should be green:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/
</pre></div>
</div>




<div class="label" id="sec-requiring_the_right_user"></div>


<h3><a id="sec-9_2_2" href="updating-showing-and-deleting-users.html#sec-requiring_the_right_user" class="heading"><span class="number">9.2.2</span> Requiring the right user</a></h3>


<p>Of course, requiring users to sign in isn&rsquo;t quite enough; users should only be allowed to edit their <em>own</em> information. We can test for this by first signing in as an incorrect user and then hitting the <code>edit</code> and <code>update</code> actions (<a class="ref" href="updating-showing-and-deleting-users.html#code-edit_update_wrong_user_tests">Listing&nbsp;9.13</a>). Note that, because we&rsquo;re not using Capybara for these tests (<code>no_capybara: true</code>), we use the <code>get</code> and <code>patch</code> methods to hit the <code>edit</code> and <code>update</code> actions directly. In addition, because users should never even <em>try</em> to edit another user&rsquo;s profile, upon detecting unauthorized access we redirect to the root URL rather than to the signin page.</p>

<div class="label" id="code-edit_update_wrong_user_tests"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.13.</span> <span class="description">Testing that the <code>edit</code> and <code>update</code> actions require the right user. <br /> <code>spec/requests/authentication_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;Authentication&quot;</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">describe</span> <span class="s2">&quot;authorization&quot;</span> <span class="k">do</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="n">describe</span> <span class="s2">&quot;as wrong user&quot;</span> <span class="k">do</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:wrong_user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">,</span> <span class="ss">email:</span> <span class="s2">&quot;wrong@example.com&quot;</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">before</span> <span class="p">{</span> <span class="n">sign_in</span> <span class="n">user</span><span class="p">,</span> <span class="ss">no_capybara:</span> <span class="kp">true</span> <span class="p">}</span>

      <span class="n">describe</span> <span class="s2">&quot;submitting a GET request to the Users#edit action&quot;</span> <span class="k">do</span>
        <span class="n">before</span> <span class="p">{</span> <span class="n">get</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">wrong_user</span><span class="p">)</span> <span class="p">}</span>
        <span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="o">.</span><span class="n">body</span><span class="p">)</span><span class="o">.</span><span class="n">not_to</span> <span class="n">match</span><span class="p">(</span><span class="n">full_title</span><span class="p">(</span><span class="s1">&#39;Edit user&#39;</span><span class="p">))</span> <span class="p">}</span>
        <span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">root_url</span><span class="p">)</span> <span class="p">}</span>
      <span class="k">end</span>

      <span class="n">describe</span> <span class="s2">&quot;submitting a PATCH request to the Users#update action&quot;</span> <span class="k">do</span>
        <span class="n">before</span> <span class="p">{</span> <span class="n">patch</span> <span class="n">user_path</span><span class="p">(</span><span class="n">wrong_user</span><span class="p">)</span> <span class="p">}</span>
        <span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">root_url</span><span class="p">)</span> <span class="p">}</span>
      <span class="k">end</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Note here that a factory can take an option:</p>

<div class="code"><div class="highlight"><pre><span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">,</span> <span class="ss">email:</span> <span class="s2">&quot;wrong@example.com&quot;</span><span class="p">)</span>
</pre></div>
</div>


<p>This creates a user with a different email address from the default. The tests specify that the original user should not have access to the wrong user&rsquo;s <code>edit</code> or <code>update</code> actions.</p>

<p>The application code adds a second before filter to call the <code>correct_user</code> method, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-correct_user_before_filter">Listing&nbsp;9.14</a>.</p>

<div class="label" id="code-correct_user_before_filter"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.14.</span> <span class="description">A <code>correct_user</code> before filter to protect the edit/update pages. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="n">before_action</span> <span class="ss">:signed_in_user</span><span class="p">,</span> <span class="ss">only:</span> <span class="o">[</span><span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="n">before_action</span> <span class="ss">:correct_user</span><span class="p">,</span>   <span class="ss">only:</span> <span class="o">[</span><span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">edit</span>
  <span class="k">end</span>

  <span class="k">def</span> <span class="nf">update</span>
    <span class="k">if</span> <span class="vi">@user</span><span class="o">.</span><span class="n">update_attributes</span><span class="p">(</span><span class="n">user_params</span><span class="p">)</span>
      <span class="n">flash</span><span class="o">[</span><span class="ss">:success</span><span class="o">]</span> <span class="o">=</span> <span class="s2">&quot;Profile updated&quot;</span>
      <span class="n">redirect_to</span> <span class="vi">@user</span>
    <span class="k">else</span>
      <span class="n">render</span> <span class="s1">&#39;edit&#39;</span>
    <span class="k">end</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="kp">private</span>

    <span class="k">def</span> <span class="nf">user_params</span>
      <span class="n">params</span><span class="o">.</span><span class="n">require</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span><span class="o">.</span><span class="n">permit</span><span class="p">(</span><span class="ss">:name</span><span class="p">,</span> <span class="ss">:email</span><span class="p">,</span> <span class="ss">:password</span><span class="p">,</span>
                                   <span class="ss">:password_confirmation</span><span class="p">)</span>
    <span class="k">end</span>

    <span class="c1"># Before filters</span>

    <span class="k">def</span> <span class="nf">signed_in_user</span>
      <span class="n">redirect_to</span> <span class="n">signin_url</span><span class="p">,</span> <span class="ss">notice:</span> <span class="s2">&quot;Please sign in.&quot;</span> <span class="k">unless</span> <span class="n">signed_in?</span>
    <span class="k">end</span>

    <span class="k">def</span> <span class="nf">correct_user</span>
      <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span>
      <span class="n">redirect_to</span><span class="p">(</span><span class="n">root_url</span><span class="p">)</span> <span class="k">unless</span> <span class="n">current_user?</span><span class="p">(</span><span class="vi">@user</span><span class="p">)</span>
    <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>The <code>correct_user</code> filter uses the <code>current_user?</code> boolean method, which  we define in the Sessions helper (<a class="ref" href="updating-showing-and-deleting-users.html#code-current_user_p">Listing&nbsp;9.15</a>).</p>

<div class="label" id="code-current_user_p"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.15.</span> <span class="description">The <code>current_user?</code> method. <br /> <code>app/helpers/sessions_helper.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">module</span> <span class="nn">SessionsHelper</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">current_user</span>
    <span class="n">remember_token</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">hash</span><span class="p">(</span><span class="n">cookies</span><span class="o">[</span><span class="ss">:remember_token</span><span class="o">]</span><span class="p">)</span>
    <span class="vi">@current_user</span> <span class="o">||=</span> <span class="no">User</span><span class="o">.</span><span class="n">find_by</span><span class="p">(</span><span class="ss">remember_token:</span> <span class="n">remember_token</span><span class="p">)</span>
  <span class="k">end</span>

  <span class="k">def</span> <span class="nf">current_user?</span><span class="p">(</span><span class="n">user</span><span class="p">)</span>
    <span class="n">user</span> <span class="o">==</span> <span class="n">current_user</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p><a class="ref" href="updating-showing-and-deleting-users.html#code-correct_user_before_filter">Listing&nbsp;9.14</a> also shows the updated <code>edit</code> and <code>update</code> actions. Before, in <a class="ref" href="updating-showing-and-deleting-users.html#code-initial_edit_action">Listing&nbsp;9.2</a>, we had</p>

<div class="code"><div class="highlight"><pre><span class="k">def</span> <span class="nf">edit</span>
  <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span>
<span class="k">end</span>
</pre></div>
</div>


<p>and similarly for <code>update</code>. Now that the <code>correct_user</code> before filter defines <code>@user</code>, we can omit it from both actions.</p>

<p>Before moving on, you should verify that the test suite passes:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/
</pre></div>
</div>




<div class="label" id="sec-friendly_forwarding"></div>


<h3><a id="sec-9_2_3" href="updating-showing-and-deleting-users.html#sec-friendly_forwarding" class="heading"><span class="number">9.2.3</span> Friendly forwarding</a></h3>


<p>Our site authorization is complete as written, but there is one minor blemish: when users try to access a protected page, they are currently redirected to their profile pages regardless of where they were trying to go. In other words, if a non-logged-in user tries to visit the edit page, after signing in the user will be redirected to /users/1 instead of /users/1/edit. It would be much friendlier to redirect them to their intended destination instead.</p>

<p>To test for such &ldquo;friendly forwarding&rdquo;, we first visit the user edit page, which redirects to the signin page. We then enter valid signin information and click the &ldquo;Sign in&rdquo; button. The resulting page, which by default is the user&rsquo;s profile, should in this case be the &ldquo;Edit user&rdquo; page. The test for this sequence appears in <a class="ref" href="updating-showing-and-deleting-users.html#code-friendly_forwarding_test">Listing&nbsp;9.16</a>.</p>

<div class="label" id="code-friendly_forwarding_test"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.16.</span> <span class="description">A test for friendly forwarding. <br /> <code>spec/requests/authentication_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;Authentication&quot;</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">describe</span> <span class="s2">&quot;authorization&quot;</span> <span class="k">do</span>

    <span class="n">describe</span> <span class="s2">&quot;for non-signed-in users&quot;</span> <span class="k">do</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>

      <span class="n">describe</span> <span class="s2">&quot;when attempting to visit a protected page&quot;</span> <span class="k">do</span>
        <span class="n">before</span> <span class="k">do</span>
          <span class="n">visit</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">user</span><span class="p">)</span>
          <span class="n">fill_in</span> <span class="s2">&quot;Email&quot;</span><span class="p">,</span>    <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">email</span>
          <span class="n">fill_in</span> <span class="s2">&quot;Password&quot;</span><span class="p">,</span> <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">password</span>
          <span class="n">click_button</span> <span class="s2">&quot;Sign in&quot;</span>
        <span class="k">end</span>

        <span class="n">describe</span> <span class="s2">&quot;after signing in&quot;</span> <span class="k">do</span>

          <span class="n">it</span> <span class="s2">&quot;should render the desired protected page&quot;</span> <span class="k">do</span>
            <span class="n">expect</span><span class="p">(</span><span class="n">page</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">have_title</span><span class="p">(</span><span class="s1">&#39;Edit user&#39;</span><span class="p">)</span>
          <span class="k">end</span>
        <span class="k">end</span>
      <span class="k">end</span>
      <span class="o">.</span>
      <span class="o">.</span>
      <span class="o">.</span>
    <span class="k">end</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Now for the implementation.<sup class="footnote" id="fnref-9_4"><a href="#fn-9_4">4</a></sup> In order to forward users to their intended destination, we need to store the location of the requested page somewhere, and then redirect to that location instead. We accomplish this with a pair of methods, <code>store_location</code> and <code>redirect_back_or</code>, both defined in the Sessions helper (<a class="ref" href="updating-showing-and-deleting-users.html#code-friendly_forwarding_code">Listing&nbsp;9.17</a>).</p>

<div class="label" id="code-friendly_forwarding_code"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.17.</span> <span class="description">Code to implement friendly forwarding. <br /> <code>app/helpers/sessions_helper.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">module</span> <span class="nn">SessionsHelper</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">redirect_back_or</span><span class="p">(</span><span class="n">default</span><span class="p">)</span>
    <span class="n">redirect_to</span><span class="p">(</span><span class="n">session</span><span class="o">[</span><span class="ss">:return_to</span><span class="o">]</span> <span class="o">||</span> <span class="n">default</span><span class="p">)</span>
    <span class="n">session</span><span class="o">.</span><span class="n">delete</span><span class="p">(</span><span class="ss">:return_to</span><span class="p">)</span>
  <span class="k">end</span>

  <span class="k">def</span> <span class="nf">store_location</span>
    <span class="n">session</span><span class="o">[</span><span class="ss">:return_to</span><span class="o">]</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">url</span> <span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">get?</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>The storage mechanism is the <code>session</code> facility provided by Rails, which you can think of as being like an instance of the <code>cookies</code> variable from <a class="ref" href="sign-in-sign-out.html#sec-remember_me">Section&nbsp;8.2.1</a> that automatically expires upon browser close. We also use the <code>request</code> object to get the <code>url</code>, i.e., the URL of the requested page. The <code>store_location</code> method puts the requested URL in the <code>session</code> variable under the key <code>:return_to</code>, but only for a <code>GET</code> request (<code>if request.get?</code>). This prevents storing the forwarding URL if a user, say, submits a form when not logged in (which is an edge case but could happen if, e.g., a user deleted the remember token by hand before submitting the form); in this case, the resulting redirect would issue a <code>GET</code> request to a URL expecting <code>POST</code>, <code>PATCH</code>, or <code>DELETE</code>, thereby causing an error.<sup class="footnote" id="fnref-9_5"><a href="#fn-9_5">5</a></sup></p>

<p>To make use of <code>store_location</code>, we need to add it to the <code>signed_in_user</code> before filter, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-add_store_location">Listing&nbsp;9.18</a>.</p>

<div class="label" id="code-add_store_location"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.18.</span> <span class="description">Adding <code>store_location</code> to the signed-in user before filter. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="n">before_action</span> <span class="ss">:signed_in_user</span><span class="p">,</span> <span class="ss">only:</span> <span class="o">[</span><span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="n">before_action</span> <span class="ss">:correct_user</span><span class="p">,</span>   <span class="ss">only:</span> <span class="o">[</span><span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">edit</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="kp">private</span>

    <span class="k">def</span> <span class="nf">user_params</span>
      <span class="n">params</span><span class="o">.</span><span class="n">require</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span><span class="o">.</span><span class="n">permit</span><span class="p">(</span><span class="ss">:name</span><span class="p">,</span> <span class="ss">:email</span><span class="p">,</span> <span class="ss">:password</span><span class="p">,</span>
                                   <span class="ss">:password_confirmation</span><span class="p">)</span>
    <span class="k">end</span>

