Updated Aug 09, 2007 by timcharper
TestingRoleRequirement  

Overview

Adding functional tests to your controllers to check your authentication is easy and powerful with the RoleRequirementTestHelper.

RoleRequirement uses a special "hijacking" approach to test your controllers, to provide the most accurate testing. It removes the target controller action, sets it aside, and puts its own "stub" method in its place. Then it executes the request right through the controller using "get", to check whether the action's code was actually reached or not. After the test, it puts the original method back in place and restores everything as it was.

This approach to testing provides a more realistic and reliable method of telling whether or not your controller security is working.

Steps

  • Include both of the following in your test_helper.rb file:

        require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
        require 'test_help'

        class Test::Unit::TestCase
        ...
          include AuthenticatedTestHelper      # You may have already included this
          include RoleRequirementTestHelper
        ...
        end

  • Add and create fixtures :users, :roles, and :roles_users (if you are not using a separate roles table, you can ignore :roles and :roles_users in the rest of these examples).
  • Include all user and/or role fixtures in your controller test:

        class Admin::ListingsControllerTest < Test::Unit::TestCase
          fixtures :users, :roles, :roles_users
        ...

        end

  • Start using the assertions. Here are some examples:

        # :quentin is the label for a fixture in users.yml, with no admin access
        assert_user_can_access(:quentin, "index")
        assert_user_cant_access(:quentin, "destroy", :listing_id => 1)

        # :admin is a user as well, but has the "admin" role.
        assert_user_can_access(:admin, "destroy", :listing_id => 1)

    Here's a more DRY approach:

        assert_users_access(
          {:admin => true, :quentin => false},   # admin can access, but quentin can't
          "destroy",                             # test the destroy action
          :listing_id => 1                       # in each test, pass listing_id = 1 to params
        )
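To make the "hijacking" mechanism from the Overview and the assertions above concrete, here is a small Rails-free model of it. This is an added illustration, not the plugin's own code: the ListingsController, USERS table, ACCESS map and action_reached? helper are all assumptions made for the example, and the assert_* functions only mirror the shape of the real helper's assertions. The point it shows is why the swap-and-restore approach is reliable: the stub is reached only if the role check in front of the action lets the request through, and the real action is put back afterwards so later tests are unaffected.

```ruby
# Added example (not RoleRequirement's code): a minimal model of how a
# "hijacked" action tells whether controller authorization actually blocks a request.
require 'set'

# Constructed stand-ins for the :users / :roles fixtures.
USERS = {
  quentin: { roles: Set.new },            # no admin role
  admin:   { roles: Set.new([:admin]) },  # has the "admin" role
}

# Toy controller: a role check runs before every action, as a before_filter would.
class ListingsController
  ACCESS = { 'index' => nil, 'destroy' => :admin }  # role required per action (assumed)

  attr_reader :params, :status

  def initialize(user, params = {})
    @user, @params, @status = user, params, 200
  end

  def index;   @status = 200; 'listing'; end
  def destroy; @status = 200; "destroyed #{params[:listing_id]}"; end

  # Dispatch the way the framework would: authorize first, then call the action.
  def process(action)
    required = ACCESS.fetch(action)
    if required && !@user[:roles].include?(required)
      @status = 403      # denied before the action body is ever reached
      return nil
    end
    send(action)
  end
end

# The hijack: set the real action aside, install a stub that records whether it
# was reached, run the request, then restore the original method unconditionally.
def action_reached?(controller_class, user_label, action, params = {})
  reached = false
  original = controller_class.instance_method(action)
  controller_class.send(:define_method, action) { reached = true; @status = 200; nil }
  begin
    controller_class.new(USERS.fetch(user_label), params).process(action)
  ensure
    controller_class.send(:define_method, action, original)   # put the real action back
  end
  reached
end

def assert_user_can_access(user, action, params = {})
  raise "#{user} should be able to access #{action}" unless action_reached?(ListingsController, user, action, params)
  true
end

def assert_user_cant_access(user, action, params = {})
  raise "#{user} should NOT be able to access #{action}" if action_reached?(ListingsController, user, action, params)
  true
end

# Table-driven form, mirroring the shape of assert_users_access.
def assert_users_access(expectations, action, params = {})
  expectations.each do |user, allowed|
    allowed ? assert_user_can_access(user, action, params) : assert_user_cant_access(user, action, params)
  end
  true
end

if __FILE__ == $0
  assert_user_can_access(:quentin, 'index')
  assert_user_cant_access(:quentin, 'destroy', listing_id: 1)
  assert_users_access({ admin: true, quentin: false }, 'destroy', listing_id: 1)
  puts 'all access checks passed'
end
```

Note that the restore happens in an `ensure` block: if the request raises, the stub is still removed, which is what keeps a failing test from silently turning the real action into a no-op for every test that follows.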

Comment by sean.schofield, Aug 07, 2007

should read fixtures :users, :roles, :roles_users

Comment by timcharper, Aug 09, 2007

good catch, thanks.

Comment by brianklong, Nov 09, 2007

Tim,

I installed this in an app where we have 'UserAccount' instead of 'User'. Your code is looking for 'current_user', but AuthenticatedSystem is using 'current_user_account' for the current user.

I fixed this with the following hack in ApplicationController:

    def current_user
      current_user_account
    end

Please update your code for non-standard installations by changing the method call in RoleRequirement to match the "user" class name or generate my hack above into ApplicationController.

Otherwise, good job!

Comment by Craig.Buchek, Apr 27, 2008

Has anyone done testing of RoleRequirement with RSpec?
