

Activity 1

Get HTML, XML, and JSON formatted views working for who_bought requests. Experiment with including the order information in the XML view by rendering @product.to_xml(include: :orders). Do the same thing for JSON.

Hint: use builder templates for XML.


Activity 2

What happens if you click the “Checkout” button in the sidebar while the checkout screen is already displayed? Can you find a way to disable the button in this circumstance?

Hint: variables set in the controller are available in layouts and partials as well as in the directly rendered template.


Activity 3

The list of possible payment types is currently stored as a constant in the Order class. Can you move this list into a database table? Can you still make validation work for the field?

Hint: Replace the pay_type string with a pay_type_id in the Orders model, and use validates_presence_of to verify that this field is set.


Activity 4

Note that we did not add order_id (or, for that matter, quantity) to the attr_accessible line. This prevents mass assignment of these values by statements such as[:line_item]) in app/controllers/line_items_controller.rb. This is a good thing, as it prevents malicious users from creating their own forms that modify an order after it is placed.

As product_id is still accessible, it is still theoretically possible for a cracker to substitute a more expensive item for a less expensive one. Close this hole by removing product_id from the accessible list.

Get the functional tests to pass once again by replacing the mass assignment in line item creation in the controller with specific assignments, but only to cart_id and not order_id. Modify the update test to verify that an exception is raised by making use of assert_raise.
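To see what the whitelist buys you, here is an added example in plain Ruby (not the depot application's code, and no Rails required) that stands in for attr_accessible: a forged parameter hash is rejected when it touches a protected attribute, product_id is shown to slip through until it is removed from the list, and the controller-style creation assigns cart_id and product_id explicitly instead of mass-assigning. ProtectedAttributeError and LineItem.accessible are names assumed for the example.

```ruby
# Added example, not the depot app's code: a minimal stand-in for Rails 3's
# attr_accessible whitelist. ProtectedAttributeError is an assumed name that
# plays the role of Rails' MassAssignmentSecurity::Error in strict mode.
class ProtectedAttributeError < StandardError; end

class LineItem
  attr_accessor :product_id, :cart_id, :order_id, :quantity

  # Mass-assignable attributes; starts as the book's "attr_accessible
  # :product_id, :cart_id" and is narrowed to :cart_id by the activity.
  class << self; attr_accessor :accessible; end
  self.accessible = %i[product_id cart_id]

  def initialize(params = {})
    @quantity = 1
    assign_attributes(params)
  end

  # Mass assignment: every incoming key is checked against the whitelist;
  # a protected key raises instead of being silently written.
  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_sym
      unless self.class.accessible.include?(key)
        raise ProtectedAttributeError, "#{key} is not mass-assignable"
      end
      public_send("#{key}=", value)
    end
    self
  end
end

# Constructed parameters a hand-built form might post: attach the item to an
# already placed order, swap in another product and inflate the quantity.
FORGED_PARAMS = { "product_id" => 99, "order_id" => 7, "quantity" => 50 }.freeze

# True when the whitelist blocks LineItem.new(params) for these parameters.
def mass_assignment_rejected?(params)
  LineItem.new(params)
  false
rescue ProtectedAttributeError
  true
end

# Controller-style creation after the exercise: no mass assignment; the cart
# and product come from the server-side session and lookup, not from params.
def build_line_item(cart_id, product_id)
  item = LineItem.new
  item.cart_id = cart_id
  item.product_id = product_id
  item
end
```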


Page History
  • V27: Denis Hovart [over 1 year ago]
  • V26: eric tenne [about 2 years ago]
  • V25: George Buckingham [over 4 years ago]
  • V24: William Ko [over 5 years ago]
  • V23: William Ko [over 5 years ago]
  • V22: William Ko [over 5 years ago]
  • V21: William Ko [over 5 years ago]
  • V20: William Ko [over 5 years ago]
  • V19: Sam Ruby [over 6 years ago]
  • V18: Sam Ruby [over 6 years ago]