    <span class="c1"># Before filters</span>

    <span class="k">def</span> <span class="nf">signed_in_user</span>
      <span class="k">unless</span> <span class="n">signed_in?</span>
        <span class="n">store_location</span>
        <span class="n">redirect_to</span> <span class="n">signin_url</span><span class="p">,</span> <span class="ss">notice:</span> <span class="s2">&quot;Please sign in.&quot;</span>
      <span class="k">end</span>
    <span class="k">end</span>

    <span class="k">def</span> <span class="nf">correct_user</span>
      <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span>
      <span class="n">redirect_to</span><span class="p">(</span><span class="n">root_url</span><span class="p">)</span> <span class="k">unless</span> <span class="n">current_user?</span><span class="p">(</span><span class="vi">@user</span><span class="p">)</span>
    <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>To implement the forwarding itself, we use the <code>redirect_back_or</code> method to redirect to the requested URL if it exists, or some default URL otherwise, which we add to the Sessions controller <code>create</code> action to redirect after successful signin (<a class="ref" href="updating-showing-and-deleting-users.html#code-friendly_session_create">Listing&nbsp;9.19</a>). The <code>redirect_back_or</code> method uses the or operator&nbsp;<code>||</code> through</p>

<div class="code"><div class="highlight"><pre><span class="n">session</span><span class="o">[</span><span class="ss">:return_to</span><span class="o">]</span> <span class="o">||</span> <span class="n">default</span>
</pre></div>
</div>


<p>This evaluates to <code>session[:return_to]</code> unless it&rsquo;s <code>nil</code>, in which case it evaluates to the given default URL. Note that <a class="ref" href="updating-showing-and-deleting-users.html#code-friendly_forwarding_code">Listing&nbsp;9.17</a> is careful to remove the forwarding URL; otherwise, subsequent signin attempts would forward to the protected page until the user closed their browser. (Testing for this is left as an exercise (<a class="ref" href="updating-showing-and-deleting-users.html#sec-updating_deleting_exercises">Section&nbsp;9.6</a>.)</p>

<div class="label" id="code-friendly_session_create"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.19.</span> <span class="description">The Sessions <code>create</code> action with friendly forwarding. <br /> <code>app/controllers/sessions_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">SessionsController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">create</span>
    <span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find_by</span><span class="p">(</span><span class="ss">email:</span> <span class="n">params</span><span class="o">[</span><span class="ss">:session</span><span class="o">][</span><span class="ss">:email</span><span class="o">].</span><span class="n">downcase</span><span class="p">)</span>
    <span class="k">if</span> <span class="n">user</span> <span class="o">&amp;&amp;</span> <span class="n">user</span><span class="o">.</span><span class="n">authenticate</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:session</span><span class="o">][</span><span class="ss">:password</span><span class="o">]</span><span class="p">)</span>
      <span class="n">sign_in</span> <span class="n">user</span>
      <span class="n">redirect_back_or</span> <span class="n">user</span>
    <span class="k">else</span>
      <span class="n">flash</span><span class="o">.</span><span class="n">now</span><span class="o">[</span><span class="ss">:error</span><span class="o">]</span> <span class="o">=</span> <span class="s1">&#39;Invalid email/password combination&#39;</span>
      <span class="n">render</span> <span class="s1">&#39;new&#39;</span>
    <span class="k">end</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>(If you completed the first exercise in <a class="ref" href="sign-in-sign-out.html#top">Chapter&nbsp;8</a>, be sure to use the proper <code>params</code> hash in <a class="ref" href="updating-showing-and-deleting-users.html#code-friendly_session_create">Listing&nbsp;9.19</a>.)</p>

<p>With that, the friendly forwarding integration test in <a class="ref" href="updating-showing-and-deleting-users.html#code-friendly_forwarding_test">Listing&nbsp;9.16</a> should pass, and the basic user authentication and page protection implementation is complete. As usual, it&rsquo;s a good idea to verify that the test suite is green before proceeding:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/
</pre></div>
</div>




<div class="label" id="sec-showing_all_users"></div>


<h2><a id="sec-9_3" href="updating-showing-and-deleting-users.html#sec-showing_all_users" class="heading"><span class="number">9.3</span> Showing all users</a></h2>


<p>In this section, we&rsquo;ll add the <a href="http://www.answers.com/penultimate">penultimate</a> user action, the <code>index</code> action, which is designed to display <em>all</em> the users instead of just one. Along the way, we&rsquo;ll learn about populating the database with sample users and <em>paginating</em> the user output so that the index page can scale up to display a potentially large number of users. A mockup of the result&mdash;users, pagination links, and a &ldquo;Users&rdquo; navigation link&mdash;appears in <a class="ref" href="updating-showing-and-deleting-users.html#fig-user_index_mockup">Figure&nbsp;9.7</a>.<sup class="footnote" id="fnref-9_6"><a href="#fn-9_6">6</a></sup> In <a class="ref" href="updating-showing-and-deleting-users.html#sec-destroying_users">Section&nbsp;9.4</a>, we&rsquo;ll add an administrative interface to the user index so that (presumably troublesome) users can be destroyed.</p>

<div class="label" id="fig-user_index_mockup"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/user_index_mockup_bootstrap.png" alt="user_index_mockup_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.7: </span><span class="description">A mockup of the user index, with pagination and a &ldquo;Users&rdquo; nav link.&nbsp;<a href="http://railstutorial.org/images/figures/user_index_mockup_bootstrap-full.png">(full size)</a></span></div></div>




<div class="label" id="sec-user_index"></div>


<h3><a id="sec-9_3_1" href="updating-showing-and-deleting-users.html#sec-user_index" class="heading"><span class="number">9.3.1</span> User index</a></h3>


<p>Although we&rsquo;ll keep individual user <code>show</code> pages visible to all site visitors, the user <code>index</code> will be restricted to signed-in users so that there&rsquo;s a limit to how much unregistered users can see by default. We&rsquo;ll start by testing that the <code>index</code> action is protected by visiting the <code>users_path</code> (<a class="ref" href="sign-up.html#table-RESTful_users">Table&nbsp;7.1</a>) and verifying that we are redirected to the signin page. As with other authorization tests, we&rsquo;ll put this example in the authentication integration test, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-protected_index_test">Listing&nbsp;9.20</a>.</p>

<div class="label" id="code-protected_index_test"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.20.</span> <span class="description">Testing that the <code>index</code> action is protected. <br /> <code>spec/requests/authentication_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;Authentication&quot;</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">describe</span> <span class="s2">&quot;authorization&quot;</span> <span class="k">do</span>

    <span class="n">describe</span> <span class="s2">&quot;for non-signed-in users&quot;</span> <span class="k">do</span>
      <span class="o">.</span>
      <span class="o">.</span>
      <span class="o">.</span>
      <span class="n">describe</span> <span class="s2">&quot;in the Users controller&quot;</span> <span class="k">do</span>
        <span class="o">.</span>
        <span class="o">.</span>
        <span class="o">.</span>
        <span class="n">describe</span> <span class="s2">&quot;visiting the user index&quot;</span> <span class="k">do</span>
          <span class="n">before</span> <span class="p">{</span> <span class="n">visit</span> <span class="n">users_path</span> <span class="p">}</span>
          <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_title</span><span class="p">(</span><span class="s1">&#39;Sign in&#39;</span><span class="p">)</span> <span class="p">}</span>
        <span class="k">end</span>
      <span class="k">end</span>
      <span class="o">.</span>
      <span class="o">.</span>
      <span class="o">.</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>The corresponding application code simply involves adding <code>index</code> to the list of actions protected by the <code>signed_in_user</code> before filter, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-signed_in_user_index">Listing&nbsp;9.21</a>.</p>

<div class="label" id="code-signed_in_user_index"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.21.</span> <span class="description">Requiring a signed-in user for the <code>index</code> action. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="n">before_action</span> <span class="ss">:signed_in_user</span><span class="p">,</span> <span class="ss">only:</span> <span class="o">[</span><span class="ss">:index</span><span class="p">,</span> <span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="n">before_action</span> <span class="ss">:correct_user</span><span class="p">,</span>   <span class="ss">only:</span> <span class="o">[</span><span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>

  <span class="k">def</span> <span class="nf">index</span>
  <span class="k">end</span>

  <span class="k">def</span> <span class="nf">show</span>
    <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>The next set of tests makes sure that, for signed-in users, the index page has the right title/content and lists all of the site&rsquo;s users. The method is to make three factory users (signing in as the first one) and then verify that the index page has a list element (<code>li</code>) tag for the name of each one. Note that we&rsquo;ve taken care to give the users different names so that each element in the list of users has a unique entry, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_index_tests">Listing&nbsp;9.22</a>.</p>

<div class="label" id="code-user_index_tests"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.22.</span> <span class="description">Tests for the user index page. <br /> <code>spec/requests/user_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;User pages&quot;</span> <span class="k">do</span>

  <span class="n">subject</span> <span class="p">{</span> <span class="n">page</span> <span class="p">}</span>

  <span class="n">describe</span> <span class="s2">&quot;index&quot;</span> <span class="k">do</span>
    <span class="n">before</span> <span class="k">do</span>
      <span class="n">sign_in</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span>
      <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">,</span> <span class="nb">name</span><span class="p">:</span> <span class="s2">&quot;Bob&quot;</span><span class="p">,</span> <span class="ss">email:</span> <span class="s2">&quot;bob@example.com&quot;</span><span class="p">)</span>
      <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">,</span> <span class="nb">name</span><span class="p">:</span> <span class="s2">&quot;Ben&quot;</span><span class="p">,</span> <span class="ss">email:</span> <span class="s2">&quot;ben@example.com&quot;</span><span class="p">)</span>
      <span class="n">visit</span> <span class="n">users_path</span>
    <span class="k">end</span>

    <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_title</span><span class="p">(</span><span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="p">}</span>
    <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_content</span><span class="p">(</span><span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="p">}</span>

    <span class="n">it</span> <span class="s2">&quot;should list each user&quot;</span> <span class="k">do</span>
      <span class="no">User</span><span class="o">.</span><span class="n">all</span><span class="o">.</span><span class="n">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">user</span><span class="o">|</span>
        <span class="n">expect</span><span class="p">(</span><span class="n">page</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">have_selector</span><span class="p">(</span><span class="s1">&#39;li&#39;</span><span class="p">,</span> <span class="ss">text:</span> <span class="n">user</span><span class="o">.</span><span class="n">name</span><span class="p">)</span>
      <span class="k">end</span>
    <span class="k">end</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>As you may recall from the corresponding action in the demo app (<a class="ref" href="a-demo-app.html#code-demo_index_action">Listing&nbsp;2.4</a>), the application code uses <code>User.all</code> to pull all the users out of the database, assigning them to an <code>@users</code> instance variable for use in the view, as seen in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_index">Listing&nbsp;9.23</a>. (If displaying all the users at once seems like a bad idea, you&rsquo;re right, and we&rsquo;ll remove this blemish in <a class="ref" href="updating-showing-and-deleting-users.html#sec-pagination">Section&nbsp;9.3.3</a>.)</p>

<div class="label" id="code-user_index"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.23.</span> <span class="description">The user <code>index</code> action. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="n">before_action</span> <span class="ss">:signed_in_user</span><span class="p">,</span> <span class="ss">only:</span> <span class="o">[</span><span class="ss">:index</span><span class="p">,</span> <span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">index</span>
    <span class="vi">@users</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">all</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>To make the actual index page, we need to make a view that iterates through the users and wraps each one in an&nbsp;<code>li</code> tag. We do this with the <code>each</code> method, displaying each user&rsquo;s Gravatar and name, while wrapping the whole thing in an unordered list (<code>ul</code>) tag (<a class="ref" href="updating-showing-and-deleting-users.html#code-user_index_view">Listing&nbsp;9.24</a>). The code in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_index_view">Listing&nbsp;9.24</a> uses the result of  <a class="ref" href="sign-up.html#code-gravatar_option">Listing&nbsp;7.30</a> from <a class="ref" href="sign-up.html#sec-signup_exercises">Section&nbsp;7.6</a>, which allows us to pass an option to the Gravatar helper specifying a size other than the default. If you didn&rsquo;t do that exercise, update your Users helper file with the contents of <a class="ref" href="sign-up.html#code-gravatar_option">Listing&nbsp;7.30</a> before proceeding.</p>

<div class="label" id="code-user_index_view"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.24.</span> <span class="description">The user index view. <br /> <code>app/views/users/index.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="cp">&lt;%</span> <span class="n">provide</span><span class="p">(</span><span class="ss">:title</span><span class="p">,</span> <span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;h1&gt;</span>All users<span class="nt">&lt;/h1&gt;</span>

<span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">&quot;users&quot;</span><span class="nt">&gt;</span>
  <span class="cp">&lt;%</span> <span class="vi">@users</span><span class="o">.</span><span class="n">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">user</span><span class="o">|</span> <span class="cp">%&gt;</span>
    <span class="nt">&lt;li&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">gravatar_for</span> <span class="n">user</span><span class="p">,</span> <span class="ss">size:</span> <span class="mi">52</span> <span class="cp">%&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="n">user</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="n">user</span> <span class="cp">%&gt;</span>
    <span class="nt">&lt;/li&gt;</span>
  <span class="cp">&lt;%</span> <span class="k">end</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;/ul&gt;</span>
</pre></div>
</div></div>


<p>Let&rsquo;s also add a little CSS (or, rather, SCSS) for style (<a class="ref" href="updating-showing-and-deleting-users.html#code-user_index_css">Listing&nbsp;9.25</a>).</p>

