On Mon, Jan 17, 2011 at 9:48 AM, Ants Pants <[email protected]> wrote:
> Hello all,
>
> From what I've seen, this type of question doesn't really seem to get an
> answer on this list as most of the replies relate to failures of RSpec. If
> this is the case, where is the best place to go to get advice about best
> practices etc?
>
> I have a question about best practice. In some of my controllers only an
> admin user can perform edit, update, show etc. So I have a before filter in
> those controllers; ApplicationController#authorise_is_admin
>
> The ApplicationController#authorise_is_admin throws an AccessDenied
> exception and that is caught in ApplicationController#access_denied
>
> My question is, in the spec for the calling controller, let's say
> ProductGroups, what should I spec?
>
> I have a context "user is admin" and that's easy to spec, but the context
> "user is not admin" is where I'm stuck as no actions are performed in that
> controller but I would just like to cover that failure somehow.
>
Interesting question. I had the same dilemma and decided that it took too
much effort and test code to test this at the controller level. What I do
(and this may or may not work for you depending on your app's security
needs), is to have an authorize method in the User model. It returns success
or failure based on the controller and action passed. The model looks
something like this:
  # set_autorize_failure_value, authorize_success_message and LOGIN_NOTICE are
  # defined elsewhere in the model; both helpers return a Hash with a :success
  # key (see the spec below).
  def authorize(controller_name, action_name)
    if self.role
      current_role = self.role.name
    else
      # guest user is empty user
      current_role = 'guest'
    end

    case controller_name
    when 'activations'
      if current_role != 'guest'
        return set_autorize_failure_value("You are already logged in to the " \
          "system. If you are activating a new user please log out first and try " \
          "again.")
      end
      return authorize_success_message
    when 'feedback_supports'
      if current_role == 'guest' || current_role == 'sysadmin'
        return set_autorize_failure_value(LOGIN_NOTICE)
      end
      return authorize_success_message
    # ...
    end
  end
Then in the spec it is real easy:
  describe "user authorization - guest role" do
    it "is authorized to access certain pages only" do
      user = User.new   # no role assigned, so authorize treats it as 'guest'
      user.authorize('activations', 'create')[:success].should == true
      user.authorize('home', 'index')[:success].should == false
      # ...
    end
  end
This might not be everyone's cup of tea and I am sure I can refactor and
make this less verbose, but what I like is having the 'dna' of all my access
rights app wide in one place.
> Any advice?
>
> Thanks in advance.
>
> -ants
>
> _______________________________________________
> rspec-users mailing list
> [email protected]
> http://rubyforge.org/mailman/listinfo/rspec-users
>
_______________________________________________
rspec-users mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/rspec-users
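Added example, not code from either poster's app: a stand-alone Ruby version of the "all access rights in one place" idea above, written so the original question (how to cover the "user is not admin" failure) can be asserted as well. It goes a little beyond the reply in two ways. First, the rights live in a permission table rather than a case statement, and anything not in the table is denied; a Ruby case with no else branch returns nil for an unlisted controller, so a spec calling `[:success]` on it would raise NoMethodError instead of returning false. Second, handle_request plays the role of the before filter plus the AccessDenied rescue, so the denied path produces an inspectable 403 result instead of nothing happening in the controller. The names AuthorizationPolicy, PERMISSIONS, handle_request, AccessDenied and the role and message strings are assumptions for this example; the thread's app uses its own helpers (set_autorize_failure_value, authorize_success_message, LOGIN_NOTICE), which are not shown.

```ruby
# Added example (not the thread's code). Names below are assumed for illustration.

# Raised by the before-filter-style guard when the policy says no.
AccessDenied = Class.new(StandardError)

Role = Struct.new(:name)

module AuthorizationPolicy
  # controller => { action => roles allowed }. This table is the single place
  # access rights are declared; anything not listed here is denied.
  # (Constructed sample table; the real app's controllers and roles differ.)
  PERMISSIONS = {
    'activations'       => { 'new' => %w[guest], 'create' => %w[guest] },
    'feedback_supports' => { 'new' => %w[member admin], 'create' => %w[member admin] },
    'home'              => { 'index' => %w[member admin sysadmin] },
    'product_groups'    => {
      'index'  => %w[member admin],
      'show'   => %w[admin],
      'edit'   => %w[admin],
      'update' => %w[admin],
    },
  }.freeze

  LOGIN_NOTICE      = 'You must log in to do that.'
  ALREADY_LOGGED_IN = 'You are already logged in. Log out first to activate a new user.'

  # Returns { success: true/false, message: String or nil }, the same shape the
  # thread's spec reads with [:success].
  def self.check(role_name, controller_name, action_name)
    allowed = PERMISSIONS.fetch(controller_name, {})[action_name]
    # Default deny: unknown controller or action is a failure, never nil.
    return failure("No access to #{controller_name}##{action_name}.") if allowed.nil?
    return success if allowed.include?(role_name)

    if controller_name == 'activations'
      failure(ALREADY_LOGGED_IN)          # logged-in users may not activate
    elsif role_name == 'guest'
      failure(LOGIN_NOTICE)               # anonymous user hitting a member page
    else
      failure("Role '#{role_name}' may not #{controller_name}##{action_name}.")
    end
  end

  def self.success
    { success: true, message: nil }
  end

  def self.failure(message)
    { success: false, message: message }
  end
end

class User
  attr_reader :role

  def initialize(role = nil)
    @role = role
  end

  # A user with no role is treated as a guest, as in the thread's model.
  def role_name
    role ? role.name : 'guest'
  end

  def authorize(controller_name, action_name)
    AuthorizationPolicy.check(role_name, controller_name, action_name)
  end

  # Raising form, for use from a before filter.
  def authorize!(controller_name, action_name)
    result = authorize(controller_name, action_name)
    raise AccessDenied, result[:message] unless result[:success]
    result
  end
end

# Stand-in for ApplicationController: the before filter calls authorize!, and
# the AccessDenied rescue turns the exception into a 403 response so the action
# body never runs. Returns a Hash the spec can assert on.
def handle_request(user, controller_name, action_name)
  user.authorize!(controller_name, action_name)
  { status: 200, body: "#{controller_name}##{action_name} ran" }
rescue AccessDenied => e
  { status: 403, body: e.message }
end

if __FILE__ == $PROGRAM_NAME
  guest = User.new
  admin = User.new(Role.new('admin'))
  p handle_request(guest, 'product_groups', 'edit')   # status 403
  p handle_request(admin, 'product_groups', 'edit')   # status 200
end
```

With this shape the "user is not admin" context for ProductGroups is a one-line assertion on the 403 result, and the model-level spec from the reply still works unchanged: `User.new.authorize('activations', 'create')[:success]` is true and `User.new.authorize('home', 'index')[:success]` is false.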