There are two problems here that I think apply to different tests:
- A user cannot access a secure page without logging in. This is a controller check.
- The user is automatically registered even after the session has been destroyed, so the “remember me” flag was set in the cookie.
For #1, you can try something like:

```ruby
describe UsersController do
  context "when not logged in" do
    context "GET users/edit" do
      it "redirects to login" do
        # No login has happened, so the protected action must redirect
        get :edit, :id => 123
        response.should redirect_to login_path
      end
    end
  end
end
```
You can do a more general test case that asserts on all actions that are not explicitly specified, so you don't have test gaps if the access code later becomes more permissive. But this is a more subtle point.
For #2, you can write a request spec that sets the "remember me" flag, then logs out, then logs back in and verifies that you are on the expected page. Do all of this through the browser by filling out your credentials, checking the Remember Me box, and clicking the buttons.
Question: why? Why do you want to test this? Do you use a home-grown login system? That is highly discouraged if you are not a first-class security expert. If you don't use a home-grown system but instead use Devise, which is tested, do not re-test the library's functionality; test only your application code, for example the access rights to certain pages covered by #1. You can also look at the tests that ship with Devise to see how they check this condition.
Hope this helps.
Update. To clarify the request spec for #2: as mentioned in another answer by @cutalion (who deserves credit for the correct answer), a mechanism to verify that the login persists when the session is closed is built into the ActionDispatch IntegrationTest framework, using open_session.
See the IntegrationTest API in the Rails docs for examples. A blog post expands on this using a custom DSL.
Wolfram Arnold
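The behaviour a request spec for #2 has to pin down, modelled in plain Ruby as an added example that is not part of the original answer and is not Rails or Devise code. `TinyAuthApp`, `jar` and `final_response` are hypothetical names; in a Rails suite the browser restart would be a second `open_session` that carries over only the persistent cookie.

```ruby
require "securerandom"
require "digest"

# Stand-in for the application under test (hypothetical, not Devise or Rails).
class TinyAuthApp
  def initialize
    @sessions = {}  # session id => user
    @remember = {}  # SHA-256 of remember token => user (raw token never stored)
  end

  # Credential check omitted. Returns cookies as [name, value, persistent?].
  def login(user, remember_me: false)
    sid = SecureRandom.hex(16)
    @sessions[sid] = user
    cookies = [[:session_id, sid, false]]
    return cookies unless remember_me
    token = SecureRandom.hex(32)
    @remember[digest(token)] = user
    cookies << [:remember_token, token, true]
  end

  # Logout revokes the remember token server-side, not only the session.
  def logout(cookies)
    @sessions.delete(cookies[:session_id])
    @remember.delete(digest(cookies[:remember_token]))
  end

  def get_protected(cookies)
    user = @sessions[cookies[:session_id]] || @remember[digest(cookies[:remember_token])]
    user ? [:ok, user] : [:redirect, "/login"]
  end

  private def digest(token)
    Digest::SHA256.hexdigest(token.to_s)
  end
end

# Cookies a browser would send; after a restart only persistent ones survive.
def jar(set_cookies, restarted: false)
  kept = restarted ? set_cookies.select { |_, _, persistent| persistent } : set_cookies
  kept.to_h { |name, value, _| [name, value] }
end

# Log in, optionally log out, restart the browser, request a protected page.
def final_response(remember_me:, logout_first: false)
  app = TinyAuthApp.new
  set_cookies = app.login("alice", remember_me: remember_me)  # constructed user
  app.logout(jar(set_cookies)) if logout_first
  app.get_protected(jar(set_cookies, restarted: true))
end
```

The third case, replaying the remember cookie after logout, is the one that catches an implementation that clears the cookie in the browser but leaves the token valid on the server.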