Reputation: 1429
I just updated a Rails app bundle from capybara 2.0.0.beta2 to the current 2.0.1 version. (Just happened to be on the beta still.) I also updated RSpec from 2.11.0 to 2.12.0 to be compatible with some changes to how url helpers are included.
Before this update I had a few tests verifying things like non-admin users not being able to create new users and similar permission/form hacking basics. I also have specs to verify that mass assignment attacks are covered. It was fairly easy and worked well but is now broken for me.
    context "non-admin users can" do
      before(:each) do
        login_as_user
      end

      it "Not create new users" do
        page.driver.post users_path, { :params => {
          user_name: "user1",
          user_email: "[email protected]",
          user_password: "124mgldkg3",
          user_role: "user"
        } }
        page.status_code.should be 302
      end
    end
It statements that only try to go (visit) somewhere unauthorised work just fine, but I can no longer do a manipulated post of a form that this kind of user should not be allowed to post. I now get a 404 for any and all of these requests.
I am not at all sure what has changed in Capybara and/or RSpec. It could certainly be some small detail that causes my request to "fall out of context". What it looks like is that the request is performed without the same session and request context as visits and form posts.
I'd like to:
I haven't found a replacement technique. I started down the Rack::Test path but then I am definitely back at square 1 without a login or a session... which to me indicated that there probably is some way to check these common hacking attempts without manually setting up all the session context stuff Capybara handles for me.
Upvotes: 3
Views: 623
Reputation: 1429
After digging in Capybara's internals I found that the current working way to perform a custom post request is to do the following:
    context "User class users can" do
      before(:each) do
        login_as_user
      end

      it "Not create new users" do
        page.driver.browser.reset_host! # just to be safe
        page.driver.browser.process(:post, users_path, { params: {
          user_name: "user1",
          user_email: "[email protected]",
          user_password: "124mgldkg3",
          user_role: "user"
        }})
        page.status_code.should be 302
      end
    end
This is equivalent in behaviour to my original code (above in the question).
Upvotes: 3
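The session context discussed in this thread, as an added example that is not code from either post: a forged POST only exercises the permission check when it carries the cookie set at login, and the check is verified by redirect target and record count as well as status. The Rack-style app, the `/login` and `/users` paths, the accounts, and the `Client` and `forged_create` names are constructed assumptions, not Capybara's API.

```ruby
require "securerandom"
require "stringio"
require "uri"

ACCOUNTS = { "alice" => "admin", "bob" => "user" } # constructed sample accounts
SESSIONS = {} # session id => role, kept server-side
USERS    = [] # records created through POST /users

# Constructed stand-in for the app under test (a Rack app is just a callable).
APP = lambda do |env|
  form = URI.decode_www_form(env["rack.input"].read).to_h
  role = SESSIONS[env["HTTP_COOKIE"].to_s[/sid=(\h+)/, 1]]
  case [env["REQUEST_METHOD"], env["PATH_INFO"]]
  when ["POST", "/login"]
    sid = SecureRandom.hex(8)
    SESSIONS[sid] = ACCOUNTS.fetch(form["name"])
    [302, { "location" => "/", "set-cookie" => "sid=#{sid}" }, []]
  when ["POST", "/users"]
    # Server-side authorization, then a field allowlist: "role" is never mass-assigned.
    return [302, { "location" => "/login" }, []] unless role == "admin"
    USERS << form.slice("user_name", "user_email").merge("role" => "user")
    [302, { "location" => "/users" }, []]
  else
    [404, {}, []]
  end
end

# Client that carries the session cookie from one request to the next.
class Client
  def initialize(app)
    @app, @cookie = app, nil
  end

  def post(path, params = {})
    env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => path,
            "rack.input" => StringIO.new(URI.encode_www_form(params)) }
    env["HTTP_COOKIE"] = @cookie if @cookie
    status, headers, = @app.call(env)
    @cookie = headers["set-cookie"] || @cookie
    [status, headers["location"]]
  end
end

# Forged POST /users; returns [status, redirect target, records created].
def forged_create(login_name)
  client = Client.new(APP)
  client.post("/login", "name" => login_name) if login_name
  before = USERS.size
  status, location = client.post("/users", "user_name" => "user1", "role" => "admin")
  [status, location, USERS.size - before]
end
```

In this sketch a granted and a denied create both answer 302, so the redirect target and the record count are what tell them apart.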