<div class="label" id="code-user_index_css"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.25.</span> <span class="description">CSS for the user index. <br /> <code>app/assets/stylesheets/custom.css.scss</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nc">.</span>
<span class="nc">.</span>
<span class="nc">.</span>

<span class="o">/*</span> <span class="nt">Users</span> <span class="nt">index</span> <span class="o">*/</span>

<span class="nc">.users</span> <span class="p">{</span>
  <span class="na">list-style</span><span class="o">:</span> <span class="no">none</span><span class="p">;</span>
  <span class="na">margin</span><span class="o">:</span> <span class="mi">0</span><span class="p">;</span>
  <span class="nt">li</span> <span class="p">{</span>
    <span class="na">overflow</span><span class="o">:</span> <span class="no">auto</span><span class="p">;</span>
    <span class="na">padding</span><span class="o">:</span> <span class="mi">10</span><span class="kt">px</span> <span class="mi">0</span><span class="p">;</span>
    <span class="na">border-top</span><span class="o">:</span> <span class="mi">1</span><span class="kt">px</span> <span class="no">solid</span> <span class="nv">$grayLighter</span><span class="p">;</span>
    <span class="k">&amp;</span><span class="nd">:last-child</span> <span class="p">{</span>
      <span class="na">border-bottom</span><span class="o">:</span> <span class="mi">1</span><span class="kt">px</span> <span class="no">solid</span> <span class="nv">$grayLighter</span><span class="p">;</span>
    <span class="p">}</span>
  <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div></div>


<p>Finally, we&rsquo;ll add the URL to the users link in the site&rsquo;s navigation header using <code>users_path</code>, thereby using the last of the unused named routes in <a class="ref" href="sign-up.html#table-RESTful_users">Table&nbsp;7.1</a>. The test (<a class="ref" href="updating-showing-and-deleting-users.html#code-users_link_test">Listing&nbsp;9.26</a>) and application code (<a class="ref" href="updating-showing-and-deleting-users.html#code-users_link">Listing&nbsp;9.27</a>) are both straightforward.</p>

<div class="label" id="code-users_link_test"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.26.</span> <span class="description">A test for the &ldquo;Users&rdquo; link URL. <br /> <code>spec/requests/authentication_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;Authentication&quot;</span> <span class="k">do</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="n">describe</span> <span class="s2">&quot;with valid information&quot;</span> <span class="k">do</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">before</span> <span class="p">{</span> <span class="n">sign_in</span> <span class="n">user</span> <span class="p">}</span>

      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_title</span><span class="p">(</span><span class="n">user</span><span class="o">.</span><span class="n">name</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Users&#39;</span><span class="p">,</span>       <span class="ss">href:</span> <span class="n">users_path</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Profile&#39;</span><span class="p">,</span>     <span class="ss">href:</span> <span class="n">user_path</span><span class="p">(</span><span class="n">user</span><span class="p">))</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Settings&#39;</span><span class="p">,</span>    <span class="ss">href:</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">user</span><span class="p">))</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Sign out&#39;</span><span class="p">,</span>    <span class="ss">href:</span> <span class="n">signout_path</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">it</span> <span class="p">{</span> <span class="n">should_not</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;Sign in&#39;</span><span class="p">,</span> <span class="ss">href:</span> <span class="n">signin_path</span><span class="p">)</span> <span class="p">}</span>
      <span class="o">.</span>
      <span class="o">.</span>
      <span class="o">.</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>




<div class="label" id="code-users_link"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.27.</span> <span class="description">Adding the URL to the users link. <br /> <code>app/views/layouts/_header.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nt">&lt;header</span> <span class="na">class=</span><span class="s">&quot;navbar navbar-fixed-top navbar-inverse&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">&quot;navbar-inner&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">&quot;container&quot;</span><span class="nt">&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;sample app&quot;</span><span class="p">,</span> <span class="n">root_path</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="s2">&quot;logo&quot;</span> <span class="cp">%&gt;</span>
      <span class="nt">&lt;nav&gt;</span>
        <span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">&quot;nav pull-right&quot;</span><span class="nt">&gt;</span>
          <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Home&quot;</span><span class="p">,</span> <span class="n">root_path</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
          <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Help&quot;</span><span class="p">,</span> <span class="n">help_path</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
          <span class="cp">&lt;%</span> <span class="k">if</span> <span class="n">signed_in?</span> <span class="cp">%&gt;</span>
            <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Users&quot;</span><span class="p">,</span> <span class="n">users_path</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
            <span class="nt">&lt;li</span> <span class="na">id=</span><span class="s">&quot;fat-menu&quot;</span> <span class="na">class=</span><span class="s">&quot;dropdown&quot;</span><span class="nt">&gt;</span>
              <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">&quot;#&quot;</span> <span class="na">class=</span><span class="s">&quot;dropdown-toggle&quot;</span> <span class="na">data-toggle=</span><span class="s">&quot;dropdown&quot;</span><span class="nt">&gt;</span>
                Account <span class="nt">&lt;b</span> <span class="na">class=</span><span class="s">&quot;caret&quot;</span><span class="nt">&gt;&lt;/b&gt;</span>
              <span class="nt">&lt;/a&gt;</span>
              <span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">&quot;dropdown-menu&quot;</span><span class="nt">&gt;</span>
                <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Profile&quot;</span><span class="p">,</span> <span class="n">current_user</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
                <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Settings&quot;</span><span class="p">,</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">current_user</span><span class="p">)</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
                <span class="nt">&lt;li</span> <span class="na">class=</span><span class="s">&quot;divider&quot;</span><span class="nt">&gt;&lt;/li&gt;</span>
                <span class="nt">&lt;li&gt;</span>
                  <span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Sign out&quot;</span><span class="p">,</span> <span class="n">signout_path</span><span class="p">,</span> <span class="nb">method</span><span class="p">:</span> <span class="s2">&quot;delete&quot;</span> <span class="cp">%&gt;</span>
                <span class="nt">&lt;/li&gt;</span>
              <span class="nt">&lt;/ul&gt;</span>
            <span class="nt">&lt;/li&gt;</span>
          <span class="cp">&lt;%</span> <span class="k">else</span> <span class="cp">%&gt;</span>
            <span class="nt">&lt;li&gt;</span><span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;Sign in&quot;</span><span class="p">,</span> <span class="n">signin_path</span> <span class="cp">%&gt;</span><span class="nt">&lt;/li&gt;</span>
          <span class="cp">&lt;%</span> <span class="k">end</span> <span class="cp">%&gt;</span>
        <span class="nt">&lt;/ul&gt;</span>
      <span class="nt">&lt;/nav&gt;</span>
    <span class="nt">&lt;/div&gt;</span>
  <span class="nt">&lt;/div&gt;</span>
<span class="nt">&lt;/header&gt;</span>
</pre></div>
</div></div>


<p>With that, the user index is fully functional, with all tests passing:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/
</pre></div>
</div>


<p>On the other hand, as seen in <a class="ref" href="updating-showing-and-deleting-users.html#fig-user_index_only_one">Figure&nbsp;9.8</a>, it is a bit&hellip; lonely. Let&rsquo;s remedy this sad situation.</p>

<div class="label" id="fig-user_index_only_one"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/user_index_only_one_bootstrap.png" alt="user_index_only_one_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.8: </span><span class="description">The user index page  <a href="http://localhost:3000/users">/users</a> with only one user.&nbsp;<a href="http://railstutorial.org/images/figures/user_index_only_one_bootstrap-full.png">(full size)</a></span></div></div>




<div class="label" id="sec-sample_users"></div>


<h3><a id="sec-9_3_2" href="updating-showing-and-deleting-users.html#sec-sample_users" class="heading"><span class="number">9.3.2</span> Sample users</a></h3>


<p>In this section, we&rsquo;ll give our lonely sample user some company. Of course, to create enough users to make a decent user index, we <em>could</em> use our web browser to visit the signup page and make the new users one by one, but far a better solution is to use Ruby (and Rake) to make the users for us.</p>

<p>First, we&rsquo;ll add the <em>Faker</em> gem to the <code>Gemfile</code>, which will allow us to make sample users with semi-realistic names and email addresses (<a class="ref" href="updating-showing-and-deleting-users.html#code-faker_gemfile">Listing&nbsp;9.28</a>).</p>

<div class="label" id="code-faker_gemfile"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.28.</span> <span class="description">Adding the Faker gem to the <code>Gemfile</code>.</span> </div>
<div class="code"><div class="highlight"><pre><span class="n">source</span> <span class="s1">&#39;https://rubygems.org&#39;</span>
<span class="n">ruby</span> <span class="s1">&#39;2.0.0&#39;</span>
<span class="c1">#ruby-gemset=railstutorial_rails_4_0</span>

<span class="n">gem</span> <span class="s1">&#39;rails&#39;</span><span class="p">,</span> <span class="s1">&#39;4.0.4&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;bootstrap-sass&#39;</span><span class="p">,</span> <span class="s1">&#39;2.3.2.0&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;sprockets&#39;</span><span class="p">,</span> <span class="s1">&#39;2.11.0&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;bcrypt-ruby&#39;</span><span class="p">,</span> <span class="s1">&#39;3.1.2&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;faker&#39;</span><span class="p">,</span> <span class="s1">&#39;1.1.2&#39;</span>
<span class="o">.</span>
<span class="o">.</span>
<span class="o">.</span>
</pre></div>
</div></div>


<p>Then install as usual:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle install
</pre></div>
</div>


<p>Next, we&rsquo;ll add a Rake task to create sample users. Rake tasks live in the <code>lib/tasks</code> directory, and are defined using <em>namespaces</em> (in this case, <code>:db</code>), as seen in <a class="ref" href="updating-showing-and-deleting-users.html#code-db_populate">Listing&nbsp;9.29</a>. (This is a bit advanced, so don&rsquo;t worry too much about the details.)</p>

<div class="label" id="code-db_populate"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.29.</span> <span class="description">A Rake task for populating the database with sample users. <br /> <code>lib/tasks/sample_data.rake</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="n">namespace</span> <span class="ss">:db</span> <span class="k">do</span>
  <span class="n">desc</span> <span class="s2">&quot;Fill database with sample data&quot;</span>
  <span class="n">task</span> <span class="ss">populate:</span> <span class="ss">:environment</span> <span class="k">do</span>
    <span class="no">User</span><span class="o">.</span><span class="n">create!</span><span class="p">(</span><span class="nb">name</span><span class="p">:</span> <span class="s2">&quot;Example User&quot;</span><span class="p">,</span>
                 <span class="ss">email:</span> <span class="s2">&quot;example@railstutorial.org&quot;</span><span class="p">,</span>
                 <span class="ss">password:</span> <span class="s2">&quot;foobar&quot;</span><span class="p">,</span>
                 <span class="ss">password_confirmation:</span> <span class="s2">&quot;foobar&quot;</span><span class="p">)</span>
    <span class="mi">99</span><span class="o">.</span><span class="n">times</span> <span class="k">do</span> <span class="o">|</span><span class="n">n</span><span class="o">|</span>
      <span class="nb">name</span>  <span class="o">=</span> <span class="ss">Faker::Name</span><span class="o">.</span><span class="n">name</span>
      <span class="n">email</span> <span class="o">=</span> <span class="s2">&quot;example-</span><span class="si">#{</span><span class="n">n</span><span class="o">+</span><span class="mi">1</span><span class="si">}</span><span class="s2">@railstutorial.org&quot;</span>
      <span class="n">password</span>  <span class="o">=</span> <span class="s2">&quot;password&quot;</span>
      <span class="no">User</span><span class="o">.</span><span class="n">create!</span><span class="p">(</span><span class="nb">name</span><span class="p">:</span> <span class="nb">name</span><span class="p">,</span>
                   <span class="ss">email:</span> <span class="n">email</span><span class="p">,</span>
                   <span class="ss">password:</span> <span class="n">password</span><span class="p">,</span>
                   <span class="ss">password_confirmation:</span> <span class="n">password</span><span class="p">)</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>This defines a task <code>db:populate</code> that creates an example user with name and email address replicating our previous one, and then makes 99 more. The line</p>

<div class="code"><div class="highlight"><pre><span class="n">task</span> <span class="ss">populate:</span> <span class="ss">:environment</span> <span class="k">do</span>
</pre></div>
</div>


<p>ensures that the Rake task has access to the local Rails environment, including the User model (and hence <code>User.create!</code>). Here <code>create!</code> is just like the <code>create</code> method, except it raises an exception (<a class="ref" href="modeling-users.html#sec-finding_user_objects">Section&nbsp;6.1.4</a>) for an invalid user rather than returning <code>false</code>. This noisier construction makes debugging easier by avoiding silent errors.</p>

<p>With the <code>:db</code> namespace as in <a class="ref" href="updating-showing-and-deleting-users.html#code-db_populate">Listing&nbsp;9.29</a>, we can invoke the Rake task as follows:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rake db:reset
<span class="gp">$</span> bundle <span class="nb">exec </span>rake db:populate
<span class="gp">$</span> bundle <span class="nb">exec </span>rake <span class="nb">test</span>:prepare
</pre></div>
</div>


<p>After running the Rake task, our application has 100 sample users, as seen in <a class="ref" href="updating-showing-and-deleting-users.html#fig-user_index_all">Figure&nbsp;9.9</a>. (I&rsquo;ve taken the liberty of associating the first few sample addresses with photos so that they&rsquo;re not all the default Gravatar image.)</p>

<div class="label" id="fig-user_index_all"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/user_index_all_bootstrap.png" alt="user_index_all_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.9: </span><span class="description">The user index page <a href="http://localhost:3000/users">/users</a> with 100 sample users.&nbsp;<a href="http://railstutorial.org/images/figures/user_index_all_bootstrap-full.png">(full size)</a></span></div></div>




