[rspec-users] Testing arbitrary post action parameters

James Byrne lists at ruby-forum.com
Fri Jan 16 13:00:36 EST 2009

I am working on our (newly renamed) authentication feature.  The current
scenario is:

  Scenario: Non-administrators should not set administrator ability
    Given I have no users
      And I add a user named "admin" as an administrator
      And I add a user named "myuser" as not an administrator
    When the user named "myuser" authenticates
      And the user enables the administrator role
    Then the user named "myuser" should not be an administrator

Now, what I am looking for is an example of how an authenticated user
would craft a post request in their browser to set the
user.administrator flag to true.

Crafting these sorts of http requests may be obvious and simple to some
of you, but I have no clue how this is done.

On some lists, asking questions on how to breach security are themselves
a breach of list etiquette.  If this is the case here then I ask your
indulgence and the favour of a private reply if that is deemed more
suitable.  I do require the information though, since I have to defend
against it.
Posted via http://www.ruby-forum.com/.

More information about the rspec-users mailing list