[rspec-users] Testing arbitrary post action parameters

James Byrne lists at ruby-forum.com
Fri Jan 16 16:58:57 EST 2009

Zach Dennis wrote:
> The "Then" step ensures that the user is redirected to an access
> denied page.  Granted, this doesn't go to the granularity you may be
> trying to get at, but knowing you aren't actually getting through to
> the underlying action (by being redirected to the access denied page)
> has worked well for me,

I am already testing for that.  What I am trying to accomplish now is to 
find a malevolently crafted URL that will trigger the 
users_controller/update action with arbitrary contents in the params 
hash.  Once I have one that "works" then we will code the 
model/controller to prevent it.

I have gotten to the point where I believe that the URL has to look 
somewhat like this:


Where some_action is one of account, edit, update or nothing. I cannot 
yet determine which is the case.

Regardless, I cannot seem to find a way to push this to the controller 
as a POST, which is apparently what the controller needs, from either a 
step definition or a browser.