
I'm diving into testing frameworks for about the first time, and I have trouble knowing what kind of test to implement for security functionalities. Suppose a basic blog application where only an authorized user can create new posts.

For the "Posts" tests, should the fact that only an authorized user can create a new post be tested by cucumber in a feature, or in rspec with the controller_spec? I know both can be done, but testing that in a cucumber feature seems a bit overkill, doesn't it?

To me, it seems that "Guests should not be able to create new posts" is not a feature but a limitation of the system, so it should not be a cucumber feature but rather an rspec test. In the final application, there won't be a link from the guest pages to the "create post" feature, so what I am really testing is that they don't input the URL /posts/new.

Is my understanding right?


2 Answers


Any user can try to hack your site just by sending raw data to your application. You have to be prepared for that. I recommend a test case where you check that if an unauthorized user tries to create a new post (posts/create) he gets an error screen and no database entry is created. You can check this for the new action too, but it is not an input action, so it is a lesser mistake. Try to cover all actions which can't be used unauthorized, so that no db action happens and the test case results in an error page or something.

Actually the security of the page IS a feature, maybe not the most important one for a blog app, but it matters. And not just for direct attacks: you must expect accidental tries, e.g. someone starts to write a post in one tab, and logs out in another.

The exact method is up to you, I think.

Update: I think you should use an Rspec controller test.

answered 2012-04-24T13:46:47.537
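A plain-Ruby model of the checks this answer describes, added here as an example rather than code from the question or either answer. It assumes a PostsController whose new and create actions require a signed-in session and an in-memory Post table standing in for the database, and it covers both the guest request to posts/create (error status, no row created) and the logged-out-in-another-tab case; in a real Rails app the same assertions belong in an RSpec controller spec.

```ruby
# Plain-Ruby stand-in for the blog's PostsController and Post model,
# constructed for this example (not the asker's application).
class Post
  @@rows = []
  def self.count; @@rows.size; end
  def self.reset!; @@rows.clear; end
  def self.create!(attrs); @@rows << attrs; attrs; end
end
# user_id is nil for a guest; logout! clears it, modelling the
# "started a post in one tab, logged out in another" case.
class Session
  attr_reader :user_id
  def initialize(user_id = nil); @user_id = user_id; end
  def logout!; @user_id = nil; end
  def signed_in?; !@user_id.nil?; end
end

# Actions return an HTTP status. The login guard covers create as well
# as new: a POST can be sent straight to /posts without ever loading the
# form, so guarding only `new` would leave the write action open.
class PostsController
  LOGIN_REQUIRED = %i[new create].freeze
  def initialize(session); @session = session; end
  def dispatch(action, params = {})   # before_action-style check
    return 403 if LOGIN_REQUIRED.include?(action) && !@session.signed_in?
    send(action, params)
  end
  private
  def new(_params); 200; end
  def create(params)
    Post.create!(title: params[:title], author_id: @session.user_id)
    302  # redirect after a successful create
  end
end

# One request against a fresh table: [status, rows created]. In a Rails
# spec this is `post :create` inside `expect { }.not_to change(Post, :count)`.
def attempt_create(session)
  Post.reset!
  [PostsController.new(session).dispatch(:create, title: 'x'), Post.count]
end

def logged_out_tab_attempt
  Post.reset!
  session = Session.new(42)
  controller = PostsController.new(session)
  controller.dispatch(:new)  # form opened while signed in...
  session.logout!            # ...then signed out in another tab
  [controller.dispatch(:create, title: 'x'), Post.count]
end
```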

Personally, I test my controllers with rspec to check user access. I create a couple of users in rspec's before {} with FactoryGirl, then log in with one of them and test that the other users can't access the current user's pages. This may take a bit of work to set up, but it's well worth it if you can test access security while you're creating your pages.

answered 2012-04-24T14:18:04.603