[rspec-users] How should you make sure the user is not authenticated

Stephen Eley sfeley at gmail.com
Mon Jul 27 13:44:20 EDT 2009

On Mon, Jul 27, 2009 at 12:39 PM, Marcelo de Moraes
Serpa<celoserpa at gmail.com> wrote:
> So, it is not a matter of "checking the user is not authenticated",
> but of "setting the ground and making sure the user is not
> authenticated", which of course, means logging out the user on this
> given step to make sure it is really not-authenticated.

Yes, but POSTing to a logout action seems like overkill.  If a Web
request to a controller action is strictly required, your controllers
are probably doing too much.

The right answer depends on what "authentication" means in the context
of your app.  In most modern Rails authentication solutions there's a
concept of a session, and logging out means getting rid of that
session.  I like AuthLogic because it's simple; the session itself is
a model, and you can treat it as such:

    Given "I am not authenticated" do
      # Destroy the session model directly; skip if no session exists
      current_session.destroy if current_session
    end

Tweak based on whatever methods/helpers/etc. you're using to track the
current session.  In restful_authentication, there's a
logout_killing_session! method in the library file, which wraps some
loose code to forget cookies and such.

Have Fun,
   Steve Eley (sfeley at gmail.com)
   ESCAPE POD - The Science Fiction Podcast Magazine
