I'm diving into testing frameworks for about the first time, and I have trouble knowing what kind of test to implement for security functionalities. Suppose a basic blog application where only an authorized user can create new posts.
For the "Posts" tests, should the fact that only an authorized user can create a new post be tested by Cucumber in a feature, or in RSpec with the controller_spec? I know both can be done, but testing that in a Cucumber feature seems a bit overkill, doesn't it?
To me, it seems that "Guests should not be able to create new posts" is not a feature but a limitation of the system, so it should not be a Cucumber feature but rather an RSpec test. In the end application, there won't be a link from the guest pages to the "create post" feature, so what I am really testing is that they don't input the URL /posts/new.
Is my understanding right?
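
The check discussed in the question, requesting the URL directly instead of following links, as an added example that is not part of the original post. It is a plain-Ruby, Rack-style stand-in for the posts controller (`BlogApp`, `request_as`, `access_report` and the `app.*` env keys are hypothetical), and it goes slightly beyond the guest case by also covering `POST /posts` and a logged-in user without posting rights.

```ruby
# Constructed stand-in for the blog's posts controller: a Rack-style callable,
# so it runs without Rails, RSpec or Cucumber. All names are hypothetical.
class BlogApp
  PROTECTED = [["GET", "/posts/new"], ["POST", "/posts"]].freeze
  attr_reader :posts

  def initialize
    @posts = []
  end

  # Rack calling convention: env hash in, [status, headers, body] out.
  def call(env)
    route = [env["REQUEST_METHOD"], env["PATH_INFO"]]
    return [404, {}, ["Not Found"]] unless PROTECTED.include?(route)

    # The check runs server-side on every protected route, whether or not
    # any page links to it.
    user = env["app.user"]
    return [302, { "Location" => "/login" }, []] if user.nil?
    return [403, {}, ["Forbidden"]] unless user[:can_post]
    return [200, {}, ["new post form"]] if route.first == "GET"

    @posts << { author: user[:name], title: env["app.title"] }
    [302, { "Location" => "/posts/#{@posts.size}" }, []]
  end
end

# Sends one request as `user` (nil means guest) and keeps what a spec asserts on.
def request_as(app, user, method, path, title: nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path,
          "app.user" => user, "app.title" => title }
  status, headers, _body = app.call(env)
  { status: status, location: headers["Location"] }
end

# Requests the URLs directly, the way a guest typing /posts/new would.
def access_report(app)
  reader = { name: "reader", can_post: false } # logged in, not authorized
  author = { name: "author", can_post: true }
  {
    guest_form: request_as(app, nil, "GET", "/posts/new"),
    guest_create: request_as(app, nil, "POST", "/posts", title: "spam"),
    reader_create: request_as(app, reader, "POST", "/posts", title: "spam"),
    author_form: request_as(app, author, "GET", "/posts/new"),
    author_create: request_as(app, author, "POST", "/posts", title: "Hello"),
    posts_stored: app.posts.size
  }
end

pp access_report(BlogApp.new) if __FILE__ == $PROGRAM_NAME
```

The same five requests map one-to-one onto examples in a controller spec; only the author's `POST` should leave a stored post behind.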