<div class="label" id="sec-pagination"></div>


<h3><a id="sec-9_3_3" href="updating-showing-and-deleting-users.html#sec-pagination" class="heading"><span class="number">9.3.3</span> Pagination</a></h3>


<p>Our original user doesn&rsquo;t suffer from loneliness any more, but now we have the opposite problem: our user has <em>too many</em> companions, and they all appear on the same page. Right now there are a hundred, which is already a reasonably large number, and on a real site it could be thousands. The solution is to <em>paginate</em> the users, so that (for example) only 30 show up on a page at any one time.</p>

<p>There are several pagination methods in Rails; we&rsquo;ll use one of the simplest and most robust, called <a href="http://wiki.github.com/mislav/will_paginate/">will_paginate</a>. To use it, we need to include both the <tt>will_paginate</tt> gem and <tt>bootstrap-will_paginate</tt>, which configures will_paginate to use Bootstrap&rsquo;s pagination styles. The updated <code>Gemfile</code> appears in <a class="ref" href="updating-showing-and-deleting-users.html#code-will_paginate_gem">Listing&nbsp;9.30</a>.</p>

<div class="label" id="code-will_paginate_gem"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.30.</span> <span class="description">Including <tt>will_paginate</tt> in the <code>Gemfile</code>.</span> </div>
<div class="code"><div class="highlight"><pre><span class="n">source</span> <span class="s1">&#39;https://rubygems.org&#39;</span>
<span class="n">ruby</span> <span class="s1">&#39;2.0.0&#39;</span>
<span class="c1">#ruby-gemset=railstutorial_rails_4_0</span>

<span class="n">gem</span> <span class="s1">&#39;rails&#39;</span><span class="p">,</span> <span class="s1">&#39;4.0.4&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;bootstrap-sass&#39;</span><span class="p">,</span> <span class="s1">&#39;2.3.2.0&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;sprockets&#39;</span><span class="p">,</span> <span class="s1">&#39;2.11.0&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;bcrypt-ruby&#39;</span><span class="p">,</span> <span class="s1">&#39;3.1.2&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;faker&#39;</span><span class="p">,</span> <span class="s1">&#39;1.1.2&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;will_paginate&#39;</span><span class="p">,</span> <span class="s1">&#39;3.0.4&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;bootstrap-will_paginate&#39;</span><span class="p">,</span> <span class="s1">&#39;0.0.9&#39;</span>
<span class="o">.</span>
<span class="o">.</span>
<span class="o">.</span>
</pre></div>
</div></div>


<p>Then run <code>bundle install</code>:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle install
</pre></div>
</div>


<p>You should also restart the web server to ensure that the new gems are loaded properly.</p>

<p>Because the <tt>will_paginate</tt> gem is in wide use, there&rsquo;s no need to test it thoroughly, so we&rsquo;ll take a lightweight approach. First, we&rsquo;ll test for a <code>div</code> with CSS class &ldquo;pagination&rdquo;, which is what gets output by <tt>will_paginate</tt>. Then we&rsquo;ll verify that the correct users appear on the first page of results. This requires the use of the <code>paginate</code> method, which we&rsquo;ll cover shortly.</p>

<p>As before, we&rsquo;ll use Factory Girl to simulate users, but immediately we have a problem: user email addresses must be unique, which would appear to require creating more than 30 users by hand&mdash;a terribly cumbersome job. In addition, when testing for user listings it would be convenient for them all to have different names. Fortunately, Factory Girl anticipates this issue, and provides <em>sequences</em> to solve it. Our original factory (<a class="ref" href="sign-up.html#code-user_factory">Listing&nbsp;7.8</a>) hard-coded the name and email address:</p>

<div class="code"><div class="highlight"><pre><span class="no">FactoryGirl</span><span class="o">.</span><span class="n">define</span> <span class="k">do</span>
  <span class="n">factory</span> <span class="ss">:user</span> <span class="k">do</span>
    <span class="nb">name</span>     <span class="s2">&quot;Michael Hartl&quot;</span>
    <span class="n">email</span>    <span class="s2">&quot;michael@example.com&quot;</span>
    <span class="n">password</span> <span class="s2">&quot;foobar&quot;</span>
    <span class="n">password_confirmation</span> <span class="s2">&quot;foobar&quot;</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div>


<p>Instead, we can arrange for a sequence of names and email addresses using the <code>sequence</code> method:</p>

<div class="code"><div class="highlight"><pre><span class="n">factory</span> <span class="ss">:user</span> <span class="k">do</span>
  <span class="n">sequence</span><span class="p">(</span><span class="ss">:name</span><span class="p">)</span>  <span class="p">{</span> <span class="o">|</span><span class="n">n</span><span class="o">|</span> <span class="s2">&quot;Person </span><span class="si">#{</span><span class="n">n</span><span class="si">}</span><span class="s2">&quot;</span> <span class="p">}</span>
  <span class="n">sequence</span><span class="p">(</span><span class="ss">:email</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">n</span><span class="o">|</span> <span class="s2">&quot;person_</span><span class="si">#{</span><span class="n">n</span><span class="si">}</span><span class="s2">@example.com&quot;</span><span class="p">}</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
</pre></div>
</div>


<p>Here <code>sequence</code> takes a symbol corresponding to the desired attribute (such as <code>:name</code>) and a block with one variable, which we have called&nbsp;<code>n</code>. Upon successive invocations of the <code>FactoryGirl</code> method,</p>

<div class="code"><div class="highlight"><pre><span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span>
</pre></div>
</div>


<p>The block variable <code>n</code> is automatically incremented, so that the first user has name &ldquo;Person&nbsp;1&rdquo; and email address &ldquo;person_1@example.com&rdquo;, the second user has name &ldquo;Person&nbsp;2&rdquo; and email address &ldquo;person_2@example.com&rdquo;, and so on. The full
code appears in <a class="ref" href="updating-showing-and-deleting-users.html#code-factory_sequence">Listing&nbsp;9.31</a>.</p>

<div class="label" id="code-factory_sequence"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.31.</span> <span class="description">Defining a Factory Girl sequence. <br /> <code>spec/factories.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="no">FactoryGirl</span><span class="o">.</span><span class="n">define</span> <span class="k">do</span>
  <span class="n">factory</span> <span class="ss">:user</span> <span class="k">do</span>
    <span class="n">sequence</span><span class="p">(</span><span class="ss">:name</span><span class="p">)</span>  <span class="p">{</span> <span class="o">|</span><span class="n">n</span><span class="o">|</span> <span class="s2">&quot;Person </span><span class="si">#{</span><span class="n">n</span><span class="si">}</span><span class="s2">&quot;</span> <span class="p">}</span>
    <span class="n">sequence</span><span class="p">(</span><span class="ss">:email</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">n</span><span class="o">|</span> <span class="s2">&quot;person_</span><span class="si">#{</span><span class="n">n</span><span class="si">}</span><span class="s2">@example.com&quot;</span><span class="p">}</span>
    <span class="n">password</span> <span class="s2">&quot;foobar&quot;</span>
    <span class="n">password_confirmation</span> <span class="s2">&quot;foobar&quot;</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Applying the idea of factory sequences, we can make 30 users in our test, which (as we will see) will be sufficient to invoke pagination:</p>

<div class="code"><div class="highlight"><pre><span class="n">before</span><span class="p">(</span><span class="ss">:all</span><span class="p">)</span> <span class="p">{</span> <span class="mi">30</span><span class="o">.</span><span class="n">times</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span>
<span class="n">after</span><span class="p">(</span><span class="ss">:all</span><span class="p">)</span>  <span class="p">{</span> <span class="no">User</span><span class="o">.</span><span class="n">delete_all</span> <span class="p">}</span>
</pre></div>
</div>


<p>Note here the use of <code>before(:all)</code>, which ensures that the sample users are created <em>once</em>, before all the tests in the block. This is an optimization for speed, as creating 30 users can be slow on some systems. We use the complementary method <code>after(:all)</code> to delete the users once we&rsquo;re done.</p>

<p>The tests for the appearance of the pagination <code>div</code> and the right users appears in <a class="ref" href="updating-showing-and-deleting-users.html#code-will_paginate_test">Listing&nbsp;9.32</a>. Note the replacement of the <code>User.all</code> array from <a class="ref" href="updating-showing-and-deleting-users.html#code-user_index_tests">Listing&nbsp;9.22</a> with <code>User.paginate(page: 1)</code>, which (as we&rsquo;ll see momentarily) is how to pull out the first page of users from the database. Note also that <a class="ref" href="updating-showing-and-deleting-users.html#code-will_paginate_test">Listing&nbsp;9.32</a> uses <code>before(:each)</code> to emphasize the contrast with <code>before(:all)</code>.</p>

<div class="label" id="code-will_paginate_test"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.32.</span> <span class="description">Tests for pagination. <br /> <code>spec/requests/user_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;User pages&quot;</span> <span class="k">do</span>

  <span class="n">subject</span> <span class="p">{</span> <span class="n">page</span> <span class="p">}</span>

  <span class="n">describe</span> <span class="s2">&quot;index&quot;</span> <span class="k">do</span>
    <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>
    <span class="n">before</span><span class="p">(</span><span class="ss">:each</span><span class="p">)</span> <span class="k">do</span>
      <span class="n">sign_in</span> <span class="n">user</span>
      <span class="n">visit</span> <span class="n">users_path</span>
    <span class="k">end</span>

    <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_title</span><span class="p">(</span><span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="p">}</span>
    <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_content</span><span class="p">(</span><span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="p">}</span>

    <span class="n">describe</span> <span class="s2">&quot;pagination&quot;</span> <span class="k">do</span>

      <span class="n">before</span><span class="p">(</span><span class="ss">:all</span><span class="p">)</span> <span class="p">{</span> <span class="mi">30</span><span class="o">.</span><span class="n">times</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span>
      <span class="n">after</span><span class="p">(</span><span class="ss">:all</span><span class="p">)</span>  <span class="p">{</span> <span class="no">User</span><span class="o">.</span><span class="n">delete_all</span> <span class="p">}</span>

      <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_selector</span><span class="p">(</span><span class="s1">&#39;div.pagination&#39;</span><span class="p">)</span> <span class="p">}</span>

      <span class="n">it</span> <span class="s2">&quot;should list each user&quot;</span> <span class="k">do</span>
        <span class="no">User</span><span class="o">.</span><span class="n">paginate</span><span class="p">(</span><span class="ss">page:</span> <span class="mi">1</span><span class="p">)</span><span class="o">.</span><span class="n">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">user</span><span class="o">|</span>
          <span class="n">expect</span><span class="p">(</span><span class="n">page</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">have_selector</span><span class="p">(</span><span class="s1">&#39;li&#39;</span><span class="p">,</span> <span class="ss">text:</span> <span class="n">user</span><span class="o">.</span><span class="n">name</span><span class="p">)</span>
        <span class="k">end</span>
      <span class="k">end</span>
    <span class="k">end</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>To get pagination working, we need to add some code to the index view telling Rails to paginate the users, and we need to replace <code>User.all</code> in the <code>index</code> action with an object that knows about pagination. We&rsquo;ll start by adding the special <code>will_paginate</code> method in the view (<a class="ref" href="updating-showing-and-deleting-users.html#code-will_paginate_index_view">Listing&nbsp;9.33</a>); we&rsquo;ll see in a moment why the code appears both above and below the user list.</p>

<div class="label" id="code-will_paginate_index_view"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.33.</span> <span class="description">The user index with pagination. <br /> <code>app/views/users/index.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="cp">&lt;%</span> <span class="n">provide</span><span class="p">(</span><span class="ss">:title</span><span class="p">,</span> <span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;h1&gt;</span>All users<span class="nt">&lt;/h1&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">will_paginate</span> <span class="cp">%&gt;</span>

<span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">&quot;users&quot;</span><span class="nt">&gt;</span>
  <span class="cp">&lt;%</span> <span class="vi">@users</span><span class="o">.</span><span class="n">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">user</span><span class="o">|</span> <span class="cp">%&gt;</span>
    <span class="nt">&lt;li&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">gravatar_for</span> <span class="n">user</span><span class="p">,</span> <span class="ss">size:</span> <span class="mi">52</span> <span class="cp">%&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="n">user</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="n">user</span> <span class="cp">%&gt;</span>
    <span class="nt">&lt;/li&gt;</span>
  <span class="cp">&lt;%</span> <span class="k">end</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;/ul&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">will_paginate</span> <span class="cp">%&gt;</span>
</pre></div>
</div></div>


<p>The <code>will_paginate</code> method is a little magical; inside a <code>users</code> view, it automatically looks for an <code>@users</code> object, and then displays pagination links to access other pages. The view in <a class="ref" href="updating-showing-and-deleting-users.html#code-will_paginate_index_view">Listing&nbsp;9.33</a> doesn&rsquo;t work yet, though, because currently <code>@users</code> contains the results of <code>User.all</code> (<a class="ref" href="updating-showing-and-deleting-users.html#code-user_index">Listing&nbsp;9.23</a>), whereas <code>will_paginate</code> requires that we paginate the results explicitly using the <code>paginate</code> method:</p>

<div class="code"><div class="highlight"><pre><span class="go">$ rails console</span>
<span class="gp">&gt;&gt; </span><span class="no">User</span><span class="o">.</span><span class="n">paginate</span><span class="p">(</span><span class="ss">page:</span> <span class="mi">1</span><span class="p">)</span>
<span class="go">  User Load (1.5ms)  SELECT &quot;users&quot;.* FROM &quot;users&quot; LIMIT 30 OFFSET 0</span>
<span class="go">   (1.7ms)  SELECT COUNT(*) FROM &quot;users&quot;</span>
<span class="go">=&gt; #&lt;ActiveRecord::Relation [#&lt;User id: 1,...</span>
</pre></div>
</div>


