[rspec-users] Testing arbitrary post action parameters

Pat Maddox pergesu at gmail.com
Fri Jan 16 13:12:45 EST 2009

On Fri, Jan 16, 2009 at 10:00 AM, James Byrne <lists at ruby-forum.com> wrote:
> I am working on our (newly renamed) authentication feature.  The current
> scenario is:
>  Scenario: Non-administrators should not set administrator ability
>    Given I have no users
>      And I add a user named "admin" as an administrator
>      And I add a user named "myuser" as not an administrator
>    When the user named "myuser" authenticates
>      And the user enables the administrator role
>    Then the user named "myuser" should not be an administrator
> Now, what I am looking for is an example of how an authenticated user
> would craft a post request in their browser to set the
> user.administrator flag to true.
> Crafting these sorts of http requests may be obvious and simple to some
> of you, but I have no clue how this is done.

Well, do you have a "set administrator" button?  Use webrat to click
it if you do.

I assume you don't though, cause that'd be kinda weird.  How about
passing it in the POST params:

put users_url(user), :user => {:administrator => true}

Something along those lines...

> On some lists, asking questions on how to breach security are themselves
> a breach of list etiquette.  If this is the case here then I ask your
> indulgence and the favour of a private reply if that is deemed more
> suitable.  I do require the information though, since I have to defend
> against it.

Asking how to test a security feature that you're building is very
different from asking how to hack somebody's site :)
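As an added illustration that is not part of the thread: the request the scenario worries about is nothing more exotic than a form body carrying a `user[administrator]` field the form never rendered. The script below (stand-alone Ruby, no Rails) builds that body, parses it the way Rails' nested params would, and feeds it to two stand-ins for the `User` model: one that mass-assigns every key it receives (the behaviour the scenario must catch) and one that filters against an allowlist of writable attributes (the role `attr_accessible` plays in Rails). Class names, the `administrator` attribute and the `update_from_request` helper are assumptions for the demo; the Cucumber step itself would issue the `put users_url(user), :user => {...}` call shown above.

```ruby
# Added example, not code from the rspec-users thread. Demonstrates the forged
# body behind "the user enables the administrator role" and why an attribute
# allowlist defeats it. Model classes are hypothetical stand-ins, not Rails.
require 'uri'

# Turn a form-encoded body such as "user[name]=myuser&user[administrator]=true"
# into a nested hash (one level of nesting, which is all this demo needs).
def parse_nested_form(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), params|
    if key =~ /\A(\w+)\[(\w+)\]\z/
      (params[$1] ||= {})[$2] = value
    else
      params[key] = value
    end
  end
end

# Constructed body a non-administrator could submit from the browser. The
# "_method=put" field is Rails' override that routes a POST as an update.
FORGED_BODY = URI.encode_www_form(
  '_method'             => 'put',
  'user[name]'          => 'myuser',
  'user[administrator]' => 'true'
)

# Stand-in for a model with no attribute protection.
class VulnerableUser
  attr_accessor :name
  attr_reader :administrator

  def initialize(name, administrator = false)
    @name = name
    @administrator = administrator
  end

  # Coerce the form string the way a boolean column would.
  def administrator=(value)
    @administrator = (value == true || value.to_s == 'true')
  end

  # Mass assignment: every key in the hash becomes a setter call, so a
  # forged "administrator" key flips the flag.
  def attributes=(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Same model with an allowlist: only listed attributes are writable from
# request params (the hypothetical analogue of attr_accessible :name).
class ProtectedUser < VulnerableUser
  ACCESSIBLE = %w[name].freeze

  def attributes=(attrs)
    super(attrs.select { |key, _| ACCESSIBLE.include?(key.to_s) })
  end
end

# Controller-shaped helper (hypothetical): apply the "user" params to a record.
def update_from_request(user, body)
  params = parse_nested_form(body)
  user.attributes = params.fetch('user')
  user
end

if $PROGRAM_NAME == __FILE__
  puts "body sent by myuser: #{FORGED_BODY}"
  puts "vulnerable model administrator? #{update_from_request(VulnerableUser.new('myuser'), FORGED_BODY).administrator}"
  puts "protected model administrator?  #{update_from_request(ProtectedUser.new('myuser'), FORGED_BODY).administrator}"
end
```

In the real scenario the "Then" step should reload `myuser` from the database rather than inspect the in-memory object, otherwise a model that silently drops the key and one that never saved at all look the same to the test.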


