[rspec-users] restful_authentication's "permission_denied" and rspec

Nick Hoffman nick at deadorange.com
Sat Nov 22 13:38:53 EST 2008

On 2008-11-21, at 09:20, Ramon Tayag wrote:
> Hi everyone,
> With restful_authentication you get a method "permission_denied" that
> you just slap onto the controller when you don't want a user to gain
> access to something.  In this method Rails does a bunch of stuff then
> basically tries to be smart and redirects the user somewhere else.
> I want to test that this occurs given certain conditions but I don't
> know how to "should_receive" this or something.
> This definitely doesn't work but it should explain what I'm trying  
> to do:
> controller.should_receive(:permission_denied)
> How would I go about this?
> Thank you,
> Ramon Tayag

Hi Ramon. I use Authlogic rather than restful-authentication, but the  
premise should be the same. When I was writing my various controller  
authorisation specs, rather than writing specs for details such as  
"was #deny_access called?" or "was #admin_must_be_logged_in called?",  
I focussed on speccing behaviour.

For example, for the scenario that a logged-in user tries to access  
UsersController#destroy, I check that a flash message is set, and  
that they're redirected to their account page:

Now, that's not to say that method is the best way of speccing this.  
I'm sure others can chime in here.
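
The behaviour-first approach described in the reply above, as an added example that is not part of the original message and is not restful_authentication or Authlogic code. It uses a plain-Ruby stand-in for a controller (`FakeUsersController`, the paths and the flash text are all assumptions) and checks only outcomes: where the request is redirected, which flash is set, and whether the record still exists.

```ruby
# Plain-Ruby stand-in for a Rails controller (constructed for illustration;
# FakeUsersController, Response and every path here are hypothetical).
Response = Struct.new(:redirect_to, :flash)

class FakeUsersController
  def initialize(current_user, users)
    @current_user = current_user
    @users = users
  end

  # Runs the filter first; the action body runs only if the filter did not redirect.
  def destroy(id)
    @response = Response.new(nil, {})
    admin_required
    return @response if @response.redirect_to # filter halted the request
    @users.delete(id)
    @response.redirect_to = "/users"
    @response
  end

  private

  def admin_required
    permission_denied unless @current_user && @current_user[:admin]
  end

  # This helper can be renamed or replaced; the checks below never mention it.
  def permission_denied
    @response.flash[:error] = "You don't have permission to do that."
    @response.redirect_to = @current_user ? "/account" : "/login"
  end
end

# Observable outcome of "destroy user 2" for a given visitor (constructed data).
def destroy_outcome(visitor)
  users = { 1 => "admin", 2 => "target" }
  response = FakeUsersController.new(visitor, users).destroy(2)
  { redirect: response.redirect_to, flash: response.flash[:error],
    record_survives: users.key?(2) }
end

OUTCOMES = {
  anonymous: destroy_outcome(nil),
  user:      destroy_outcome({ id: 3, admin: false }),
  admin:     destroy_outcome({ id: 1, admin: true })
}
```

Checking `record_survives` alongside the redirect matters for authorisation specs: a redirect alone does not show that the protected action was skipped.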