<p>Note that <code>paginate</code> takes a hash argument with key <code>:page</code> and value equal to the page requested. <code>User.paginate</code> pulls the users out of the database one chunk at a time (30 by default), based on the <code>:page</code> parameter. So, for example, page&nbsp;1 is users 1&ndash;30, page&nbsp;2 is users 31&ndash;60, etc. If the page is <code>nil</code>, <code>paginate</code> simply returns the first page.</p>

<p>Using the <code>paginate</code> method, we can paginate the users in the sample application by using <code>paginate</code> in place of <code>all</code> in the <code>index</code> action (<a class="ref" href="updating-showing-and-deleting-users.html#code-will_paginate_index_action">Listing&nbsp;9.34</a>). Here the <code>:page</code> parameter comes from <code>params[:page]</code>, which is generated automatically by <code>will_paginate</code>.</p>

<div class="label" id="code-will_paginate_index_action"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.34.</span> <span class="description">Paginating the users in the <code>index</code> action. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="n">before_action</span> <span class="ss">:signed_in_user</span><span class="p">,</span> <span class="ss">only:</span> <span class="o">[</span><span class="ss">:index</span><span class="p">,</span> <span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">index</span>
    <span class="vi">@users</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">paginate</span><span class="p">(</span><span class="ss">page:</span> <span class="n">params</span><span class="o">[</span><span class="ss">:page</span><span class="o">]</span><span class="p">)</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>The user index page should now be working, appearing as in <a class="ref" href="updating-showing-and-deleting-users.html#fig-user_index_pagination_rails_3">Figure&nbsp;9.10</a>. (On some systems, you may have to restart the Rails server at this point.) Because we included <code>will_paginate</code> both above and below the user list, the pagination links appear in both places.</p>

<div class="label" id="fig-user_index_pagination_rails_3"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/user_index_pagination_rails_3_bootstrap.png" alt="user_index_pagination_rails_3_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.10: </span><span class="description">The user index page  <a href="http://localhost:3000/users">/users</a> with pagination.&nbsp;<a href="http://railstutorial.org/images/figures/user_index_pagination_rails_3_bootstrap-full.png">(full size)</a></span></div></div>


<p>If you now click on either the&nbsp;<a href="http://localhost:3000/users?page=2">2</a> link or <a href="http://localhost:3000/users?page=2">Next</a> link, you&rsquo;ll get the second page of results, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#fig-user_index_page_two_rails_3">Figure&nbsp;9.11</a>.</p>

<div class="label" id="fig-user_index_page_two_rails_3"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/user_index_page_two_rails_3_bootstrap.png" alt="user_index_page_two_rails_3_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.11: </span><span class="description">Page 2 of the user index (<a href="http://localhost:3000/users?page=2">/users?page=2</a>).&nbsp;<a href="http://railstutorial.org/images/figures/user_index_page_two_rails_3_bootstrap-full.png">(full size)</a></span></div></div>


<p>You should also verify that the tests are passing:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/
</pre></div>
</div>




<div class="label" id="sec-partial_refactoring"></div>


<h3><a id="sec-9_3_4" href="updating-showing-and-deleting-users.html#sec-partial_refactoring" class="heading"><span class="number">9.3.4</span> Partial refactoring</a></h3>


<p>The paginated user index is now complete, but there&rsquo;s one improvement I can&rsquo;t resist including: Rails has some incredibly slick tools for making compact views, and in this section we&rsquo;ll refactor the index page to use them. Because our code is well-tested, we can refactor with confidence, assured that we are unlikely to break our site&rsquo;s functionality.</p>

<p>The first step in our refactoring is to replace the user&nbsp;<code>li</code> from <a class="ref" href="updating-showing-and-deleting-users.html#code-will_paginate_index_view">Listing&nbsp;9.33</a> with a <code>render</code> call (<a class="ref" href="updating-showing-and-deleting-users.html#code-index_view_first_refactoring">Listing&nbsp;9.35</a>).</p>

<div class="label" id="code-index_view_first_refactoring"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.35.</span> <span class="description">The first refactoring attempt at the index view. <br /> <code>app/views/users/index.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="cp">&lt;%</span> <span class="n">provide</span><span class="p">(</span><span class="ss">:title</span><span class="p">,</span> <span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;h1&gt;</span>All users<span class="nt">&lt;/h1&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">will_paginate</span> <span class="cp">%&gt;</span>

<span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">&quot;users&quot;</span><span class="nt">&gt;</span>
  <span class="cp">&lt;%</span> <span class="vi">@users</span><span class="o">.</span><span class="n">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">user</span><span class="o">|</span> <span class="cp">%&gt;</span>
    <span class="cp">&lt;%=</span> <span class="n">render</span> <span class="n">user</span> <span class="cp">%&gt;</span>
  <span class="cp">&lt;%</span> <span class="k">end</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;/ul&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">will_paginate</span> <span class="cp">%&gt;</span>
</pre></div>
</div></div>


<p>Here we call <code>render</code> not on a string with the name of a partial, but rather on a <code>user</code> variable of class <code>User</code>;<sup class="footnote" id="fnref-9_7"><a href="#fn-9_7">7</a></sup> in this context, Rails automatically looks for a partial called <code>_user.html.erb</code>, which we must create (<a class="ref" href="updating-showing-and-deleting-users.html#code-user_partial">Listing&nbsp;9.36</a>).</p>

<div class="label" id="code-user_partial"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.36.</span> <span class="description">A partial to render a single user. <br /> <code>app/views/users/_user.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nt">&lt;li&gt;</span>
  <span class="cp">&lt;%=</span> <span class="n">gravatar_for</span> <span class="n">user</span><span class="p">,</span> <span class="ss">size:</span> <span class="mi">52</span> <span class="cp">%&gt;</span>
  <span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="n">user</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="n">user</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;/li&gt;</span>
</pre></div>
</div></div>


<p>This is a definite improvement, but we can do even better: we can call <code>render</code> <em>directly</em> on the <code>@users</code> variable (<a class="ref" href="updating-showing-and-deleting-users.html#code-index_final_refactoring">Listing&nbsp;9.37</a>).</p>

<div class="label" id="code-index_final_refactoring"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.37.</span> <span class="description">The fully refactored user index. <br /> <code>app/views/users/index.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="cp">&lt;%</span> <span class="n">provide</span><span class="p">(</span><span class="ss">:title</span><span class="p">,</span> <span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;h1&gt;</span>All users<span class="nt">&lt;/h1&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">will_paginate</span> <span class="cp">%&gt;</span>

<span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">&quot;users&quot;</span><span class="nt">&gt;</span>
  <span class="cp">&lt;%=</span> <span class="n">render</span> <span class="vi">@users</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;/ul&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">will_paginate</span> <span class="cp">%&gt;</span>
</pre></div>
</div></div>


<p>Here Rails infers that <code>@users</code> is a list of <code>User</code> objects; moreover, when called with a collection of users, Rails automatically iterates through them and renders each one with the <code>_user.html.erb</code> partial. The result is the impressively compact code in <a class="ref" href="updating-showing-and-deleting-users.html#code-index_final_refactoring">Listing&nbsp;9.37</a>. As with any refactoring, you should verify that the test suite is still green after changing the application code:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/
</pre></div>
</div>




<div class="label" id="sec-destroying_users"></div>


<h2><a id="sec-9_4" href="updating-showing-and-deleting-users.html#sec-destroying_users" class="heading"><span class="number">9.4</span> Deleting users</a></h2>


<p>Now that the user index is complete, there&rsquo;s only one canonical REST action left: <code>destroy</code>. In this section, we&rsquo;ll add links to delete users, as mocked up in <a class="ref" href="updating-showing-and-deleting-users.html#fig-user_index_delete_links_mockup">Figure&nbsp;9.12</a>, and define the <code>destroy</code> action necessary to accomplish the deletion. But first, we&rsquo;ll create the class of administrative users authorized to do so.</p>

<div class="label" id="fig-user_index_delete_links_mockup"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/user_index_delete_links_mockup_bootstrap.png" alt="user_index_delete_links_mockup_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.12: </span><span class="description">A mockup of the user index with delete links.&nbsp;<a href="http://railstutorial.org/images/figures/user_index_delete_links_mockup_bootstrap-full.png">(full size)</a></span></div></div>




<div class="label" id="sec-administrative_users"></div>


<h3><a id="sec-9_4_1" href="updating-showing-and-deleting-users.html#sec-administrative_users" class="heading"><span class="number">9.4.1</span> Administrative users</a></h3>


<p>We will identify privileged administrative users with a boolean <code>admin</code> attribute in the User model, which, as we&rsquo;ll see, will automatically lead to an <code>admin?</code> boolean method to test for admin status. We can write tests for this attribute as in <a class="ref" href="updating-showing-and-deleting-users.html#code-admin_specs">Listing&nbsp;9.38</a>.</p>

<div class="label" id="code-admin_specs"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.38.</span> <span class="description">Tests for an <code>admin</code> attribute. <br /> <code>spec/models/user_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="no">User</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">respond_to</span><span class="p">(</span><span class="ss">:authenticate</span><span class="p">)</span> <span class="p">}</span>
  <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">respond_to</span><span class="p">(</span><span class="ss">:admin</span><span class="p">)</span> <span class="p">}</span>

  <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">be_valid</span> <span class="p">}</span>
  <span class="n">it</span> <span class="p">{</span> <span class="n">should_not</span> <span class="n">be_admin</span> <span class="p">}</span>

  <span class="n">describe</span> <span class="s2">&quot;with admin attribute set to &#39;true&#39;&quot;</span> <span class="k">do</span>
    <span class="n">before</span> <span class="k">do</span>
      <span class="vi">@user</span><span class="o">.</span><span class="n">save!</span>
      <span class="vi">@user</span><span class="o">.</span><span class="n">toggle!</span><span class="p">(</span><span class="ss">:admin</span><span class="p">)</span>
    <span class="k">end</span>

    <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">be_admin</span> <span class="p">}</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Here we&rsquo;ve used the <code>toggle!</code> method to flip the <code>admin</code> attribute from <code>false</code> to <code>true</code>. Also note that the line</p>

<div class="code"><div class="highlight"><pre><span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">be_admin</span> <span class="p">}</span>
</pre></div>
</div>


<p>implies (via the RSpec boolean convention) that the user should have an <code>admin?</code> boolean method.</p>

<p>As usual, we add the <code>admin</code> attribute with a migration, indicating the <code>boolean</code> type on the command line:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> rails generate migration add_admin_to_users admin:boolean
</pre></div>
</div>


<p>The migration simply adds the <code>admin</code> column to the <code>users</code> table (<a class="ref" href="updating-showing-and-deleting-users.html#code-admin_migration">Listing&nbsp;9.39</a>), yielding the data model in <a class="ref" href="updating-showing-and-deleting-users.html#fig-user_model_admin">Figure&nbsp;9.13</a>.</p>

<div class="label" id="code-admin_migration"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.39.</span> <span class="description">The migration to add a boolean <code>admin</code> attribute to users. <br /> <code>db/migrate/[timestamp]_add_admin_to_users.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">AddAdminToUsers</span> <span class="o">&lt;</span> <span class="ss">ActiveRecord::Migration</span>
  <span class="k">def</span> <span class="nf">change</span>
    <span class="n">add_column</span> <span class="ss">:users</span><span class="p">,</span> <span class="ss">:admin</span><span class="p">,</span> <span class="ss">:boolean</span><span class="p">,</span> <span class="ss">default:</span> <span class="kp">false</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Note that we&rsquo;ve added the argument <code>default: false</code> to <code>add_column</code> in <a class="ref" href="updating-showing-and-deleting-users.html#code-admin_migration">Listing&nbsp;9.39</a>, which means that users will <em>not</em> be administrators by default. (Without the <code>default: false</code> argument, <code>admin</code> will be <code>nil</code> by default, which is still <code>false</code>, so this step is not strictly necessary. It is more explicit, though, and communicates our intentions more clearly both to Rails and to readers of our code.)</p>

<div class="label" id="fig-user_model_admin"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/user_model_admin_31.png" alt="user_model_admin_31" /></span></div><div class="caption"><span class="header">Figure 9.13: </span><span class="description">The User model with an added <code>admin</code> boolean attribute.</span></div></div>


<p>Finally, we migrate the development database and prepare the test database:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rake db:migrate
<span class="gp">$</span> bundle <span class="nb">exec </span>rake <span class="nb">test</span>:prepare
</pre></div>
</div>


<p>As expected, Rails figures out the boolean nature of the <code>admin</code> attribute and automatically adds the question-mark method <code>admin?</code>:</p>

<div class="code"><div class="highlight"><pre><span class="go">$ rails console --sandbox</span>
<span class="gp">&gt;&gt; </span><span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">first</span>
<span class="gp">&gt;&gt; </span><span class="n">user</span><span class="o">.</span><span class="n">admin?</span>
<span class="go">=&gt; false</span>
<span class="gp">&gt;&gt; </span><span class="n">user</span><span class="o">.</span><span class="n">toggle!</span><span class="p">(</span><span class="ss">:admin</span><span class="p">)</span>
<span class="go">=&gt; true</span>
<span class="gp">&gt;&gt; </span><span class="n">user</span><span class="o">.</span><span class="n">admin?</span>
<span class="go">=&gt; true</span>
</pre></div>
</div>


<p>As a result, the admin tests should pass:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/models/user_spec.rb
</pre></div>
</div>


<p>As a final step, let&rsquo;s update our sample data populator to make the first user an admin by default (<a class="ref" href="updating-showing-and-deleting-users.html#code-populator_with_admin">Listing&nbsp;9.40</a>).</p>

