Modify the user update function to require and validate the current password before allowing a user’s password to be changed.
Hint: you can add markup specific to a particular action in
_form.html.erb by adding an if check ensuring that
params[:action] is the one you want.
Hint: you can simultaneously retrieve and remove the non-database field from the
params hash by using the delete method.
When the system is freshly installed on a new machine, there are no administrators defined in the database, and hence no administrator can log on. But, if no administrator can log on, then no one can create an administrative user. Change the code so that if no administrator is defined in the database, any username works to log on (allowing you to quickly create a real administrator).
User.count.zero? can be used to determine if there are any existing users.
Experiment with rails console. Try creating products, orders, and line items. Watch for the return value when you save a model object—when validation fails, you’ll see false returned. Find out why by examining the errors.
Hint: check out the documentation for full_messages
Look up the authenticate_or_request_with_http_basic() method and utilize it in your :authorize filter if the request.format is not Mime::HTML. Test that it works by accessing an Atom feed.
Hint: check out the documentation for authenticate_or_request_with_http_basic
While we have gotten our tests working by performing a login, we haven’t yet written tests that verify that access to sensitive data requires login. Write at least one test that verifies this by calling logout() and then attempting to fetch or update some data which requires authentication.
Hint: authentication errors result in redirections to