rspec users - May 2009 - Where to spec authentication and roles-based permissions?

On 8 May 2009, at 10:33, doug livesey wrote:
> Hi -- I''m writing an app that both requires authentication via a  
> logon, and also has roles-based permissions (using acl_system2), and  
> was wondering where to verify that both are happening.
> I''ve started out putting them in a special cucumber feature for  
> authentication & permissions, but this is becoming a real drag, as  
> I''m writing a scenario for each case (anonymous, lacking  
> permissions, permitted) by each controller action.
> Can anyone advise me on a better way to organise this?
Have you seen Scenario Outlines? I think this is exactly kind of stuff  
that should be surfaced in a Cucumber test, but you need to organise  
your steps to facilitate that. Tools like Scenario Outline really help.

Matt Wynne
http://blog.mattwynne.net
http://www.songkick.com

On Fri, May 8, 2009 at 5:33 AM, doug livesey <biot023 at gmail.com>
wrote:
> Hi -- I''m writing an app that both requires authentication via a
logon, and
> also has roles-based permissions (using acl_system2), and was wondering
> where to verify that both are happening.
> I''ve started out putting them in a special cucumber feature for
> authentication & permissions, but this is becoming a real drag, as
I''m
> writing a scenario for each case (anonymous, lacking permissions,
permitted)
> by each controller action.
> Can anyone advise me on a better way to organise this?
>
> Would it be possible to write a security feature for each controller, with
> scenarios for each action? Maybe like this:
> ? Scenario: Different users trying the index
> ? ? Given user is not logged in
> ? ? When I go to the controller-a index
> ? ? Then I should see "Access Denied"
> ? ? Given basic user is logged in
> ??? When I go to the controller-a index
> ? ? Then I should see "Insufficient Permissions"
> ??? Given super user is logged in
> ? ? When I go to the controller-a index
> ??? Then I should see "Welcome, my lord"
>
> Any advice is very appreciated -- as you can probably tell, this is getting
> messy!
I went down the route of using Scenario Outlines for this, and it
still became messy. There are simply too many cases to cover and the
tables you build up become long and redundant. After a while they all
look start to blur together and look alike. I think these kind of
things belong in controller specs where you can be confident resources
are being protected, but you can also extract out nice little macros.
For example, you might end up with:

desribe PeopleController, "GET index" do
   should_allow_logged_in_access_to :superuser
end

You could use a convention of the controller description to determine
the method and the action to hit, or you could parametrize your macro:

    should_allow_logged_in_access_to :get, :index, :roles => [:superuser]

I''d recommend not specifying the roles that are denied since if you
had one you''d have to do potentially change every controller spec in
your app. Rather I''d have the macro try a non-allowed role to ensure
it didn''t work for other roles.

In the Rails Controllers chapter in The RSpec Book there is a section
on extracting out a should_require_login macro which walks through
step by step the same technique I''d use for writing the macro you
want.

> Cheers,
> ?? Doug.
>
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
>


-- 
Zach Dennis
http://www.continuousthinking.com (personal)
http://www.mutuallyhuman.com (hire me)
@zachdennis (twitter)

Doug Livesey wrote:
> Hi -- I''m writing an app that both requires authentication via a
logon,
> and also has roles-based permissions (using acl_system2), ...
I am at the point where a more complete authorisation system is required 
and I was wondering what others here would suggest for implementation. 
I am looking at both acl9 and declarative_authorization.  However, if 
there are any alternatives to these that people feel strongly about I 
would like to hear of them.

I am leaning towards declarative_authorization but acl9 seems very 
attractive as well.  Any comments on either of these or alternatives?
-- 
Posted via http://www.ruby-forum.com/.