我正在使用rspec,黄瓜和水豚,我正在寻找一种方法来测试恶意用户无法破解表单然后发布到他/她没有权限的网址.我在cancan中设置了我的权限,这样"应该"可以工作,但是,我可以测试它的唯一方法是自己黑客攻击表单.
如何自动进行此类测试?有了webrat,我可以在rspec的单元测试中做到这一点
put :update, :user_id => @user.id, :id => @user_achievement.id
response.should contain("Error, you don't have permission to access that!")
然而,在水豚中,访问只是看起来似乎.我找不到办法做到这一点,我已经google了无处不在.
任何帮助将不胜感激,谢谢
我form_for在我的视图帮助器中创建了一个允许一个用户从组中提升另一个用户的操作.
def promote_button_for(group, user)
membership = group.get_membership( user )
form_for membership, :url => group_membership_path( group, membership ) do |f|
f.hidden_field :group_creator
hidden_field_tag 'test', '1'
f.submit( "Promote", :onclick => "return confirm(\"Are you sure you want to promote #{user.email} to an officer?\")" )
end
end
当我通过按钮提交表单时,我似乎没有将任何隐藏的字段参数发送到控制器.
Started POST "/groups/1/memberships/6" for 127.0.0.1 at 2011-02-01 01:45:32 -0600
Processing by MembershipsController#update as HTML
Parameters: {"utf8"=>"?", "authenticity_token"=>"VQl/rVX8OVOETv2HE7KtopUc3B19ShoMkUhjJwNlaZs=", "commit"=>"Promote", "group_id"=>"1", "id"=>"6"}
生成的Html看起来像:
<form accept-charset="UTF-8" action="/groups/1/memberships/6" class="edit_membership" id="edit_membership_6" method="post">
<div style="margin:0;padding:0;display:inline">
<input name="utf8" type="hidden" value="✓" /> …