[rspec-users] Testing arbitrary post action parameters

Zach Dennis zach.dennis at gmail.com
Fri Jan 16 16:24:44 EST 2009

In the past we've done the following:

Story: Users without hierarchy manager role accessing the hierarchy

  In order to ensure users that shouldn't have access to the hierarchy don't
  As a user who isn't a hierarchy manager
  I should not be able to access the hierarchy

  Scenario: Non hierarchy manager attempting to access locations
    Given I've logged in as a user without the 'hierarchy manager' role
    When I try to GET /locations
    Then I am notified that I do not have access to that

    More Examples:
    | role              | request_method | path         |
    | hierarchy manager | POST           | /locations   |
    | hierarchy manager | PUT            | /locations/1 |
    | hierarchy manager | DELETE         | /locations/1 |
    etc ....

The "Then" step ensures that the user is redirected to an access
denied page.  Granted, this doesn't go the granularity you may be
trying to get at, but knowing you aren't actually getting through to
the underlying action (by being redirected to the access denied page)
has worked well for me,


On Fri, Jan 16, 2009 at 3:25 PM, James Byrne <lists at ruby-forum.com> wrote:
> Pat Maddox wrote:
>> I assume you don't though, cause that'd be kinda weird.  How about
>> passing it in the POST params:
>> put users_url(user), :user => {:administrator => true}
>> Something along those lines...
> That is the problem, I am not sure what syntax to use in the step
> definition. I tried this:
>  visits "#{edit_user_path}?user[administrator]=1"
> Which produces the same type of url that the RoR security guide uses in
> its examples:
> http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
> Whereas I generate
>  HTTP headers
> {"HTTP_REFERER"=>"http://www.example.com/account/edit?user[administrator]=1"}
> But this URL attack does not seem to work as advertised.  The key
> "administrator" does not make it into the params hash:
> 200 OK [http://www.example.com/account/edit?user[administrator]=1]
> REQUESTING PAGE: POST /account with {
> "user"=>{
>  "name_middle"=>"Middle-myuser",
>  "password_confirmation"=>"",
>  "username"=>"myuser",
>  "password"=>"",
>  "email"=>"myuser at example.com",
>  "name_first"=>"First-myuser",
>  "name_last"=>"Last-myuser"},
>  "commit"=>"Update",
>  "_method"=>"put"}
> I realize this is a silly thing to ask, but how do you do this for
> testing?

Zach Dennis
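The thread turns on two things: how a query string or form body such as `user[administrator]=1` is turned into the nested `params` hash, and why a whitelist of assignable attributes (the idea behind Rails' `attr_accessible`) keeps a key like `administrator` from ever reaching the model. The following is an added example written for this page, not code from the original posts or from Rails. It is plain Ruby with no Rails or Rack dependency: the nested-query parser, the `User` struct, the `USER_ACCESSIBLE` list and the helper names are all constructed here to illustrate the mechanism, and the sample body mirrors the field names James posted.

```ruby
# Added example (not from the thread): nested-param parsing plus an
# attribute whitelist, so a test can show that "user[administrator]=1"
# is parsed but never assigned. Pure Ruby; no Rails or Rack required.
require 'cgi'

# Parse "a[b][c]=v&d=w" into {"a"=>{"b"=>{"c"=>"v"}}, "d"=>"w"}, following
# the bracket convention Rack/Rails use for nested params (simplified:
# no array "[]" keys).
def parse_nested_query(query)
  params = {}
  query.to_s.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split('=', 2)
    key   = CGI.unescape(raw_key)
    value = CGI.unescape(raw_value.to_s)
    # "user[administrator]" -> ["user", "administrator"]
    head     = key[/\A[^\[]+/] || ''
    segments = [head] + key.scan(/\[([^\]]*)\]/).flatten
    node = params
    segments[0...-1].each do |seg|
      node[seg] = {} unless node[seg].is_a?(Hash)   # overwrite scalar on conflict
      node = node[seg]
    end
    node[segments.last] = value
  end
  params
end

# Constructed whitelist of attributes a user may set on their own account.
# "administrator" is deliberately absent.
USER_ACCESSIBLE = %w[username email name_first name_middle name_last
                     password password_confirmation].freeze

# Returns [permitted, rejected]. Rejected keys are what a defender wants
# to log: a client sending "administrator" is itself a signal worth seeing.
def filter_attributes(attrs, allowed)
  attrs = attrs.is_a?(Hash) ? attrs : {}
  permitted = attrs.select { |k, _| allowed.include?(k) }
  rejected  = attrs.keys - allowed
  [permitted, rejected]
end

# Minimal stand-in for the model; constructed for this example.
User = Struct.new(:username, :email, :administrator)

# Apply params['user'] to the user. allowed: nil means "no protection",
# which is the vulnerable shape the Rails security guide warns about.
def update_user(user, params, allowed: USER_ACCESSIBLE)
  attrs = params['user'].is_a?(Hash) ? params['user'] : {}
  permitted, rejected = allowed ? filter_attributes(attrs, allowed) : [attrs, []]
  permitted.each do |k, v|
    next unless user.members.include?(k.to_sym)   # unknown columns are ignored
    user[k.to_sym] = v
  end
  rejected
end

# The check a step definition would make: after submitting the body, did the
# protected flag change? Returns true only if the attack reached the model.
def attack_reaches_model?(body, allowed: USER_ACCESSIBLE)
  user = User.new('myuser', 'myuser@example.com', false)
  update_user(user, parse_nested_query(body), allowed: allowed)
  %w[1 true].include?(user.administrator.to_s)
end

if __FILE__ == $0
  # Constructed PUT-via-POST body in the shape of the one in the thread,
  # with the extra key appended.
  body = 'user[username]=myuser&user[email]=myuser%40example.com' \
         '&user[administrator]=1&commit=Update&_method=put'
  p parse_nested_query(body)
  p attack_reaches_model?(body)                 # whitelist on: false
  p attack_reaches_model?(body, allowed: nil)   # no whitelist: true
end
```

Running the file prints the parsed hash (the `administrator` key is present under `"user"`, which is the point of the parser), then `false` for the protected update and `true` for the unprotected one; a Cucumber step can be written as a thin wrapper over `attack_reaches_model?` or, in a real Rails app, over `put` with the extra key in the params hash, asserting the flag is unchanged afterwards.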