<div class="label" id="code-populator_with_admin"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.40.</span> <span class="description">The sample data populator code with an admin user. <br /> <code>lib/tasks/sample_data.rake</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="n">namespace</span> <span class="ss">:db</span> <span class="k">do</span>
  <span class="n">desc</span> <span class="s2">&quot;Fill database with sample data&quot;</span>
  <span class="n">task</span> <span class="ss">populate:</span> <span class="ss">:environment</span> <span class="k">do</span>
    <span class="n">admin</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">create!</span><span class="p">(</span><span class="nb">name</span><span class="p">:</span> <span class="s2">&quot;Example User&quot;</span><span class="p">,</span>
                         <span class="ss">email:</span> <span class="s2">&quot;example@railstutorial.org&quot;</span><span class="p">,</span>
                         <span class="ss">password:</span> <span class="s2">&quot;foobar&quot;</span><span class="p">,</span>
                         <span class="ss">password_confirmation:</span> <span class="s2">&quot;foobar&quot;</span><span class="p">,</span>
                         <span class="ss">admin:</span> <span class="kp">true</span><span class="p">)</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Then reset the database and re-populate the sample data:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rake db:reset
<span class="gp">$</span> bundle <span class="nb">exec </span>rake db:populate
<span class="gp">$</span> bundle <span class="nb">exec </span>rake <span class="nb">test</span>:prepare
</pre></div>
</div>


<div class="label" id="sec-revisiting_strong_parameters"></div>


<h4><a id="sec-9_4_1_1" href="updating-showing-and-deleting-users.html#sec-revisiting_strong_parameters" class="heading">Revisiting strong parameters</a></h4>


<p>You might have noticed that <a class="ref" href="updating-showing-and-deleting-users.html#code-populator_with_admin">Listing&nbsp;9.40</a> makes the user an admin using <code>admin: true</code> to the initialization hash. This underscores the danger of exposing our objects to the wild Web: if we simply passed an initialization hash in from an arbitrary web request, a malicious user could send a <tt>PATCH</tt> request as follows:<sup class="footnote" id="fnref-9_8"><a href="#fn-9_8">8</a></sup></p>

<div class="code"><div class="highlight"><pre>patch /users/17?admin=1
</pre></div>
</div>


<p>This request would make user 17 an admin, which would be a potentially serious security breach, to say the least.</p>

<p>Because of this danger, it is essential to pass parameters that have been processed to permit only safe-to-edit attributes. As noted in <a class="ref" href="sign-up.html#sec-strong_parameters">Section&nbsp;7.3.2</a>, this is accomplished using <em>strong parameters</em> by calling <code>require</code> and <code>permit</code> on the <code>params</code> hash:</p>

<div class="code"><div class="highlight"><pre>    <span class="k">def</span> <span class="nf">user_params</span>
      <span class="n">params</span><span class="o">.</span><span class="n">require</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span><span class="o">.</span><span class="n">permit</span><span class="p">(</span><span class="ss">:name</span><span class="p">,</span> <span class="ss">:email</span><span class="p">,</span> <span class="ss">:password</span><span class="p">,</span>
                                   <span class="ss">:password_confirmation</span><span class="p">)</span>
    <span class="k">end</span>
</pre></div>
</div>


<p>Note in particular that <code>admin</code> is <em>not</em> in the list of permitted attributes. This is what prevents arbitrary users from granting themselves administrative access to our application. Because of its importance, it&rsquo;s a good idea to write a test for any attribute that isn&rsquo;t editible, and writing such a test for the <code>admin</code> attribute is left as an exercise (<a class="ref" href="updating-showing-and-deleting-users.html#sec-updating_deleting_exercises">Section&nbsp;9.6</a>).</p>

<div class="label" id="sec-the_destroy_action"></div>


<h3><a id="sec-9_4_2" href="updating-showing-and-deleting-users.html#sec-the_destroy_action" class="heading"><span class="number">9.4.2</span> The <tt>destroy</tt> action</a></h3>


<p>The final step needed to complete the Users resource is to add delete links and a <code>destroy</code> action. We&rsquo;ll start by adding a delete link for each user on the user index page, restricting access to administrative users.</p>

<p>To write tests for the delete functionality, it&rsquo;s helpful to be able to have a factory to create admins. We can accomplish this by adding an <code>:admin</code> block to our factories, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-admin_factory">Listing&nbsp;9.41</a>.</p>

<div class="label" id="code-admin_factory"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.41.</span> <span class="description">Adding a factory for administrative users. <br /> <code>spec/factories.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="no">FactoryGirl</span><span class="o">.</span><span class="n">define</span> <span class="k">do</span>
  <span class="n">factory</span> <span class="ss">:user</span> <span class="k">do</span>
    <span class="n">sequence</span><span class="p">(</span><span class="ss">:name</span><span class="p">)</span>  <span class="p">{</span> <span class="o">|</span><span class="n">n</span><span class="o">|</span> <span class="s2">&quot;Person </span><span class="si">#{</span><span class="n">n</span><span class="si">}</span><span class="s2">&quot;</span> <span class="p">}</span>
    <span class="n">sequence</span><span class="p">(</span><span class="ss">:email</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">n</span><span class="o">|</span> <span class="s2">&quot;person_</span><span class="si">#{</span><span class="n">n</span><span class="si">}</span><span class="s2">@example.com&quot;</span><span class="p">}</span>
    <span class="n">password</span> <span class="s2">&quot;foobar&quot;</span>
    <span class="n">password_confirmation</span> <span class="s2">&quot;foobar&quot;</span>

    <span class="n">factory</span> <span class="ss">:admin</span> <span class="k">do</span>
      <span class="n">admin</span> <span class="kp">true</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>With the code in <a class="ref" href="updating-showing-and-deleting-users.html#code-admin_factory">Listing&nbsp;9.41</a>, we can now use <code>FactoryGirl.create(:admin)</code> to create an administrative user in our tests.</p>

<p>Our security model requires that ordinary users not see delete links:</p>

<div class="code"><div class="highlight"><pre><span class="n">it</span> <span class="p">{</span> <span class="n">should_not</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;delete&#39;</span><span class="p">)</span> <span class="p">}</span>
</pre></div>
</div>


<p>But administrative users should see such links, and by clicking on a delete link we expect an admin to delete the user, i.e., to change the <code>User</code> count by&nbsp;<code>-1</code>:</p>

<div class="code"><div class="highlight"><pre><span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;delete&#39;</span><span class="p">,</span> <span class="ss">href:</span> <span class="n">user_path</span><span class="p">(</span><span class="no">User</span><span class="o">.</span><span class="n">first</span><span class="p">))</span> <span class="p">}</span>
<span class="n">it</span> <span class="s2">&quot;should be able to delete another user&quot;</span> <span class="k">do</span>
  <span class="n">expect</span> <span class="k">do</span>
    <span class="n">click_link</span><span class="p">(</span><span class="s1">&#39;delete&#39;</span><span class="p">,</span> <span class="ss">match:</span> <span class="ss">:first</span><span class="p">)</span>
  <span class="k">end</span><span class="o">.</span><span class="n">to</span> <span class="n">change</span><span class="p">(</span><span class="no">User</span><span class="p">,</span> <span class="ss">:count</span><span class="p">)</span><span class="o">.</span><span class="n">by</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="k">end</span>
<span class="n">it</span> <span class="p">{</span> <span class="n">should_not</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;delete&#39;</span><span class="p">,</span> <span class="ss">href:</span> <span class="n">user_path</span><span class="p">(</span><span class="n">admin</span><span class="p">))</span> <span class="p">}</span>
</pre></div>
</div>


<p>This includes the code <code>match: :first</code>, which tells Capybara that we don&rsquo;t care <em>which</em> delete link it clicks; it should just click the first one it sees. Note also that we have added a test to verify that the admin does not see a link to delete himself. The full set of delete link tests appears in <a class="ref" href="updating-showing-and-deleting-users.html#code-delete_link_tests">Listing&nbsp;9.42</a>.</p>

<div class="label" id="code-delete_link_tests"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.42.</span> <span class="description">Tests for delete links. <br /> <code>spec/requests/user_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;User pages&quot;</span> <span class="k">do</span>

  <span class="n">subject</span> <span class="p">{</span> <span class="n">page</span> <span class="p">}</span>

  <span class="n">describe</span> <span class="s2">&quot;index&quot;</span> <span class="k">do</span>

    <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>

    <span class="n">before</span> <span class="k">do</span>
      <span class="n">sign_in</span> <span class="n">user</span>
      <span class="n">visit</span> <span class="n">users_path</span>
    <span class="k">end</span>

    <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_title</span><span class="p">(</span><span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="p">}</span>
    <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_content</span><span class="p">(</span><span class="s1">&#39;All users&#39;</span><span class="p">)</span> <span class="p">}</span>

    <span class="n">describe</span> <span class="s2">&quot;pagination&quot;</span> <span class="k">do</span>
      <span class="o">.</span>
      <span class="o">.</span>
      <span class="o">.</span>
    <span class="k">end</span>

    <span class="n">describe</span> <span class="s2">&quot;delete links&quot;</span> <span class="k">do</span>

      <span class="n">it</span> <span class="p">{</span> <span class="n">should_not</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;delete&#39;</span><span class="p">)</span> <span class="p">}</span>

      <span class="n">describe</span> <span class="s2">&quot;as an admin user&quot;</span> <span class="k">do</span>
        <span class="n">let</span><span class="p">(</span><span class="ss">:admin</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:admin</span><span class="p">)</span> <span class="p">}</span>
        <span class="n">before</span> <span class="k">do</span>
          <span class="n">sign_in</span> <span class="n">admin</span>
          <span class="n">visit</span> <span class="n">users_path</span>
        <span class="k">end</span>

        <span class="n">it</span> <span class="p">{</span> <span class="n">should</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;delete&#39;</span><span class="p">,</span> <span class="ss">href:</span> <span class="n">user_path</span><span class="p">(</span><span class="no">User</span><span class="o">.</span><span class="n">first</span><span class="p">))</span> <span class="p">}</span>
        <span class="n">it</span> <span class="s2">&quot;should be able to delete another user&quot;</span> <span class="k">do</span>
          <span class="n">expect</span> <span class="k">do</span>
            <span class="n">click_link</span><span class="p">(</span><span class="s1">&#39;delete&#39;</span><span class="p">,</span> <span class="ss">match:</span> <span class="ss">:first</span><span class="p">)</span>
          <span class="k">end</span><span class="o">.</span><span class="n">to</span> <span class="n">change</span><span class="p">(</span><span class="no">User</span><span class="p">,</span> <span class="ss">:count</span><span class="p">)</span><span class="o">.</span><span class="n">by</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span>
        <span class="k">end</span>
        <span class="n">it</span> <span class="p">{</span> <span class="n">should_not</span> <span class="n">have_link</span><span class="p">(</span><span class="s1">&#39;delete&#39;</span><span class="p">,</span> <span class="ss">href:</span> <span class="n">user_path</span><span class="p">(</span><span class="n">admin</span><span class="p">))</span> <span class="p">}</span>
      <span class="k">end</span>
    <span class="k">end</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>The application code links to <code>"delete"</code> if the current user is an admin (<a class="ref" href="updating-showing-and-deleting-users.html#code-delete_links">Listing&nbsp;9.43</a>). Note the <code>method: :delete</code> argument, which arranges for the link to issue the necessary <tt>DELETE</tt> request. We&rsquo;ve also wrapped each link inside an&nbsp;<code>if</code> statement so that only admins can see them. The result for our admin user appears in <a class="ref" href="updating-showing-and-deleting-users.html#fig-index_delete_links_rails_3">Figure&nbsp;9.14</a>.</p>

<div class="label" id="code-delete_links"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.43.</span> <span class="description">User delete links (viewable only by admins). <br /> <code>app/views/users/_user.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nt">&lt;li&gt;</span>
  <span class="cp">&lt;%=</span> <span class="n">gravatar_for</span> <span class="n">user</span><span class="p">,</span> <span class="ss">size:</span> <span class="mi">52</span> <span class="cp">%&gt;</span>
  <span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="n">user</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="n">user</span> <span class="cp">%&gt;</span>
  <span class="cp">&lt;%</span> <span class="k">if</span> <span class="n">current_user</span><span class="o">.</span><span class="n">admin?</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">current_user?</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="cp">%&gt;</span>
    | <span class="cp">&lt;%=</span> <span class="n">link_to</span> <span class="s2">&quot;delete&quot;</span><span class="p">,</span> <span class="n">user</span><span class="p">,</span> <span class="nb">method</span><span class="p">:</span> <span class="ss">:delete</span><span class="p">,</span>
                                  <span class="ss">data:</span> <span class="p">{</span> <span class="ss">confirm:</span> <span class="s2">&quot;You sure?&quot;</span> <span class="p">}</span> <span class="cp">%&gt;</span>
  <span class="cp">&lt;%</span> <span class="k">end</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;/li&gt;</span>
</pre></div>
</div></div>


<p>Web browsers can&rsquo;t send <tt>DELETE</tt> requests natively, so Rails fakes them with JavaScript. This means that the delete links won&rsquo;t work if the user has JavaScript disabled. If you must support non-JavaScript-enabled browsers you can fake a <tt>DELETE</tt> request using a form and a <tt>POST</tt> request, which works even without JavaScript; see the RailsCast on &ldquo;<a href="http://railscasts.com/episodes/77-destroy-without-javascript">Destroy Without JavaScript</a>&rdquo; for details.</p>

