tags:

views:

583

answers:

2
+1  Q: 

How to best write an RSpec custom matcher to test access control in a Rails app

OK, so instead of writing a whole bunch of access control specs, and duplicating them across many of my spec files, I'm looking to create a custom matcher. So instead of this:

describe "access control" do
  it "should prevent access by non-logged-in users"
  it "should prevent access by normal users"
  it "should prevent access by editor users"
  it "should prevent access by admin users"
  it "should allow access by super admin users"
end

I want do something like this:

lambda do
  get :index
end.should have_access_control(:allowed => [:super_admin], :disallowed => [:admin, :editor, :user])

Are there any examples or suggestions of how I can go about doing something like this?

+2  A: 

OK, I have found a method of achieving this, though it doesn't use a custom matcher. Include the following code in your spec_helper.rb:

def access_control (code, options={})
  options = {:allow => [], :disallow => []}.merge(options)

  options[:allow].each do |user|
    it "#{code} should allow #{user.to_s}" do
      login_as(user)
      eval code
      response.should_not redirect_to(login_path)
    end
  end

  options[:disallow].each do |user|
    it "#{code} should disallow #{user.to_s}" do
      login_as(user)
      eval code
      response.should redirect_to(login_path)
    end
  end
end

And call it as follows:

access_control("get :index", {:allow => [:super_admin], :disallow => [:quentin, :admin]})

You can then use it to build up a complete list of methods that should be restricted, and the users to which they are restricted to.

Mr. Matt  2008-10-14 10:03:37
A: 

I disagree with your solution. Tests shouldn't be an area to factor out duplication like this. It makes the tests harder to read and harder to maintain. Also, there's certainly an argument to be made that duplication in tests can inform your design.

In the initial example you listed, there are 5 different contexts that should each be tested in isolation and able to be understood at a glance. Your solution, while neat, harms these two goals.

nakajima  2009-01-01 23:27:58
That's be fine if the function obfuscated the intent of the test, however, the function produces separate test cases for each intent so that, on failure, each failing test is detailed separately.
Mr. Matt  2009-01-11 18:32:11
Furthermore, the function call is far more concise (instead of having six lines per role per action bulking up the spec).
Mr. Matt  2009-01-11 18:32:45

related questions

Is there a rake task for backing up the data in your database?
How to represent cross-model information in MVC?
WYSIWYG editor gem for Rails?
Best Solution For Authentication in Ruby on Rails
Acts-as-readable Rails plugin Issue
Associating source and search keywords with account creation
Any tips on getting Rails to run with an Access back-end?
Being as DRY as possible in a Ruby on Rails App
How Do You Secure database.yml?
What IDE to use for developing in Ruby on Rails on windows?
Is Ruby On Rails ready for the Enterprise?
OpenID authentication in Ruby on Rails
Why Doesn't My Cron Job Work Properly?
Why does sqlite3-ruby-1.2.2 not work on OS X?
Ruby mixins and calling super methods
Why all the Active Record hate?
Haml: how do I set a dymanic class value?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Ruby On Rails with Windows Vista - Best Setup?
What is good forum software to add to an existing Rails application?
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.