On Fri, Jan 16, 2009 at 10:00 AM, James Byrne <[email protected]> wrote:
> I am working on our (newly renamed) authentication feature. The current
> scenario is:
>
> Scenario: Non-administrators should not set administrator ability
> Given I have no users
> And I add a user named "admin" as an administrator
> And I add a user named "myuser" as not an administrator
> When the user named "myuser" authenticates
> And the user enables the administrator role
> Then the user named "myuser" should not be an administrator
>
> Now, what I am looking for is an example of how an authenticated user
> would craft a post request in their browser to set the
> user.administrator flag to true.
>
> Crafting these sorts of HTTP requests may be obvious and simple to some
> of you, but I have no clue how this is done.
Well, do you have a "set administrator" button? Use webrat to click
it if you do.
I assume you don't though, cause that'd be kinda weird. How about
passing it in the POST params:
put user_url(user), :user => {:administrator => true}
Something along those lines...
> On some lists, asking questions on how to breach security is itself
> a breach of list etiquette. If this is the case here then I ask your
> indulgence and the favour of a private reply if that is deemed more
> suitable. I do require the information though, since I have to defend
> against it.
Asking how to test a security feature that you're building is very
different from asking how to hack somebody's site :)
Pat
_______________________________________________
rspec-users mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/rspec-users
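The point of the scenario above is a mass-assignment check: the request body carries user[administrator]=true, and the model must not honour it. The following is an added example, not code from either poster and not Rails' own API; it models Rails-style mass assignment in plain Ruby so it runs without a Rails app, and the names User, ACCESSIBLE, assign_params and assign_params_unprotected are constructed for this illustration. It shows the unprotected model being promoted by the suggested PUT params and the whitelisted model (the idea behind attr_accessible) rejecting the administrator key, which is exactly what the "should not be an administrator" step has to observe.

```ruby
# Added example (not from the thread): plain-Ruby model of Rails-style
# mass assignment and the whitelist that blocks privilege escalation.
# User, ACCESSIBLE, assign_params and assign_params_unprotected are
# constructed names for this example, not Rails' or the poster's API.

class User
  attr_reader :name, :administrator

  # Whitelist of attributes a client may set via request params (constructed).
  # The administrator flag is deliberately absent.
  ACCESSIBLE = %w[name].freeze

  def initialize(name, administrator: false)
    @name = name
    @administrator = administrator
  end

  # Unprotected variant: every key in params becomes a writable attribute,
  # so a client sending user[administrator]=true flips the flag.
  def assign_params_unprotected(params)
    params.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Hardened variant: only whitelisted keys are applied; the rest are dropped
  # and returned so the caller can log the rejected attempt.
  def assign_params(params)
    rejected = {}
    params.each do |key, value|
      if ACCESSIBLE.include?(key.to_s)
        instance_variable_set("@#{key}", value)
      else
        rejected[key.to_s] = value
      end
    end
    rejected
  end
end

# The request body the reply suggests, as Rails would parse it from a PUT
# to the user's URL with user[administrator]=true (constructed sample).
SUBMITTED_PARAMS = { "name" => "myuser", "administrator" => true }.freeze

# The thread's scenario as a check on the hardened model: "myuser" stays a
# non-administrator and the offending key is reported.
def non_admin_cannot_self_promote
  user = User.new("myuser", administrator: false)
  rejected = user.assign_params(SUBMITTED_PARAMS)
  { administrator: user.administrator, rejected_keys: rejected.keys }
end

# The same request against the unprotected model: the flag is set.
def unprotected_model_is_promoted
  user = User.new("myuser", administrator: false)
  user.assign_params_unprotected(SUBMITTED_PARAMS).administrator
end

if __FILE__ == $0
  p non_admin_cannot_self_promote  # {:administrator=>false, :rejected_keys=>["administrator"]}
  p unprotected_model_is_promoted  # true
end
```

In a real Rails spec the PUT is the thing under test, so the step that follows it should reload the user from the database before asserting on the flag; asserting on the in-memory object that the step created would miss a controller that writes the attribute anyway.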