[rspec-users] Testing arbitrary post action parameters

James Byrne lists at ruby-forum.com
Fri Jan 16 16:58:57 EST 2009


Zach Dennis wrote:
> The "Then" step ensures that the user is redirected to an access
> denied page.  Granted, this doesn't go to the granularity you may be
> trying to get at, but knowing you aren't actually getting through to
> the underlying action (by being redirected to the access denied page)
> has worked well for me,


I am already testing for that.  What I am trying to accomplish now is to 
find a malevolently crafted URL that will trigger the 
users_controller/update action with arbitrary contents in the params 
hash.  Once I have one that "works" then we will code the 
model/controller to prevent it.

I have gotten to the point where I believe that the URL has to look 
somewhat like this:

   http://www.example.com/users/2/<some_action>?user[administrator=1]&commit=Update&action=update&_method=put&controller=users

Where some_action is one of account, edit, update or nothing. I cannot 
yet determine which is the case.

Regardless, I cannot seem to find a way to push this to the controller 
as a POST, which is apparently what the controller needs, from either a 
step definition or a browser.
-- 
Posted via http://www.ruby-forum.com/.
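
An added example, not part of the original message or the poster's application: a plain-Ruby sketch of the model/controller-side check the message is working towards, in which an allow-list drops `user[administrator]` before anything is assigned. The `User` class, `PERMITTED_USER_ATTRS`, the helper names and the sample request body are all constructed for illustration.

```ruby
require "uri"

# Constructed sample body: carries a field the edit form never offers.
SAMPLE_BODY = "user[email]=new%40example.com&user[administrator]=1&commit=Update&_method=put"

# Hypothetical stand-in for the ActiveRecord model discussed in the thread.
class User
  attr_accessor :email, :administrator

  def initialize(email:, administrator: false)
    @email = email
    @administrator = administrator
  end

  # Unsafe on its own: assigns every submitted key, like an unprotected
  # update_attributes call fed the raw params hash.
  def assign_all(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Attributes a user may change on their own record (assumed list).
PERMITTED_USER_ATTRS = %w[email].freeze

# Parse "a[b]=c&d=e" into {"a" => {"b" => "c"}, "d" => "e"} (one nesting level).
def parse_params(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), params|
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

# Split submitted user attributes into allow-listed pairs and rejected key names.
def filter_user_params(params)
  submitted = params.fetch("user", {})
  allowed, rejected = submitted.partition { |key, _| PERMITTED_USER_ATTRS.include?(key) }
  [allowed.to_h, rejected.map(&:first)]
end

# Hardened update path: only filtered attributes reach the model.
# Returns the rejected key names so the attempt can be logged or asserted on.
def safe_update(user, body)
  allowed, rejected = filter_user_params(parse_params(body))
  user.assign_all(allowed)
  rejected
end
```

A spec can then assert on the model state after the request, not just on the redirect: the `administrator` flag must be unchanged and the rejected key list must name it.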