Get HTML, XML, and JSON formatted views working for who_bought requests. Experiment with including the order information in the XML view by rendering
@product.to_xml(include: :orders). Do the same thing for JSON.
Hint: use builder templates for XML.
What happens if you click the “Checkout” button in the sidebar while the checkout screen is already displayed? Can you find a way to disable the button in this circumstance?
Hint: variables set in the controller are available in layouts and partials as well as in the directly rendered template.
The list of possible payment types is currently stored as a constant in the
Order class. Can you move this list into a database table? Can you still make validation work for the field?
Hint: Replace the
pay_type string with a
pay_type_id in the
Orders model, and use validates_presence_of to verify that this field is set.
Note that we did not add order_id (or, for that matter, quantity) to the attr_ac- cessible line. This prevents mass assignment of these values by statements such as LineItem.new(params[:line_item]) in app/controllers/line_items_controller.rb. This is a good thing, as it prevents malicious users from creating their own forms that modify an order after it is placed. As product_id is still accessible, it still is theoretically possible for a cracker to substitute a more expensive item for a less expensive item. Close this hole by removing product_id from the accessible list. Get the functional tests to pass once again by replacing the mass assign- ment in line item creation in the controller with specific assignments, but only to cart_id and not order_id. Modify the update test to verify that an exception is raised by making use of assert_raise()