Zach Dennis wrote:
> The "Then" step ensures that the user is redirected to an access
> denied page. Granted, this doesn't go to the granularity you may be
> trying to get at, but knowing you aren't actually getting through to
> the underlying action (by being redirected to the access denied page)
> has worked well for me,
I am already testing for that. What I am trying to accomplish now is to find a malevolently crafted URL that will trigger the users_controller/update action with arbitrary contents in the params hash. Once I have one that "works", then we will code the model/controller to prevent it.

I have gotten to the point where I believe that the URL has to look somewhat like this:

http://www.example.com/users/2/<some_action>?user[administrator=1]&commit=Update&action=update&_method=put&controller=users

where some_action is one of account, edit, update or nothing. I cannot yet determine which is the case. Regardless, I cannot seem to find a way to push this to the controller as a POST, which is apparently what the controller needs, from either a step definition or a browser.

--
Posted via http://www.ruby-forum.com/.
_______________________________________________
rspec-users mailing list
http://rubyforge.org/mailman/listinfo/rspec-users
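To make the mechanism the poster is probing concrete, here is an added, self-contained Ruby example; it is not code from the thread, from the poster's application, or from Rails itself. It uses a hand-rolled stand-in for Rack's nested query parsing (so `user[administrator]=1` lands in `params['user']['administrator']`), models the `_method=put` override, which Rack/Rails only honour on a POST (a plain GET link is never rewritten, which is why a URL typed into a browser cannot reach a PUT-routed update action), and contrasts a model update that accepts every key under `user` with one that whitelists attributes. The `User` class, `parse_nested_query`, `effective_method` and the two update helpers are assumed names for illustration only.

```ruby
require 'cgi'

# Stand-in for Rack::Utils.parse_nested_query (assumed behaviour, stdlib only):
#   "user[administrator]=1&commit=Update&_method=put"
#   => {"user"=>{"administrator"=>"1"}, "commit"=>"Update", "_method"=>"put"}
def parse_nested_query(query)
  params = {}
  query.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_val = pair.split('=', 2)
    key = CGI.unescape(raw_key.to_s)
    val = CGI.unescape(raw_val.to_s)
    # "user[administrator]" -> ["user", "administrator"]; "commit" -> ["commit"]
    path = key.scan(/[^\[\]]+/)
    next if path.empty?
    node = params
    path[0...-1].each { |k| node = (node[k] ||= {}) }
    node[path.last] = val
  end
  params
end

# Browsers only send GET and POST, so Rails routes a POST carrying
# _method=put as a PUT. The override is applied to POST only; a GET with
# the same query string stays a GET and never reaches a PUT-only route.
def effective_method(http_method, params)
  override = params['_method'].to_s.downcase
  if http_method.upcase == 'POST' && %w[put delete].include?(override)
    override.upcase
  else
    http_method.upcase
  end
end

# Minimal model standing in for an ActiveRecord user (assumed, not the OP's).
class User
  attr_accessor :name, :email, :administrator
  def initialize(name, email, administrator = false)
    @name, @email, @administrator = name, email, administrator
  end
end

# Vulnerable: every key in params['user'] becomes a setter call, exactly what
# an unrestricted update_attributes does. The crafted query flips the
# administrator flag because nothing filters the incoming hash.
def update_unprotected(user, attrs)
  attrs.each { |k, v| user.send("#{k}=", v) }
  user
end

# Hardened: only explicitly allowed attributes are assigned (the role that
# attr_accessible, and later strong parameters, play in Rails). The
# administrator key is silently dropped instead of reaching the setter.
ALLOWED_USER_ATTRIBUTES = %w[name email]
def update_whitelisted(user, attrs)
  attrs.each do |k, v|
    user.send("#{k}=", v) if ALLOWED_USER_ATTRIBUTES.include?(k)
  end
  user
end

if __FILE__ == $0
  crafted = "user[administrator]=1&user[name]=eve&commit=Update&_method=put"
  params = parse_nested_query(crafted)
  puts "GET  routes as: #{effective_method('GET', params)}"
  puts "POST routes as: #{effective_method('POST', params)}"
  puts "unprotected admin flag: #{update_unprotected(User.new('alice', 'a@example.com'), params['user']).administrator.inspect}"
  puts "whitelisted admin flag: #{update_whitelisted(User.new('alice', 'a@example.com'), params['user']).administrator.inspect}"
end
```

In a Cucumber step the equivalent of the POST branch is a request built with the test client (for example `put "/users/2", :user => { :administrator => "1" }` in a Rails integration session), not a URL pasted into a browser; the GET branch above is what the browser experiment exercises.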
