Pat Maddox wrote:
> I assume you don't though, cause that'd be kinda weird. How about
> passing it in the POST params:
>
> put users_url(user), :user => {:administrator => true}
>
> Something along those lines...

That is the problem, I am not sure what syntax to use in the step
definition. I tried this:

visits "#{edit_user_path}?user[administrator]=1"

Which produces the same type of URL that the RoR security guide uses in
its examples:

http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1

Whereas I generate

HTTP headers
{"HTTP_REFERER"=>"http://www.example.com/account/edit?user[administrator]=1"}

But this URL attack does not seem to work as advertised. The key
"administrator" does not make it into the params hash:

200 OK [http://www.example.com/account/edit?user[administrator]=1]
REQUESTING PAGE: POST /account with {
  "user"=>{
    "name_middle"=>"Middle-myuser",
    "password_confirmation"=>"",
    "username"=>"myuser",
    "password"=>"",
    "email"=>"[email protected]",
    "name_first"=>"First-myuser",
    "name_last"=>"Last-myuser"},
  "commit"=>"Update",
  "_method"=>"put"}

I realize this is a silly thing to ask, but how do you do this for
testing?
--
Posted via http://www.ruby-forum.com/.
_______________________________________________
rspec-users mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/rspec-users
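
Added example, not part of the original post or of Rails/RSpec: a plain-Ruby sketch of why the key on the edit page's query string never reaches the form POST, and of the regression check a mass-assignment test needs once the key is sent in the request's own params. The User class, its PROTECTED list and the request bodies are constructed stand-ins, not ActiveRecord.

```ruby
require "uri"

# Constructed stand-in for a Rails model; this is not ActiveRecord.
class User
  PROTECTED = %w[administrator].freeze # plays the role of a protected-attribute list
  attr_reader :attrs

  def initialize(attrs = {})
    @attrs = { "administrator" => false }.merge(attrs)
  end

  # Mass assignment with no filtering: every submitted key is written.
  def update_unfiltered(params)
    @attrs.merge!(params)
    self
  end

  # Mass assignment that drops protected keys before writing.
  def update_filtered(params)
    @attrs.merge!(params.reject { |key, _| PROTECTED.include?(key) })
    self
  end
end

# Parse "user[name]=x&commit=Update" into {"user"=>{"name"=>"x"}, "commit"=>"Update"}.
# Handles one nesting level only, which is all these requests use.
def parse_nested(encoded)
  URI.decode_www_form(encoded).each_with_object({}) do |(key, value), out|
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (out[m[1]] ||= {})[m[2]] = value
    else
      out[key] = value
    end
  end
end

# Body of the form submission: only the form's own fields. The query string of
# the earlier GET shows up in the Referer header, not in this body.
def form_submission_params
  parse_nested("_method=put&user[username]=myuser&user[name_first]=First-myuser&commit=Update")
end

# What the test has to send instead: the extra key in the request's own params.
def direct_request_params
  parse_nested("_method=put&user[username]=myuser&user[administrator]=1")
end
```

The check that matters for the model is the last pair: with the key present in the params, the unfiltered update changes "administrator" and the filtered one leaves it at its default.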