Testing access control with cucumber & capybara

Question

I'm using rails_admin and devise in my rails 3 application and writing tests for access control in cucumber.

I want to test that someone not admin cannot access all the routes of rails_admin (for example)

If I explicitly test like so:

  Scenario: An authenticated user cannot access site administration
    Given I am an authenticated user "kate", "kate@example.com"
    When I visit the administration page
    Then I should see access denied

I can match the string "the administration page" to the route "rails_admin_dashboard_path" and make my test pass just fine. But this seems to be testing the application the wrong way around. I want to test ALL the routes (loop through them somehow) rather than imply them and maybe miss one or two.

Something like this:

  Scenario: An authenticated user cannot access site administration
    Given I am an authenticated user "kate", "kate@example.com"
    When I visit ANY administration page
    Then I should see access denied

Could anyone advise me on how to effectively test this? Am I taking the right approach? Should I be doing this in rspec instead?

As you might be able to tell, I am a bit of a n00b.

Answer 1

I don't think you should be aiming to test every possible route in your Cucumber scenarios. As Andrea S. suggests, if all your admin controllers have a common base, then it should be sufficient to check the admin home page.

Answer 2

One approach would be to create a base controller in your admin namespace that all other admin/controllers inherit from. You can put a before filter in that base controller to check for admin authentication. Like so:

#app/controllers/admin/base.rb

class Admin::Base < ApplicationController
  before_filter :ensure_admin_logged_in
end

And have all your other controllers in the admin namespace inherit from this one:

#app/controllers/admin/Pages.rb
class Admin::PagesController < Admin::Base
  layout "admin"
end