I have a bit of a question on how people are organizing their controller
specs, once you take user roles into account. I'm not entirely sure that
I've found a way to do it that feels "natural" to me.

So, say I've got a controller that I want to ensure is locked down to a
particular set of users. I can't decide how to layer the
describes/contexts:

    describe PostsController do
      context "as a normal user" do
        before { logged_in }

        describe "POST create" do
          it "is forbidden" do
            post :create, :post => {}
            response.should be_forbidden
          end
        end

        # ... Other specs ....
      end

      context "as an editor" do
        before { logged_in.with_role :editor }

        describe "POST create" do
          # ...
        end
      end
    end

This is the direction that the flow of the language seems right to me, when
it's dumped in the specdocs -- "PostsController, as a normal user POST
create is forbidden", but from another standpoint, it breaks up the
specification of a single method into a couple of different locations in the
file, and may require duplicating quite a bit of setup.

How does everyone else deal with this?

--
// anything worth taking seriously is worth making fun of
// http://blog.devcaffeine.com/

Chris Flipse wrote:
> I have a bit of a question on how people are organizing their controller
> specs, once you take user roles into account. I'm not entirely sure
> that I've found a way to do it that feels "natural" to me.

<snip />

> This is the direction that the flow of the language seems right to me,
> when it's dumped in the specdocs -- "PostsController, as a normal user
> POST create is forbidden", but from another standpoint, it breaks up the
> specification of a single method into a couple of different locations in
> the file, and may require duplicating quite a bit of setup.
>
> How does everyone else deal with this?

I tend to organize these specs by permissions, not roles. Instead of
checking what a normal user can do or an editor can do, I simply assume that
everyone can create a post (no spec required) except those who should not be
permitted, for which I write a spec. All my authorization specs are of the
form "<role> is not permitted to do <action>" and I organize them by action.

--
J. B. Rainsberger :: http://www.jbrains.ca ::
http://www.thecodewhisperer.com
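
An added example, not code from either poster: the by-action layout discussed in this thread, written as a table-driven check in plain Ruby so it runs without Rails or RSpec. FakePostsController, ROLES, NOT_PERMITTED and both helper methods are hypothetical names; the check also asserts that roles absent from an action's list are not refused.

```ruby
# Added example; all names here are hypothetical stand-ins.
# Stand-in for a controller: each action returns an HTTP status for the role.
class FakePostsController
  def initialize(role)
    @role = role
  end

  def index
    200
  end

  def create
    %i[editor admin].include?(@role) ? 201 : 403
  end

  def destroy
    @role == :admin ? 204 : 403
  end
end

ROLES = %i[normal editor admin].freeze

# One entry per action, listing the roles that must be refused.
NOT_PERMITTED = {
  index:   [],
  create:  %i[normal],
  destroy: %i[normal editor]
}.freeze

# Exercise every role against every action. A row is ok when listed roles
# get 403 and every other role gets anything but 403.
def authorization_report(controller_class)
  NOT_PERMITTED.flat_map do |action, denied|
    ROLES.map do |role|
      status = controller_class.new(role).public_send(action)
      forbidden = (status == 403)
      { action: action, role: role, status: status,
        ok: forbidden == denied.include?(role) }
    end
  end
end

# Specdoc-style lines, grouped by action.
def specdoc(report)
  report.map do |r|
    verdict = r[:status] == 403 ? "is not permitted to" : "may"
    "#{r[:ok] ? 'PASS' : 'FAIL'}: #{r[:role]} #{verdict} #{r[:action]}"
  end
end

puts specdoc(authorization_report(FakePostsController)) if __FILE__ == $PROGRAM_NAME
```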