TestingRoleRequirement  
Updated Feb 4, 2010 by timchar...@gmail.com

Overview

Adding functional tests to your controllers to test your authentication is easy and powerful with the RoleRequirementTestHelper.

RoleRequirement uses a special "hijacking" approach to test your controllers as accurately as possible. It removes the target controller action, sets it aside, and puts its own "stub" method in its place. It then executes the request right through the controller using "get" and checks whether the action's code was actually called. After the test, it puts the original method back in place, leaving everything as it was.

This approach to testing provides a more realistic and reliable method of telling whether or not your controller security is working.
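
The hijacking technique described above, reduced to plain Ruby as an added example (this is not the plugin's own code). ToyListingsController, its process method standing in for "get", and action_reached? are hypothetical names, and the two users are constructed sample data.

```ruby
# Toy stand-in for a Rails controller; every name here is hypothetical.
class ToyListingsController
  attr_accessor :current_user

  # Stand-in for `get`: run the role check (the before-filter), then the action.
  def process(action)
    return :access_denied unless authorized?(action)
    public_send(action)
    :ok
  end

  def index;   :real_index;   end
  def destroy; :real_destroy; end   # imagine this deletes a listing

  private

  def authorized?(action)
    required = { "destroy" => "admin" }[action.to_s]
    required.nil? || current_user[:roles].include?(required)
  end
end

# Constructed sample users, mirroring the :admin and :quentin fixtures.
ADMIN   = { name: "admin",   roles: ["admin"] }
QUENTIN = { name: "quentin", roles: [] }

# Swap the action for a stub, send the request, and report whether the stub
# ran. The real action body never executes, and `ensure` always restores it.
def action_reached?(controller_class, action, user)
  original = controller_class.instance_method(action)
  called = false
  controller_class.send(:define_method, action) { called = true }
  controller = controller_class.new
  controller.current_user = user
  controller.process(action)
  called
ensure
  controller_class.send(:define_method, action, original) if original
end

if __FILE__ == $PROGRAM_NAME
  [[ADMIN, :destroy], [QUENTIN, :destroy], [QUENTIN, :index]].each do |user, action|
    puts "#{user[:name]} -> #{action}: reached=#{action_reached?(ToyListingsController, action, user)}"
  end
end
```

Because the check is "did the request get past the filter and into the action", a destructive action such as destroy can be tested for both allowed and denied users without its body ever running.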

Steps

  • Include both of the following in your test_helper.rb file:

        require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
        require 'test_help'

        class Test::Unit::TestCase
          # ...
          include AuthenticatedTestHelper      # You may have already included this
          include RoleRequirementTestHelper
          # ...
        end

  • Add and create fixtures :users, :roles, and :roles_users (if you are not using a separate roles table, you can ignore :roles and :roles_users in the rest of these examples). Click here for an example
  • Include all user and/or role fixtures in your test controller:

        class Admin::ListingsControllerTest < Test::Unit::TestCase
          fixtures :users, :roles, :roles_users
          # ...
        end

  • Start using the assertions
    • Here are some examples:

          # :quentin is the label for a fixture in users.yml, with no admin access
          assert_user_can_access(:quentin, "index")
          assert_user_cant_access(:quentin, "destroy", :listing_id => 1)

          # :admin is a user as well, but has the "admin" role.
          assert_user_can_access(:admin, "destroy", :listing_id => 1)

    • Here's a more DRY approach:

          assert_users_access(
            {:admin => true, :quentin => false},   # admin can access, but quentin can't
            "destroy",                             # test the destroy action
            :listing_id => 1                       # in each test, pass listing_id = 1 to params
          )

Comment by sean.sch...@gmail.com, Aug 7, 2007

should read fixtures :users, :roles, :roles_users

Comment by project member timchar...@gmail.com, Aug 9, 2007

good catch, thanks.

Comment by briankl...@gmail.com, Nov 9, 2007

Tim,

I installed this in an app where we have 'UserAccount' instead of 'User'. Your code is looking for 'current_user', but AuthenticatedSystem is using 'current_user_account' for the current user.

I fixed this with the following hack in ApplicationController:

    def current_user
      current_user_account
    end

Please update your code for non-standard installations by changing the method call in RoleRequirement to match the "user" class name or generate my hack above into ApplicationController.

Otherwise, good job!

Comment by Craig.Bu...@gmail.com, Apr 27, 2008

Has anyone done testing of RoleRequirement with RSpec?

Comment by jacksene...@gmail.com, Jan 8, 2010

I found a strange quirk that cost me several hours today... I'm using the role_requirement and restful_authentication plugins together. In one particular functional test file, when I called "login_as :admin", it failed because the admin user didn't seem to have the admin role. I discovered this was because I was unnecessarily including the :roles and :roles_users fixtures, when all I needed was :users. Strangely, it worked just fine when I ran the test file by itself, and only complained when I ran it with other test files that included the :users fixture.

Comment by dimianst...@gmail.com, May 4, 2010

>> Has anyone done testing of RoleRequirement with RSpec?

    @current_user = mock_model(User, :id => 1)
    controller.stub!(:current_user).and_return(@current_user)
    @current_user.stub(:has_role?).and_return(true)
