In the past we've done the following:
Story: Users without hierarchy manager role accessing the hierarchy
In order to ensure users that shouldn't have access to the hierarchy don't
As a user who isn't a hierarchy manager
I should not be able to access the hierarchy
Scenario: Non hierarchy manager attempting to access locations
Given I've logged in as a user without the 'hierarchy manager' role
When I try to GET /locations
Then I am notified that I do not have access to that
More Examples:
| role              | request_method | path         |
| hierarchy manager | POST           | /locations   |
| hierarchy manager | PUT            | /locations/1 |
| hierarchy manager | DELETE         | /locations/1 |
etc ....
The "Then" step ensures that the user is redirected to an access
denied page. Granted, this doesn't go to the granularity you may be
trying to get at, but knowing you aren't actually getting through to
the underlying action (by being redirected to the access denied page)
has worked well for me.
Zach
On Fri, Jan 16, 2009 at 3:25 PM, James Byrne <[email protected]> wrote:
> Pat Maddox wrote:
>
>> I assume you don't though, cause that'd be kinda weird. How about
>> passing it in the POST params:
>>
>> put users_url(user), :user => {:administrator => true}
>>
>> Something along those lines...
>
> That is the problem, I am not sure what syntax to use in the step
> definition. I tried this:
>
> visits "#{edit_user_path}?user[administrator]=1"
>
> Which produces the same type of url that the RoR security guide uses in
> its examples:
>
> http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
>
> Whereas I generate
>
> HTTP headers
> {"HTTP_REFERER"=>"http://www.example.com/account/edit?user[administrator]=1"}
>
> But this URL attack does not seem to work as advertised. The key
> "administrator" does not make it into the params hash:
>
> 200 OK [http://www.example.com/account/edit?user[administrator]=1]
> REQUESTING PAGE: POST /account with {
> "user"=>{
> "name_middle"=>"Middle-myuser",
> "password_confirmation"=>"",
> "username"=>"myuser",
> "password"=>"",
> "email"=>"[email protected]",
> "name_first"=>"First-myuser",
> "name_last"=>"Last-myuser"},
> "commit"=>"Update",
> "_method"=>"put"}
>
> I realize this is a silly thing to ask, but how do you do this for
> testing?
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> rspec-users mailing list
> [email protected]
> http://rubyforge.org/mailman/listinfo/rspec-users
>
--
Zach Dennis
http://www.continuousthinking.com
http://www.mutuallyhuman.com
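The two checks discussed in this thread (the role/method/path table that must always end at the access denied page, and James's mass-assignment probe of user[administrator]) can be run against a stand-in app without a Rails stack. The following is an added example written for this page; it is not code from the thread, from Cucumber or from Rails. The App class, its routes, the 'hierarchy manager' role name, the /access_denied location, the email-only whitelist and the one-level nested-query parser are all assumptions made for illustration. The point it shows is Pat's: put the attacker-controlled key in the body of the PUT itself, not in the query string of the edit page that a form is later built from, and then assert on the model.

```ruby
# Added example, not from the thread or from Rails: a pure-Ruby stand-in
# for the app under test. Routes, role name, whitelist and the mini
# nested-query parser are assumptions for illustration.
require 'cgi'

User = Struct.new(:username, :roles, :administrator, :email)

# Parse "user[administrator]=1&user[email]=x" into
# {"user" => {"administrator" => "1", "email" => "x"}}.
# One level of nesting only; a stand-in for Rack's nested query parser.
def parse_nested_query(query)
  query.to_s.split('&').each_with_object({}) do |pair, out|
    key, value = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    if key =~ /\A(\w+)\[(\w+)\]\z/
      (out[$1] ||= {})[$2] = value
    else
      out[key] = value
    end
  end
end

class App
  ACCESS_DENIED = '/access_denied'.freeze
  MANAGER_ROLE  = 'hierarchy manager'.freeze
  # Only these user attributes may be set from params (the attr_accessible idea).
  ACCESSIBLE_USER_ATTRS = %w[email].freeze

  # Routes guarded by the hierarchy manager role (assumed for the example).
  HIERARCHY_ROUTES = {
    'GET'    => %r{\A/locations\z},
    'POST'   => %r{\A/locations\z},
    'PUT'    => %r{\A/locations/\d+\z},
    'DELETE' => %r{\A/locations/\d+\z},
  }.freeze

  # Dispatch one request. Returns [status, headers]; bodies are omitted.
  def call(method, path, current_user, body = '')
    params = parse_nested_query(body)
    if (route = HIERARCHY_ROUTES[method]) && route.match?(path)
      return [302, { 'Location' => ACCESS_DENIED }] unless current_user.roles.include?(MANAGER_ROLE)
      return [200, {}]
    end
    if method == 'PUT' && path == '/account'
      update_account(current_user, params.fetch('user', {}))
      return [302, { 'Location' => '/account' }]
    end
    [404, {}]
  end

  private

  # Mass assignment restricted to the whitelist; 'administrator' is dropped.
  def update_account(user, attrs)
    attrs.each do |name, value|
      next unless ACCESSIBLE_USER_ATTRS.include?(name)
      user[name] = value
    end
  end
end

# The scenario table from the thread. For a user without the role every
# row should end at the access denied page; with the role, none should.
SCENARIO_TABLE = [
  ['GET', '/locations'], ['POST', '/locations'],
  ['PUT', '/locations/1'], ['DELETE', '/locations/1'],
].freeze

# Returns { [method, path] => redirected_to_access_denied? } for one user.
def access_denied_matrix(app, user)
  SCENARIO_TABLE.each_with_object({}) do |(method, path), out|
    status, headers = app.call(method, path, user)
    out[[method, path]] = (status == 302 && headers['Location'] == App::ACCESS_DENIED)
  end
end

# The probe James wants: the hostile key travels in the PUT body, and the
# assertion is on the model, not on the params hash the edit page sent.
def administrator_escalation_blocked?(app, user)
  app.call('PUT', '/account', user, 'user[administrator]=1&user[email]=new%40example.com')
  user.email == 'new@example.com' && user.administrator == false
end

if $PROGRAM_NAME == __FILE__
  app = App.new
  plain   = User.new('myuser', [], false, 'old@example.com')
  manager = User.new('boss', ['hierarchy manager'], false, 'boss@example.com')
  p access_denied_matrix(app, plain)               # every row true
  p access_denied_matrix(app, manager)             # every row false
  p administrator_escalation_blocked?(app, plain)  # true
end
```

In a real Cucumber step the equivalent of the last check is the request Pat showed, `put users_url(user), :user => {:administrator => true}`, followed by reloading the record and asserting `administrator` is still false; the whitelisted attribute in the same request is there to prove the update path itself ran, so a passing assertion cannot be explained by the request never reaching the action.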