<div class="label" id="fig-index_delete_links_rails_3"></div>


<div class="figure"><div class="center"><span class="graphic"><img src="images/figures/index_delete_links_rails_3_bootstrap.png" alt="index_delete_links_rails_3_bootstrap" /></span></div><div class="caption"><span class="header">Figure 9.14: </span><span class="description">The user index <a href="http://localhost:3000/users">/users</a> with delete links.&nbsp;<a href="http://railstutorial.org/images/figures/index_delete_links_rails_3_bootstrap-full.png">(full size)</a></span></div></div>


<p>To get the delete links to work, we need to add a <code>destroy</code> action (<a class="ref" href="sign-up.html#table-RESTful_users">Table&nbsp;7.1</a>), which finds the corresponding user and destroys it with the Active Record <code>destroy</code> method, finally redirecting to the user index, as seen in <a class="ref" href="updating-showing-and-deleting-users.html#code-destroy_action">Listing&nbsp;9.44</a>. Note that we also add <code>:destroy</code> to the <code>signed_in_user</code> before filter.</p>

<div class="label" id="code-destroy_action"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.44.</span> <span class="description">Adding a working <code>destroy</code> action. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="n">before_action</span> <span class="ss">:signed_in_user</span><span class="p">,</span> <span class="ss">only:</span> <span class="o">[</span><span class="ss">:index</span><span class="p">,</span> <span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="p">,</span> <span class="ss">:destroy</span><span class="o">]</span>
  <span class="n">before_action</span> <span class="ss">:correct_user</span><span class="p">,</span>   <span class="ss">only:</span> <span class="o">[</span><span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="k">def</span> <span class="nf">destroy</span>
    <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span><span class="o">.</span><span class="n">destroy</span>
    <span class="n">flash</span><span class="o">[</span><span class="ss">:success</span><span class="o">]</span> <span class="o">=</span> <span class="s2">&quot;User deleted.&quot;</span>
    <span class="n">redirect_to</span> <span class="n">users_url</span>
  <span class="k">end</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>Note that the <code>destroy</code> action uses method chaining to combine the <code>find</code> and <code>destroy</code> into one line:</p>

<div class="code"><div class="highlight"><pre><span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span><span class="p">)</span><span class="o">.</span><span class="n">destroy</span>
</pre></div>
</div>


<p>As constructed, only admins can destroy users through the web, because only admins can see the delete links. Unfortunately, there&rsquo;s still a terrible security hole: any sufficiently sophisticated attacker could simply issue <tt>DELETE</tt> requests directly from the command line to delete any user on the site. To secure the site properly, we also need access control on the <code>destroy</code> action, so our tests should check not only that admins <em>can</em> delete users, but also that other users <em>can&rsquo;t</em>. The results appear in <a class="ref" href="updating-showing-and-deleting-users.html#code-delete_destroy_test">Listing&nbsp;9.45</a>. Note that, in analogy with the <code>patch</code> method from <a class="ref" href="updating-showing-and-deleting-users.html#code-protected_edit_update_tests">Listing&nbsp;9.11</a>, we use <code>delete</code> to issue a <tt>DELETE</tt> request directly to the specified URL (in this case, the user path, as required by <a class="ref" href="sign-up.html#table-RESTful_users">Table&nbsp;7.1</a>).</p>

<div class="label" id="code-delete_destroy_test"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.45.</span> <span class="description">A test for protecting the <code>destroy</code> action. <br /> <code>spec/requests/authentication_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;Authentication&quot;</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">describe</span> <span class="s2">&quot;authorization&quot;</span> <span class="k">do</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="n">describe</span> <span class="s2">&quot;as non-admin user&quot;</span> <span class="k">do</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:non_admin</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>

      <span class="n">before</span> <span class="p">{</span> <span class="n">sign_in</span> <span class="n">non_admin</span><span class="p">,</span> <span class="ss">no_capybara:</span> <span class="kp">true</span> <span class="p">}</span>

      <span class="n">describe</span> <span class="s2">&quot;submitting a DELETE request to the Users#destroy action&quot;</span> <span class="k">do</span>
        <span class="n">before</span> <span class="p">{</span> <span class="n">delete</span> <span class="n">user_path</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="p">}</span>
        <span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">root_url</span><span class="p">)</span> <span class="p">}</span>
      <span class="k">end</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>In principle, there&rsquo;s still a minor security hole, which is that an admin could delete himself by issuing a <tt>DELETE</tt> request directly. One might argue that such an admin is only getting what they deserve, but it would be nice to prevent such an occurrence, and doing so is left as an exercise (<a class="ref" href="updating-showing-and-deleting-users.html#sec-updating_deleting_exercises">Section&nbsp;9.6</a>).</p>

<p>As you might suspect by now, the application code uses a before filter, this time to restrict access to the <code>destroy</code> action to admins. The resulting <code>admin_user</code> before filter appears in <a class="ref" href="updating-showing-and-deleting-users.html#code-admin_destroy_before_filter">Listing&nbsp;9.46</a>.</p>

<div class="label" id="code-admin_destroy_before_filter"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.46.</span> <span class="description">A before filter restricting the <code>destroy</code> action to admins. <br /> <code>app/controllers/users_controller.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span>
  <span class="n">before_action</span> <span class="ss">:signed_in_user</span><span class="p">,</span> <span class="ss">only:</span> <span class="o">[</span><span class="ss">:index</span><span class="p">,</span> <span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="p">,</span> <span class="ss">:destroy</span><span class="o">]</span>
  <span class="n">before_action</span> <span class="ss">:correct_user</span><span class="p">,</span>   <span class="ss">only:</span> <span class="o">[</span><span class="ss">:edit</span><span class="p">,</span> <span class="ss">:update</span><span class="o">]</span>
  <span class="n">before_action</span> <span class="ss">:admin_user</span><span class="p">,</span>     <span class="ss">only:</span> <span class="ss">:destroy</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="kp">private</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="k">def</span> <span class="nf">admin_user</span>
      <span class="n">redirect_to</span><span class="p">(</span><span class="n">root_url</span><span class="p">)</span> <span class="k">unless</span> <span class="n">current_user</span><span class="o">.</span><span class="n">admin?</span>
    <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>


<p>At this point, all the tests should be passing, and the Users resource&mdash;with its controller, model, and views&mdash;is functionally complete.</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> bundle <span class="nb">exec </span>rspec spec/
</pre></div>
</div>




<div class="label" id="sec-updating_and_deleting_users_conclusion"></div>


<h2><a id="sec-9_5" href="updating-showing-and-deleting-users.html#sec-updating_and_deleting_users_conclusion" class="heading"><span class="number">9.5</span> Conclusion</a></h2>


<p>We&rsquo;ve come a long way since introducing the Users controller way back in <a class="ref" href="filling-in-the-layout.html#sec-user_signup">Section&nbsp;5.4</a>. Those users couldn&rsquo;t even sign up; now users can sign up, sign in, sign out, view their profiles, edit their settings, and see an index of all users&mdash;and some can even destroy other users.</p>

<p>The rest of this book builds on the foundation of the Users resource (and associated authorization system) to make a site with Twitter-like microposts (<a class="ref" href="user-microposts.html#top">Chapter&nbsp;10</a>) and a status feed of posts from followed users (<a class="ref" href="following-users.html#top">Chapter&nbsp;11</a>). These chapters will introduce some of the most powerful features of Rails, including data modeling with <code>has_many</code> and <code>has_many through</code>.</p>

<p>Before moving on, be sure to merge all the changes into the master branch:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> git add .
<span class="gp">$</span> git commit -m <span class="s2">&quot;Finish user edit, update, index, and destroy actions&quot;</span>
<span class="gp">$</span> git checkout master
<span class="gp">$</span> git merge updating-users
</pre></div>
</div>


<p>You can also deploy the application and even populate the production database with sample users (using the <code>pg:reset</code> task to reset the production database):</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> git push heroku
<span class="gp">$</span> heroku pg:reset DATABASE
<span class="gp">$</span> heroku run rake db:migrate
<span class="gp">$</span> heroku run rake db:populate
</pre></div>
</div>


<p>To get the changes to show up, you may have to force an app restart at Heroku:</p>

<div class="code"><div class="highlight"><pre><span class="gp">$</span> heroku restart
</pre></div>
</div>


<p>It&rsquo;s also worth noting that this chapter saw the last of the necessary gem installations. For reference, the final <code>Gemfile</code> is shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-final_gemfile">Listing&nbsp;9.47</a>. (Optional gems may be system-dependent and are commented out. You can uncomment them to see if they work on your system.)</p>

<div class="label" id="code-final_gemfile"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.47.</span> <span class="description">The final <code>Gemfile</code> for the sample application.</span> </div>
<div class="code"><div class="highlight"><pre><span class="n">source</span> <span class="s1">&#39;https://rubygems.org&#39;</span>
<span class="n">ruby</span> <span class="s1">&#39;2.0.0&#39;</span>
<span class="c1">#ruby-gemset=railstutorial_rails_4_0</span>

<span class="n">gem</span> <span class="s1">&#39;rails&#39;</span><span class="p">,</span> <span class="s1">&#39;4.0.4&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;bootstrap-sass&#39;</span><span class="p">,</span> <span class="s1">&#39;2.3.2.0&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;sprockets&#39;</span><span class="p">,</span> <span class="s1">&#39;2.11.0&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;bcrypt-ruby&#39;</span><span class="p">,</span> <span class="s1">&#39;3.1.2&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;faker&#39;</span><span class="p">,</span> <span class="s1">&#39;1.1.2&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;will_paginate&#39;</span><span class="p">,</span> <span class="s1">&#39;3.0.4&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;bootstrap-will_paginate&#39;</span><span class="p">,</span> <span class="s1">&#39;0.0.9&#39;</span>

<span class="n">group</span> <span class="ss">:development</span><span class="p">,</span> <span class="ss">:test</span> <span class="k">do</span>
  <span class="n">gem</span> <span class="s1">&#39;sqlite3&#39;</span><span class="p">,</span> <span class="s1">&#39;1.3.8&#39;</span>
  <span class="n">gem</span> <span class="s1">&#39;rspec-rails&#39;</span><span class="p">,</span> <span class="s1">&#39;2.13.1&#39;</span>
  <span class="c1"># The following optional lines are part of the advanced setup.</span>
  <span class="c1"># gem &#39;guard-rspec&#39;, &#39;2.5.0&#39;</span>
  <span class="c1"># gem &#39;spork-rails&#39;, &#39;4.0.0&#39;</span>
  <span class="c1"># gem &#39;guard-spork&#39;, &#39;1.5.0&#39;</span>
  <span class="c1"># gem &#39;childprocess&#39;, &#39;0.3.6&#39;</span>
<span class="k">end</span>

<span class="n">group</span> <span class="ss">:test</span> <span class="k">do</span>
  <span class="n">gem</span> <span class="s1">&#39;selenium-webdriver&#39;</span><span class="p">,</span> <span class="s1">&#39;2.35.1&#39;</span>
  <span class="n">gem</span> <span class="s1">&#39;capybara&#39;</span><span class="p">,</span> <span class="s1">&#39;2.1.0&#39;</span>
  <span class="n">gem</span> <span class="s1">&#39;factory_girl_rails&#39;</span><span class="p">,</span> <span class="s1">&#39;4.2.0&#39;</span>
  <span class="n">gem</span> <span class="s1">&#39;cucumber-rails&#39;</span><span class="p">,</span> <span class="s1">&#39;1.4.0&#39;</span><span class="p">,</span> <span class="ss">:require</span> <span class="o">=&gt;</span> <span class="kp">false</span>
  <span class="n">gem</span> <span class="s1">&#39;database_cleaner&#39;</span><span class="p">,</span> <span class="ss">github:</span> <span class="s1">&#39;bmabey/database_cleaner&#39;</span>

  <span class="c1"># Uncomment this line on OS X.</span>
  <span class="c1"># gem &#39;growl&#39;, &#39;1.0.3&#39;</span>

  <span class="c1"># Uncomment these lines on Linux.</span>
  <span class="c1"># gem &#39;libnotify&#39;, &#39;0.8.0&#39;</span>

  <span class="c1"># Uncomment these lines on Windows.</span>
  <span class="c1"># gem &#39;rb-notifu&#39;, &#39;0.0.4&#39;</span>
  <span class="c1"># gem &#39;win32console&#39;, &#39;1.3.2&#39;</span>
  <span class="c1"># gem &#39;wdm&#39;, &#39;0.1.0&#39;</span>
<span class="k">end</span>

<span class="n">gem</span> <span class="s1">&#39;sass-rails&#39;</span><span class="p">,</span> <span class="s1">&#39;4.0.1&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;uglifier&#39;</span><span class="p">,</span> <span class="s1">&#39;2.1.1&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;coffee-rails&#39;</span><span class="p">,</span> <span class="s1">&#39;4.0.1&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;jquery-rails&#39;</span><span class="p">,</span> <span class="s1">&#39;3.0.4&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;turbolinks&#39;</span><span class="p">,</span> <span class="s1">&#39;1.1.1&#39;</span>
<span class="n">gem</span> <span class="s1">&#39;jbuilder&#39;</span><span class="p">,</span> <span class="s1">&#39;1.0.2&#39;</span>

<span class="n">group</span> <span class="ss">:doc</span> <span class="k">do</span>
  <span class="n">gem</span> <span class="s1">&#39;sdoc&#39;</span><span class="p">,</span> <span class="s1">&#39;0.3.20&#39;</span><span class="p">,</span> <span class="nb">require</span><span class="p">:</span> <span class="kp">false</span>
<span class="k">end</span>

<span class="n">group</span> <span class="ss">:production</span> <span class="k">do</span>
  <span class="n">gem</span> <span class="s1">&#39;pg&#39;</span><span class="p">,</span> <span class="s1">&#39;0.15.1&#39;</span>
  <span class="n">gem</span> <span class="s1">&#39;rails_12factor&#39;</span><span class="p">,</span> <span class="s1">&#39;0.0.2&#39;</span>
<span class="k">end</span>
</pre></div>
</div></div>




