我正在尝试编写一些黄瓜测试以确保正确设置 cancan 权限,但我遇到了一个奇怪的问题:
当我通过以下代码登录时,水豚说我已经按预期登录了。但是,当我转到需要给定登录名的资源时,我收到 CanCan 的“未授权”消息。Capybara 在同一个“拒绝访问”页面上打印出“以 testsuperadmin 身份登录,角色为 superadmin”(所需角色)。
手动访问同一页面,而不是通过黄瓜/水豚,授权被授予并且一切正常。身份验证由设计处理。
我尝试在场景上方添加 @allow-rescue 并将 ActionController::Base.allow_rescue = true 添加到 features/support/env.rb - 两者都没有任何效果。
有什么建议么?这个真的把我难住了。
干杯...
#app/models/ability.rb
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new
if user.role? :superadmin
can :manage, :all
elsif user.role? :admin
can :manage, [Broker, User]
elsif user.role? :staff
can :manage, Broker
elsif user.role? :broker
can :manage, Broker, :user_id => user.id
can :read, Broker
elsif user.role? :customer
can :manage, User, :id => user.id
else can :read, [Broker]
end
end
end
# features/brokers.feature
@allow-rescue
Scenario: Successfully create Broker
Given I am logged in as "testsuperadmin" with password "testpassword"
When I go to the create broker page
Then show me the page # Authorization denied here, but signed in successfully if this line moved between "Given I am logged in" ... and "When I go to to create broker page"
......
# features/steps/devise_steps.rb
Given /^I am logged in as "([^\"]*)" with password "([^\"]*)"$/ do |username, password|
#visit path_to(sign in page)
visit "/users/sign_out"
visit "/users/sign_in"
fill_in("user[username]", :with => username)
fill_in("user[password]", :with => password)
click_button("Sign in")
end
# app/controllers/brokers_controller.rb
class BrokersController < ApplicationController
load_and_authorize_resource
# ...
def new
@broker = Broker.new
respond_to do |format|
format.html # new.html.erb
format.xml { render :xml => @broker }
end
end