[rspec-users] Testing arbitrary post action parameters
James Byrne
lists at ruby-forum.com
Fri Jan 16 16:58:57 EST 2009
Zach Dennis wrote:
>
>
> The "Then" step ensures that the user is redirected to an access
> denied page. Granted, this doesn't go the granularity you may be
> trying to get at, but knowing you aren't actually getting through to
> the underlying action (by being redirected to the access denied page)
> has worked well for me,
I am already testing for that. What I am trying to accomplish now is to
find a malevolently crafted URL that will trigger the
users_controller/update action with arbitrary contents in the params
hash. Once I have one that "works" then we will code the
model/controller to prevent it.

I have gotten to the point where I believe that the url has to look
somewhat like this:

http://www.example.com/users/2/<some_action>?user[administrator=1]&commit=Update&action=update&_method=put&controller=users

Where some_action is one of account, edit, update or nothing. I cannot
yet determine which is the case.

Regardless, I cannot seem to find a way to push this to the controller
as a POST, which is apparently what the controller needs, from either a
step definition or a browser.
--
Posted via http://www.ruby-forum.com/.
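
The prevention step the message refers to, sketched as an added example that is not part of the original post or of any project's code: a plain-Ruby allow-list filter applied to a nested `user[...]` params hash before an update. The permitted attribute names, the helper names and the sample request body are assumptions constructed for illustration.

```ruby
require "uri"

# Attributes a user may change on their own record (assumed names).
PERMITTED_USER_ATTRS = %w[name email].freeze

# Minimal stand-in for the framework's nested-parameter parsing:
# turns "user[name]=x" into {"user" => {"name" => "x"}}.
def parse_params(query)
  URI.decode_www_form(query).each_with_object({}) do |(key, value), params|
    if (m = key.match(/\A([^\[\]]+)\[([^\[\]]+)\]\z/))
      scope = params[m[1]]
      scope = params[m[1]] = {} unless scope.is_a?(Hash)
      scope[m[2]] = value
    else
      params[key] = value
    end
  end
end

# Allow-list filter: keep only permitted keys, report the rest.
def filter_user_params(params)
  submitted = params["user"].is_a?(Hash) ? params["user"] : {}
  allowed, rejected = submitted.partition { |k, _| PERMITTED_USER_ATTRS.include?(k) }
  [allowed.to_h, rejected.map(&:first)]
end

# Hypothetical update action body: applies only the filtered attributes.
def update_user(record, params)
  allowed, rejected = filter_user_params(params)
  warn "rejected attributes: #{rejected.join(', ')}" unless rejected.empty?
  record.merge(allowed)
end

# Constructed request body, shaped like the parameters in the message.
CRAFTED = "user[name]=Mallory&user[administrator]=1&commit=Update&_method=put"
STORED  = { "name" => "Alice", "email" => "alice@example.com", "administrator" => "0" }.freeze

UPDATED = update_user(STORED, parse_params(CRAFTED))
```

A spec for the update action can assert the same two things this block computes: the privileged attribute is unchanged after the request, and the rejected key is reported.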