<div class="label" id="sec-updating_deleting_exercises"></div>


<h2><a id="sec-9_6" href="updating-showing-and-deleting-users.html#sec-updating_deleting_exercises" class="heading"><span class="number">9.6</span> Exercises</a></h2>




<ol>

<li>By issuing a <tt>PATCH</tt> request directly to the <code>update</code> method as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-forbidden_admin_test">Listing&nbsp;9.48</a>, verify that the <code>admin</code> attribute isn&rsquo;t editable through the web. Be sure to get first to Red, and then to Green. (<em>Hint</em>: Your first step should be to <em>add</em> <code>admin</code> to the list of permitted parameters in <code>user_params</code>.)</li>

<li>Arrange for the Gravatar &ldquo;change&rdquo; link in <a class="ref" href="updating-showing-and-deleting-users.html#code-user_edit_view">Listing&nbsp;9.3</a> to open in a new window (or tab). <em>Hint:</em> Search the web; you should find one particularly robust method involving something called <code>_blank</code>.</li>

<li>The current authentication tests check that navigation links such as &ldquo;Profile&rdquo; and &ldquo;Settings&rdquo; appear when a user is signed in. Add tests to make sure that these links <em>don&rsquo;t</em> appear when a user isn&rsquo;t signed in.</li>

<li>Use the <code>sign_in</code> test helper from <a class="ref" href="updating-showing-and-deleting-users.html#code-sign_in_helper">Listing&nbsp;9.6</a> in as many places as you can find.</li>

<li>Remove the duplicated form code by refactoring the <code>new.html.erb</code> and <code>edit.html.erb</code> views to use the partial in <a class="ref" href="updating-showing-and-deleting-users.html#code-new_edit_partial">Listing&nbsp;9.49</a>. Note that you will have to pass the form variable&nbsp;<code>f</code> explicitly as a local variable, as shown in <a class="ref" href="updating-showing-and-deleting-users.html#code-new_user_with_partial">Listing&nbsp;9.50</a>. You will also have to update the tests, as the forms aren&rsquo;t currently <em>exactly</em> the same; identify the slight difference and update the tests accordingly.</li>

<li>Signed-in users have no reason to access the <code>new</code> and <code>create</code> actions in the Users controller. Arrange for such users to be redirected to the root URL if they do try to hit those pages.</li>

<li>Learn about the <code>request</code> object by inserting some of the methods listed in the <a href="http://api.rubyonrails.org/v4.0.0/classes/ActionDispatch/Request.html">Rails API</a><sup class="footnote" id="fnref-9_9"><a href="#fn-9_9">9</a></sup> into the site layout. (Refer to <a class="ref" href="sign-up.html#code-rails_debug">Listing&nbsp;7.1</a> if you get stuck.)</li>

<li>Write a test to make sure that the friendly forwarding only forwards to the given URL the first time. On subsequent signin attempts, the forwarding URL should revert to the default (i.e., the profile page). See <a class="ref" href="updating-showing-and-deleting-users.html#code-friendly_forgetting_test">Listing&nbsp;9.51</a> for a hint (and, by a hint, I mean the solution).</li>

<li>Modify the <code>destroy</code> action to prevent admin users from destroying themselves. (Write a test first.)</li>

</ol>




<div class="label" id="code-forbidden_admin_test"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.48.</span> <span class="description">Testing that the <code>admin</code> attribute is forbidden. <br /> <code>spec/requests/user_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;User pages&quot;</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">describe</span> <span class="s2">&quot;edit&quot;</span> <span class="k">do</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="n">describe</span> <span class="s2">&quot;forbidden attributes&quot;</span> <span class="k">do</span>
      <span class="n">let</span><span class="p">(</span><span class="ss">:params</span><span class="p">)</span> <span class="k">do</span>
        <span class="p">{</span> <span class="ss">user:</span> <span class="p">{</span> <span class="ss">admin:</span> <span class="kp">true</span><span class="p">,</span> <span class="ss">password:</span> <span class="n">user</span><span class="o">.</span><span class="n">password</span><span class="p">,</span>
                  <span class="ss">password_confirmation:</span> <span class="n">user</span><span class="o">.</span><span class="n">password</span> <span class="p">}</span> <span class="p">}</span>
      <span class="k">end</span>
      <span class="n">before</span> <span class="k">do</span>
        <span class="n">sign_in</span> <span class="n">user</span><span class="p">,</span> <span class="ss">no_capybara:</span> <span class="kp">true</span>
        <span class="n">patch</span> <span class="n">user_path</span><span class="p">(</span><span class="n">user</span><span class="p">),</span> <span class="n">params</span>
      <span class="k">end</span>
      <span class="n">specify</span> <span class="p">{</span> <span class="n">expect</span><span class="p">(</span><span class="n">user</span><span class="o">.</span><span class="n">reload</span><span class="p">)</span><span class="o">.</span><span class="n">not_to</span> <span class="n">be_admin</span> <span class="p">}</span>
    <span class="k">end</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>




<div class="label" id="code-new_edit_partial"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.49.</span> <span class="description">A partial for the new and edit form fields. <br /> <code>app/views/users/_fields.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="cp">&lt;%=</span> <span class="n">render</span> <span class="s1">&#39;shared/error_messages&#39;</span> <span class="cp">%&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">label</span> <span class="ss">:name</span> <span class="cp">%&gt;</span>
<span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">text_field</span> <span class="ss">:name</span> <span class="cp">%&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">label</span> <span class="ss">:email</span> <span class="cp">%&gt;</span>
<span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">text_field</span> <span class="ss">:email</span> <span class="cp">%&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">label</span> <span class="ss">:password</span> <span class="cp">%&gt;</span>
<span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">password_field</span> <span class="ss">:password</span> <span class="cp">%&gt;</span>

<span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">label</span> <span class="ss">:password_confirmation</span><span class="p">,</span> <span class="s2">&quot;Confirm Password&quot;</span> <span class="cp">%&gt;</span>
<span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">password_field</span> <span class="ss">:password_confirmation</span> <span class="cp">%&gt;</span>
</pre></div>
</div></div>




<div class="label" id="code-new_user_with_partial"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.50.</span> <span class="description">The new user view with partial. <br /> <code>app/views/users/new.html.erb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="cp">&lt;%</span> <span class="n">provide</span><span class="p">(</span><span class="ss">:title</span><span class="p">,</span> <span class="s1">&#39;Sign up&#39;</span><span class="p">)</span> <span class="cp">%&gt;</span>
<span class="nt">&lt;h1&gt;</span>Sign up<span class="nt">&lt;/h1&gt;</span>

<span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">&quot;row&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">&quot;span6 offset3&quot;</span><span class="nt">&gt;</span>
    <span class="cp">&lt;%=</span> <span class="n">form_for</span><span class="p">(</span><span class="vi">@user</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">f</span><span class="o">|</span> <span class="cp">%&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">render</span> <span class="s1">&#39;fields&#39;</span><span class="p">,</span> <span class="ss">f:</span> <span class="n">f</span> <span class="cp">%&gt;</span>
      <span class="cp">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">submit</span> <span class="s2">&quot;Create my account&quot;</span><span class="p">,</span> <span class="ss">class:</span> <span class="s2">&quot;btn btn-large btn-primary&quot;</span> <span class="cp">%&gt;</span>
    <span class="cp">&lt;%</span> <span class="k">end</span> <span class="cp">%&gt;</span>
  <span class="nt">&lt;/div&gt;</span>
<span class="nt">&lt;/div&gt;</span>
</pre></div>
</div></div>




<div class="label" id="code-friendly_forgetting_test"></div>


<div class="codelisting">
<div class="listing"><span class="header">Listing 9.51.</span> <span class="description">A test for forwarding to the default page after friendly forwarding. <br /> <code>spec/requests/authentication_pages_spec.rb</code></span> </div>
<div class="code"><div class="highlight"><pre><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>

<span class="n">describe</span> <span class="s2">&quot;Authentication&quot;</span> <span class="k">do</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="o">.</span>
  <span class="n">describe</span> <span class="s2">&quot;authorization&quot;</span> <span class="k">do</span>

    <span class="n">describe</span> <span class="s2">&quot;for non-signed-in users&quot;</span> <span class="k">do</span>
      <span class="o">.</span>
      <span class="o">.</span>
      <span class="o">.</span>
      <span class="n">describe</span> <span class="s2">&quot;when attempting to visit a protected page&quot;</span> <span class="k">do</span>
        <span class="n">before</span> <span class="k">do</span>
          <span class="n">visit</span> <span class="n">edit_user_path</span><span class="p">(</span><span class="n">user</span><span class="p">)</span>
          <span class="n">fill_in</span> <span class="s2">&quot;Email&quot;</span><span class="p">,</span>    <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">email</span>
          <span class="n">fill_in</span> <span class="s2">&quot;Password&quot;</span><span class="p">,</span> <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">password</span>
          <span class="n">click_button</span> <span class="s2">&quot;Sign in&quot;</span>
        <span class="k">end</span>

        <span class="n">describe</span> <span class="s2">&quot;after signing in&quot;</span> <span class="k">do</span>

          <span class="n">it</span> <span class="s2">&quot;should render the desired protected page&quot;</span> <span class="k">do</span>
            <span class="n">expect</span><span class="p">(</span><span class="n">page</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">have_title</span><span class="p">(</span><span class="s1">&#39;Edit user&#39;</span><span class="p">)</span>
          <span class="k">end</span>

          <span class="n">describe</span> <span class="s2">&quot;when signing in again&quot;</span> <span class="k">do</span>
            <span class="n">before</span> <span class="k">do</span>
              <span class="n">click_link</span> <span class="s2">&quot;Sign out&quot;</span>
              <span class="n">visit</span> <span class="n">signin_path</span>
              <span class="n">fill_in</span> <span class="s2">&quot;Email&quot;</span><span class="p">,</span>    <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">email</span>
              <span class="n">fill_in</span> <span class="s2">&quot;Password&quot;</span><span class="p">,</span> <span class="ss">with:</span> <span class="n">user</span><span class="o">.</span><span class="n">password</span>
              <span class="n">click_button</span> <span class="s2">&quot;Sign in&quot;</span>
            <span class="k">end</span>

            <span class="n">it</span> <span class="s2">&quot;should render the default (profile) page&quot;</span> <span class="k">do</span>
              <span class="n">expect</span><span class="p">(</span><span class="n">page</span><span class="p">)</span><span class="o">.</span><span class="n">to</span> <span class="n">have_title</span><span class="p">(</span><span class="n">user</span><span class="o">.</span><span class="n">name</span><span class="p">)</span>
            <span class="k">end</span>
          <span class="k">end</span>
        <span class="k">end</span>
      <span class="k">end</span>
    <span class="k">end</span>
    <span class="o">.</span>
    <span class="o">.</span>
    <span class="o">.</span>
  <span class="k">end</span>
<span class="k">end</span>
</pre></div>
</div></div>




<div class="navigation">  <a class="prev_page" href="sign-in-sign-out.html#top">
    &laquo;&nbsp;<span class="number">Chapter 8</span> Sign in, sign out
  </a>
  <a class="next_page" href="user-microposts.html#top">
    <span class="number">Chapter 10</span> User microposts&nbsp;&raquo;
  </a>
</div><div class="footnotes">
<ol>
<li id="fn-9_1">Image from <a href="http://www.flickr.com/photos/sashawolff/4598355045/">http://www.flickr.com/photos/sashawolff/4598355045/</a>.&nbsp;<a class="arrow" href="#fnref-9_1">&uarr;</a></li>
<li id="fn-9_2">The Gravatar site actually redirects this to <a href="http://en.gravatar.com/emails">http://en.gravatar.com/emails</a>, which is for English language users, but I&rsquo;ve omitted the <tt>en</tt> part to account for the use of other languages.&nbsp;<a class="arrow" href="#fnref-9_2">&uarr;</a></li>
<li id="fn-9_3">Don&rsquo;t worry about how this works; the details are of interest to developers of the Rails framework itself, and by design are not important for Rails application developers.&nbsp;<a class="arrow" href="#fnref-9_3">&uarr;</a></li>
<li id="fn-9_4">The code in this section is adapted from the <a href="http://github.com/thoughtbot/clearance">Clearance</a> gem by <a href="http://thoughtbot.com/">thoughtbot</a>.&nbsp;<a class="arrow" href="#fnref-9_4">&uarr;</a></li>
<li id="fn-9_5">Thanks to reader Yoel Adler for pointing out this subtle issue, and for discovering the solution.&nbsp;<a class="arrow" href="#fnref-9_5">&uarr;</a></li>
<li id="fn-9_6">Baby photo from <a href="http://www.flickr.com/photos/glasgows/338937124/">http://www.flickr.com/photos/glasgows/338937124/</a>.&nbsp;<a class="arrow" href="#fnref-9_6">&uarr;</a></li>
<li id="fn-9_7">The name <code>user</code> is immaterial&mdash;we could have written <code>@users.each do |foobar|</code> and then used <code>render foobar</code>. The key is the <em>class</em> of the object&mdash;in this case, <code>User</code>.&nbsp;<a class="arrow" href="#fnref-9_7">&uarr;</a></li>
<li id="fn-9_8">Command-line tools such as <tt>curl</tt> can issue <tt>PATCH</tt> requests of this form.&nbsp;<a class="arrow" href="#fnref-9_8">&uarr;</a></li>
<li id="fn-9_9">http://api.rubyonrails.org/v4.0.0/classes/ActionDispatch/Request.html&nbsp;<a class="arrow" href="#fnref-9_9">&uarr;</a></li>
</ol>
</div>




</div>
  </body>
</html>