Marcelo de Moraes Serpa
2009-Jul-27 16:39 UTC
[rspec-users] How should you make sure the user is not authenticated
Hey list!

Let's say I have a user story for authentication/login.

I have seen many cucumber scenarios like this:

    Scenario: User logs in successfully

      Given I am not authenticated
      When I go to the login page
      ...

From what I have seen, the Given steps that check that the user is not authenticated simply post to a logout action. I have seen others, such as directly checking the session for the user id, even though IMHO it is not best practice, since the Given steps are for setting state for the rest of the steps (right?), and this would simply check for something, and the test would break if so.

So, it is not a matter of "checking the user is not authenticated", but of "setting the ground and making sure the user is not authenticated", which of course, means logging out the user on this given step to make sure it is really not-authenticated. The only thing I think could go wrong is that some log-out algorithms could fail if you try to log out when already logged out.

Anyway, just sharing my thoughts, would love to know what others in the list think about that,

Marcelo.
Stephen Eley
2009-Jul-27 17:44 UTC
[rspec-users] How should you make sure the user is not authenticated
On Mon, Jul 27, 2009 at 12:39 PM, Marcelo de Moraes Serpa <celoserpa at gmail.com> wrote:
>
> So, it is not a matter of "checking the user is not authenticated",
> but of "setting the ground and making sure the user is not
> authenticated", which of course, means logging out the user on this
> given step to make sure it is really not-authenticated.

Yes, but POSTing to a logout action seems like overkill. If a Web request to a controller action is strictly required, your controllers are probably doing too much.

The right answer depends on what "authentication" means in the context of your app. In most modern Rails authentication solutions there's a concept of a session, and logging out means getting rid of that session. I like AuthLogic because it's simple; the session itself is a model, and you can treat it as such:

    Given "I am not authenticated" do
      current_session.destroy if current_session
    end

Tweak based on whatever methods/helpers/etc. you're using to track the current session. In restful_authentication, there's a logout_killing_session! method in the library file, which wraps some loose code to forget cookies and such.

--
Have Fun,
Steve Eley (sfeley at gmail.com)
ESCAPE POD - The Science Fiction Podcast Magazine
http://www.escapepod.org
Matt Wynne
2009-Jul-28 08:38 UTC
[rspec-users] How should you make sure the user is not authenticated
On 27 Jul 2009, at 17:39, Marcelo de Moraes Serpa wrote:
> Hey list!
>
> Let's say I have a user story for authentication/login.
>
> I have seen many cucumber scenarios like this:
>
> Scenario: User logs in successfully
>
> Given I am not authenticated
> When I go to the login page
> ...
>
> From what I have seen, the Given steps that check that the user is
> not authenticated simply post to a logout action. I have seen others,
> such as directly checking the session for the user id, even though
> IMHO it is not best practice, since the Given steps are for setting
> state for the rest of the steps (right?), and this would simply check
> for something, and the test would break if so.
>
> So, it is not a matter of "checking the user is not authenticated",
> but of "setting the ground and making sure the user is not
> authenticated", which of course, means logging out the user on this
> given step to make sure it is really not-authenticated. The only thing
> I think could go wrong is that some log-out algorithms could fail if
> you try to log out when already logged out.
>
> Anyway, just sharing my thoughts, would love to know what others in
> the list think about that,

My equivalent step is implemented like this:

    Given /I am not logged in/ do
      # of course you're not logged in!
    end

Don't forget the session is thrown away for each scenario, so if you're starting a new scenario you won't be logged in, by default.

cheers,
Matt

+447974 430184
matt at mattwynne.net
http://mattwynne.net
Marcelo de Moraes Serpa
2009-Jul-28 15:02 UTC
[rspec-users] How should you make sure the user is not authenticated
> My equivalent step is implemented like this:
>
> Given /I am not logged in/ do
>   # of course you're not logged in!
> end
>
> Don't forget the session is thrown away for each scenario, so if you're
> starting a new scenario you won't be logged in, by default.
>
> cheers,
> Matt

Thank you all for the replies!

@Stephen: Thanks for the tip, this seems like a good approach.

@Matt: Unless you have a background scenario that logs in the user for whatever reason :) But yeah, I was thinking to do something like this.

Thanks,

Marcelo.
r_j_h_box-sf at yahoo.com
2009-Jul-28 19:18 UTC
[rspec-users] How should you make sure the user is not authenticated
----- Original Message ----
> From: Matt Wynne <matt at mattwynne.net>
>
> Don't forget the session is thrown away for each scenario, so if you're starting
> a new scenario you won't be logged in, by default.

I wonder if that is true also when Webrat/Selenium or Celerity is involved?

Randy
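
An added example, not part of any message in this thread and not code from Cucumber, AuthLogic or restful_authentication: a self-contained Ruby sketch contrasting a Given that only checks the precondition with one that sets it, covering both the already-logged-out case and a Background that logged the user in. `FakeSessionStore` and every method name below are hypothetical stand-ins constructed for the illustration.

```ruby
# Constructed stand-in for an application's session store (hypothetical).
class FakeSessionStore
  attr_reader :destroy_calls

  def initialize
    @current = nil
    @destroy_calls = 0
  end

  def log_in(user_id)
    @current = { user_id: user_id }
  end

  def current_session
    @current
  end

  # Strict logout: raises when nobody is logged in, modelling the
  # "logout fails if already logged out" concern raised in the thread.
  def destroy!
    raise "no active session" if @current.nil?
    @destroy_calls += 1
    @current = nil
  end
end

# State-setting Given: guarantees the precondition and is safe to repeat.
def ensure_not_authenticated(store)
  store.destroy! if store.current_session
  store.current_session.nil?
end

# Assertion-style Given: only checks, so it fails after a Background login.
def assert_not_authenticated(store)
  raise "user #{store.current_session[:user_id]} is logged in" if store.current_session
  true
end

def run_scenario(background_logs_in:)
  store = FakeSessionStore.new            # fresh session for each scenario
  store.log_in(42) if background_logs_in  # constructed user id
  checked = begin
    assert_not_authenticated(store)
  rescue RuntimeError
    false
  end
  ensured = ensure_not_authenticated(store)
  ensured_again = ensure_not_authenticated(store) # guarded, so no raise
  { checked: checked, ensured: ensured && ensured_again, destroys: store.destroy_calls }
end
```
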