This addresses the remaining test failures @jasnow reported in issue #486.
Fixes:
1. Ambiguous Login button - Changed from click_button "Login" to
find("input[type='submit'][value='Login']").click to specifically
target the form submit button and avoid the header Login button
2. Fixed password_complexity_spec field names:
- user_email → email
- user_first_name → first_name
- user_last_name → last_name
- user_password → password
- user_password_confirmation → password_confirmation
- Submit → Create Account (correct button text)
3. Applied same selector fix to login helper in capybara_shared.rb
These changes complete the test suite fixes for the new UI that was
introduced in the file upload UX improvements.
Related: #486🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The password_hashing_spec was using 'pending unless verifying_fixed?' which caused
confusing output in maintainer mode:
- Before: "1 example, 0 failures, 1 pending" with "(compared using ==)" message
- After: "1 example, 0 failures" - clean output
The spec now uses conditional expectations:
- Training mode: expects password is NOT MD5 hashed (test fails, vulnerability exists)
- Maintainer mode: expects password IS MD5 hashed (test passes, verifies vulnerability)
This addresses the "(compared using ==)" error message that @jasnow reported in issue #486.
Related to #486
Fixes test suite to run cleanly across different platforms (macOS, Linux, Windows)
after the Rails 5→8 upgrade and UI/UX overhaul.
## Issues Fixed
1. **Firefox/Selenium driver errors**: Removed deprecated Poltergeist/PhantomJS
configuration and properly configured Selenium with headless Chrome. This
works across all platforms without requiring Firefox.
2. **CSS selector errors** ('Unable to find css ".signup"'): The UI/UX overhaul
removed the .signup CSS class. Updated the login helper to work with the
new login form structure.
3. **Ambiguous Login button**: The new UI has both a Login button and Login link.
Changed from `click_on "Login"` to `click_button "Login"` to be specific.
4. **Deprecation warning**: Opted into Rails 8.1 behavior for to_time timezone
preservation to eliminate deprecation warnings.
## Changes
- spec/support/capybara_shared.rb:
* Removed deprecated Poltergeist/PhantomJS configuration
* Configured Selenium with headless Chrome
* Updated login helper to work with new UI (removed .signup/.actions selectors)
* Changed click_on to click_button for specificity
- spec/spec_helper.rb:
* Removed conflicting Capybara.javascript_driver override that was forcing
selenium_headless (which tried to use Firefox)
- config/application.rb:
* Added config.active_support.to_time_preserves_timezone = :zone to opt into
Rails 8.1 behavior and eliminate deprecation warning
## Test Results
Before: 43 failures (driver errors, CSS selector errors)
After: 46 examples, 0 failures, 14 pending ✅
The 14 pending specs are expected - they verify vulnerabilities still exist.
## Platform Requirements
JavaScript tests now require Chrome/Chromium to be installed:
- macOS: Chrome is usually installed
- Ubuntu: `sudo apt-get install chromium-browser chromium-chromedriver`
- Windows: Chrome is usually installed
Fixes#486🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This major upgrade brings RailsGoat up to date with the latest versions:
- Ruby 2.6.5 → 3.3.6
- Rails 6.0.0 → 8.0.4
## Key Changes
### Dependencies
- Upgraded all gems to Rails 8-compatible versions
- Removed deprecated gems: therubyracer, coffee-rails, poltergeist,
travis-lint, rails-perftest, unicorn, powder, rubocop-github
- Updated puma to 6.6.1, sqlite3 to 2.8.1, rspec-rails to 8.0.2
- Added modern Rails 8 features: importmap-rails, stimulus-rails, turbo-rails
- Replaced poltergeist with selenium-webdriver for integration tests
### Code Changes
- Converted CoffeeScript files to plain JavaScript
- Updated test configuration to use Selenium headless driver
- Updated database schema to Rails 8 format
## Testing
- Application starts successfully and responds to requests
- Test suite runs with 23 examples (14 intentional vulnerability failures)
- Database migrations applied successfully
## Notes
This upgrade maintains all intentional security vulnerabilities that make
RailsGoat an effective training tool. The failing tests are expected and
demonstrate the vulnerabilities the application is designed to teach.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* use bang version of save methods in the seeds file, so that when you fix validation,
it will at least explode, rather than silently failing to create users
* fix two tests where passwords are hardcoded so that they use stronger passwords,
since password complexity is not the important bit of either of those tests.
When the database is empty, which can happen in the test database and in
the dev database if the seeds.rb aren't applied, the assign_user_id
method would not assign an id and the newer before_filter block to
generate_token would fail.
UserFixture had a password on it that wouldn't pass the new validation
rules once that vulnerability is patched.
Ken Johnson