Forum: RSpec Where to spec authentication and roles-based permissions?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Doug L. (Guest)
on 2009-05-08 13:44
(Received via mailing list)
Hi -- I'm writing an app that both requires authentication via a logon, and also has roles-based permissions (using acl_system2), and was wondering where to verify that both are happening.
I've started out putting them in a special cucumber feature for authentication & permissions, but this is becoming a real drag, as I'm writing a scenario for each case (anonymous, lacking permissions, permitted) by each controller action.
Can anyone advise me on a better way to organise this?

Would it be possible to write a security feature for each controller, with scenarios for each action? Maybe like this:
  Scenario: Different users trying the index
    Given user is not logged in
    When I go to the controller-a index
    Then I should see "Access Denied"
    Given basic user is logged in
    When I go to the controller-a index
    Then I should see "Insufficient Permissions"
    Given super user is logged in
    When I go to the controller-a index
    Then I should see "Welcome, my lord"

Any advice is very appreciated -- as you can probably tell, this is getting messy!
Cheers,
   Doug.
Matt W. (Guest)
on 2009-05-08 17:19
(Received via mailing list)
On 8 May 2009, at 10:33, doug livesey wrote:

> Hi -- I'm writing an app that both requires authentication via a
> logon, and also has roles-based permissions (using acl_system2), and
> was wondering where to verify that both are happening.
> I've started out putting them in a special cucumber feature for
> authentication & permissions, but this is becoming a real drag, as
> I'm writing a scenario for each case (anonymous, lacking
> permissions, permitted) by each controller action.
> Can anyone advise me on a better way to organise this?

Have you seen Scenario Outlines? I think this is exactly the kind of stuff that should be surfaced in a Cucumber test, but you need to organise your steps to facilitate that. Tools like Scenario Outline really help.

Matt W.
http://blog.mattwynne.net
http://www.songkick.com
Zach D. (Guest)
on 2009-05-08 17:39
(Received via mailing list)
On Fri, May 8, 2009 at 5:33 AM, doug livesey 
<removed_email_address@domain.invalid> wrote:
> scenarios for each action? Maybe like this:
>
> Any advice is very appreciated -- as you can probably tell, this is getting
> messy!

I went down the route of using Scenario Outlines for this, and it still became messy. There are simply too many cases to cover and the tables you build up become long and redundant. After a while they all start to blur together and look alike. I think these kinds of things belong in controller specs, where you can be confident resources are being protected, but you can also extract out nice little macros. For example, you might end up with:

describe PeopleController, "GET index" do
  should_allow_logged_in_access_to :superuser
end

You could use a convention of the controller description to determine the method and the action to hit, or you could parametrize your macro:

    should_allow_logged_in_access_to :get, :index, :roles => [:superuser]

I'd recommend not specifying the roles that are denied, since if you added one you'd potentially have to change every controller spec in your app. Rather, I'd have the macro try a non-allowed role to ensure it didn't work for other roles.

In the Rails Controllers chapter in The RSpec Book there is a section on extracting out a should_require_login macro which walks step by step through the same technique I'd use for writing the macro you want.


> Cheers,
>    Doug.
>
--
Zach D.
http://www.continuousthinking.com (personal)
http://www.mutuallyhuman.com (hire me)
@zachdennis (twitter)
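The access macro Zach describes above, modelled as an added example in plain Ruby rather than RSpec so it runs without the framework. This is not Zach's code or anything from the thread; `FakeController`, `access_cases`, `verify_access` and the role names are invented for illustration. The macro takes only the roles that should be allowed and derives the rest itself: the anonymous case, one "welcome" case per allowed role, and one automatically chosen role that is not allowed, so adding a new role to the app never forces edits to every controller spec. It also stands in for the role-by-outcome table a Scenario Outline (Matt's suggestion) would otherwise hold.

```ruby
# Added example, not from the thread: a plain-Ruby model of an
# "allowed roles" access macro. All names here are hypothetical.

# Stand-in for a Rails controller that enforces login and role checks.
# Outcome strings mirror the messages in Doug's original scenario.
class FakeController
  # rules: action => list of roles allowed to reach that action
  def initialize(rules)
    @rules = rules
  end

  # user is nil for an anonymous request, or a Hash like { role: :basic }
  def dispatch(action, user)
    return "Access Denied" if user.nil?
    allowed = @rules.fetch(action, [])
    return "Insufficient Permissions" unless allowed.include?(user[:role])
    "Welcome, #{user[:role]}"
  end
end

# Every role the application knows about (constructed for the example).
ALL_ROLES = %i[basic editor superuser].freeze

# The "macro": from an action and its allowed roles, build the full list of
# [action, user, expected_outcome] cases. Denied roles are never listed by
# the caller; one is picked from ALL_ROLES so a widening of the rule set
# (a role that should not get in but does) is still caught.
def access_cases(action, allowed_roles, all_roles = ALL_ROLES)
  cases = [[action, nil, "Access Denied"]]
  allowed_roles.each do |role|
    cases << [action, { role: role }, "Welcome, #{role}"]
  end
  denied = (all_roles - allowed_roles).first
  cases << [action, { role: denied }, "Insufficient Permissions"] if denied
  cases
end

# Run the cases against a controller and return the mismatches
# (empty when every expectation holds).
def verify_access(controller, cases)
  cases.each_with_object([]) do |(action, user, expected), failures|
    got = controller.dispatch(action, user)
    next if got == expected
    failures << { action: action, user: user, expected: expected, got: got }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Correctly configured: only superusers may list people.
  people = FakeController.new(index: [:superuser])
  puts "index ok: #{verify_access(people, access_cases(:index, [:superuser])).empty?}"

  # Misconfigured: basic users were accidentally granted index access.
  leaky = FakeController.new(index: %i[superuser basic])
  verify_access(leaky, access_cases(:index, [:superuser])).each do |f|
    puts "FAIL #{f[:action]} as #{f[:user].inspect}: expected #{f[:expected].inspect}, got #{f[:got].inspect}"
  end
end
```

In a real spec the equivalent of `access_cases` would be a macro that defines one `it` block per case, but the shape is the same: the spec names only what is permitted, and the macro supplies the anonymous and not-permitted probes.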
James B. (Guest)
on 2009-05-11 17:24
Doug L. wrote:
> Hi -- I'm writing an app that both requires authentication via a logon,
> and also has roles-based permissions (using acl_system2), ...

I am at the point where a more complete authorisation system is required
and I was wondering what others here would suggest for implementation.
I am looking at both acl9 and declarative_authorization.  However, if
there are any alternatives to these that people feel strongly about I
would like to hear of them.

I am leaning towards declarative_authorization but acl9 seems very
attractive as well.  Any comments on either of these or alternatives?