[rspec-users] Testing arbitrary post action parameters

James Byrne lists at ruby-forum.com
Fri Jan 16 15:25:50 EST 2009


Pat Maddox wrote:

> I assume you don't though, cause that'd be kinda weird.  How about
> passing it in the POST params:
> 
> put users_url(user), :user => {:administrator => true}
> 
> Something along those lines...

That is the problem, I am not sure what syntax to use in the step 
definition. I tried this:

  visits "#{edit_user_path}?user[administrator]=1"

Which produces the same type of url that the RoR security guide uses in 
its examples:

http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1

Whereas I generate

 HTTP headers 
{"HTTP_REFERER"=>"http://www.example.com/account/edit?user[administrator]=1"}

But this URL attack does not seem to work as advertised.  The key 
"administrator" does not make it into the params hash:

200 OK [http://www.example.com/account/edit?user[administrator]=1]
REQUESTING PAGE: POST /account with {
"user"=>{
 "name_middle"=>"Middle-myuser",
 "password_confirmation"=>"",
 "username"=>"myuser",
 "password"=>"",
 "email"=>"myuser at example.com",
 "name_first"=>"First-myuser",
 "name_last"=>"Last-myuser"},
 "commit"=>"Update",
 "_method"=>"put"}

I realize this is a silly thing to ask, but how do you do this for 
testing?

-- 
Posted via http://www.ruby-forum.com/.
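
An added example, not part of the original post and not RSpec or Rails code: a plain-Ruby model of the two requests in the log above, showing that the query string on the edit page belongs to that GET only, and what a test observes when the key is placed in the submitted body instead, as Pat suggested. The `User` class, its `ACCESSIBLE` list, the form body and the helper names are constructed stand-ins.

```ruby
require "uri"

# Parse a Rails-style nested query string ("user[administrator]=1") into a
# nested hash. One level of nesting only, which is all this thread uses.
def parse_nested(query)
  URI.decode_www_form(query).each_with_object({}) do |(key, value), params|
    if key =~ /\A(\w+)\[(\w+)\]\z/
      (params[$1] ||= {})[$2] = value
    else
      params[key] = value
    end
  end
end

# Hypothetical stand-in for a model with an attribute whitelist.
class User
  ACCESSIBLE = %w[username email name_first name_last].freeze
  attr_reader :attributes

  def initialize
    @attributes = { "username" => "myuser", "administrator" => false }
  end

  # Unprotected mass assignment: every submitted key is written.
  def update_unprotected(params)
    @attributes.merge!(params)
  end

  # Whitelisted mass assignment: only ACCESSIBLE keys are written.
  def update_protected(params)
    @attributes.merge!(params.select { |key, _| ACCESSIBLE.include?(key) })
  end
end

# Request 1: GET of the edit page. The query string is parsed for this request only.
GET_PARAMS = parse_nested("user[administrator]=1")

# Request 2: the form submission (constructed body). Its params come from the
# form fields, so the key from request 1 is absent unless the test adds it here.
FORM_BODY = "user[username]=myuser&user[email]=myuser%40example.com&commit=Update&_method=put"
PUT_PARAMS = parse_nested(FORM_BODY)
INJECTED_PUT_PARAMS = parse_nested(FORM_BODY + "&user[administrator]=1")

# Apply one update style to a fresh user and report the administrator flag.
def admin_after(update_method, params)
  user = User.new
  user.public_send(update_method, params["user"])
  user.attributes["administrator"]
end
```

A test of the protection therefore asserts that `administrator` stays `false` after an update whose body carries the extra key, not after a visit to the edit page with the key in its URL.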

