ENV["RAILS_ENV"] = "test"
require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
require 'test_help'

class Test::Unit::TestCase
  # Transactional fixtures accelerate your tests by wrapping each test method
  # in a transaction that's rolled back on completion.  This ensures that the
  # test database remains unchanged so your fixtures don't have to be reloaded
  # between every test method.  Fewer database queries means faster tests.
  #
  # Read Mike Clark's excellent walkthrough at
  #   http://clarkware.com/cgi/blosxom/2005/10/24#Rails10FastTesting
  #
  # Every Active Record database supports transactions except MyISAM tables
  # in MySQL.  Turn off transactional fixtures in this case; however, if you
  # don't care one way or the other, switching from MyISAM to InnoDB tables
  # is recommended.
  self.use_transactional_fixtures = true

  # Instantiated fixtures are slow, but give you @david where otherwise you
  # would need people(:david).  If you don't want to migrate your existing
  # test cases which use the @david style and don't mind the speed hit (each
  # instantiated fixtures translates to a database query per test method),
  # then set this back to true.
  self.use_instantiated_fixtures  = false

  # Log in the default user
  def put_user
    @request.session[:user] = Account.find 1
  end
  
  # Log in a user that has administrative privilege.
  def put_admin
    account = Account.new
    account.admin = true
    @request.session[:user] = account
    account.save_with_validation false
  end
  
  def assert_user_logged_in
    assert(@response.has_session_object?(:user))
  end
  
  def assert_user_logged_out
    assert(!@response.has_session_object?(:user))
  end
    
  # Given a list of method names (of the controller), creates a dynamic test
  # method that will log in a user, then call that method and expect it to
  # fail with a SecurityError. This is useful for ensuring that that method
  # performs proper authentication check, so that the privileged user must be
  # logged in before the action can be called.
  # Currently, this method only uses GET to call the action.
  def self.privileged_actions(*actions)
    for action in actions
      module_eval "def test_privilege_check_#{action}; put_user; " +
      " assert_raise(SecurityError) { get :#{action}, :id => 2; }; end"
    end
  end
  
  def self.check_input_sanitation(model_name)
    module_eval "def test_escape_untrusted_input();" +
      "assert_untrusted_input_escaped('#{model_name}.find 1');" +
      "end "
  end

  Dangerous_Input = "<script/>"
  def assert_untrusted_input_escaped(instance_expr)
    obj = eval(instance_expr)
    obj.attributes.each_key { |key|
      return if obj.instance_eval("(@input_sanitization_exceptions || []).include? :#{key}")

      copy = obj.clone
      copy.send key + '=', Dangerous_Input
      
      # Test for escape only if we managed to successfully persist the
      # field; else it was probably some validation error.
      if obj.save then
        assert_not_equal Dangerous_Input, copy.send(key),
          "Attribute '#{key}' is not properly sanitized."
      end
    }
  end

  # Add more helper methods to be used by all tests here...
end