StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POIs there a better way to test :admin security
primarykey
Id
14618302
data
AcceptedAnswerId
14618858
AnswerCount
1
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2013-01-31T04:07:38.870
FavoriteCount
0
LastActivityDate
2013-01-31T05:06:53.630
LastEditDate
LastEditorUserId
0
OwnerUserId
1384398
ParentId
0
PostTypeId
1
Score
1
ViewCount
372
LastEditorDisplayName
text
Body
I am going through Hartl's Rails Tutorial. I'm up to the first exercise of 9.6, where he asks me to test that the User <code>admin</code> attribute isn't accessible. The justification is earlier in the book: After <a href="http://ruby.railstutorial.org/book/ruby-on-rails-tutorial#code-attr_accessible_review" rel="nofollow">Listing 9.42</a>, Hartl's Rails Tutorial says <blockquote> If we omitted the attr_accessible list in the User model (or foolishly added :admin to the list), a malicious user could send a PUT request as follows: <code>put /users/17?admin=1</code> </blockquote> The corresponding exercise (<a href="http://ruby.railstutorial.org/book/ruby-on-rails-tutorial#sec-updating_deleting_exercises" rel="nofollow">exercise 9.6.1</a>) in the tutorial says <blockquote> add a test to verify that the User admin attribute isn’t accessible </blockquote> I have completed that test with this code in <code>user_spec.rb</code>: <pre><code>expect do @user.update_attributes(:admin => true) end.to raise_error(ActiveModel::MassAssignmentSecurity::Error) </code></pre> But I used stackoverflow to get that test. This was my original idea (in <code>user_pages_spec.rb</code>): <pre><code>expect do put user_path(user) + "?admin=1" end.to raise_error(ActiveModel::MassAssignmentSecurity::Error) # or some other error </code></pre> But I couldn't get it to work. So my questions are: <ol> <li>Is my idea possible? Isn't it better to test directly for what a potential hacker might do from the command line? Isn't that the idea of Capybara, testing user actions?</li> <li>If it is possible, is there a difference between testing mass assignment and testing the PUT action?</li> <li>If it isn't possible, why? Is it just not necessary or am I missing something here?</li> </ol>
Tags
<ruby-on-rails><railstutorial.org>
Title
Is there a better way to test :admin security
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USLindsayts
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POIs there a better way to test :admin security
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.