Get HTML, XML, and JSON formatted views working for who_bought requests. Experiment with including the order information in the XML view by rendering
@product.to_xml(include: :orders). Do the same thing for JSON.
Hint: use builder templates for XML.
What happens if you click the “Checkout” button in the sidebar while the checkout screen is already displayed? Can you find a way to disable the button in this circumstance?
Hint: variables set in the controller are available in layouts and partials as well as in the directly rendered template.
The list of possible payment types is currently stored as a constant in the
Order class. Can you move this list into a database table? Can you still make validation work for the field?
Hint: Replace the
pay_type string with a
pay_type_id in the
Orders model, and use validates_presence_of to verify that this field is set.
Note that we did not add
order_id (or, for that matter,
quantity) to the
cessible line. This prevents mass assignment of these values by statements
is a good thing, as it prevents malicious users from creating their own
forms that modify an order after it is placed.
product_id is still accessible, it still is theoretically possible for a cracker
to substitute a more expensive item for a less expensive item. Close this
hole by removing
product_id from the accessible list.
Get the functional tests to pass once again by replacing the mass assign- ment in line item creation in the controller with specific assignments, but only to cart_id and not order_id. Modify the update test to verify that an exception is raised by making use of assert_raise