Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
A shared example for testing blacklists in controller security.
class SecurityHelper
def self.action_names(controller, opts = {})
actions = controller.class.public_instance_methods(false).reject{|a| a.to_s.starts_with? '_'}
actions - Array(opts[:except])
end
def self.create_insecure_user(opts = {})
roles = User.available_roles - Array(opts[:allowed_roles]).map(&:to_s)
FactoryGirl.create :user, roles: roles
end
end
shared_examples "a secure controller" do |opts = {}|
let(:actions) { SecurityHelper.action_names(controller, opts) }
let(:insecure_user) { SecurityHelper.create_insecure_user(opts) }
context "without authenticated user" do
it "doesn't allow access without signing in" do
sign_out :user
actions.each do |action|
get action.to_sym, id: ''
response.should redirect_to new_user_session_url
end
end
it "denies access to non-allowed roles" do
actions.each do |action|
sign_in insecure_user
get action.to_sym, id: ''
response.should redirect_to '/'
end
end
end
end
#############################
## SUPPORT CONTROLLER HELP
#############################
shared_examples "a secure support controller" do |controller, opts = {}|
include_examples "a secure controller", {allowed_roles: [:support]}.merge(opts)
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment