[Hobo Users] Testing Hobo Permissions


Dan

Apr 21, 2010, 10:12:30 AM
to Hobo Users
Hi,

I'm writing functional tests for my Hobo controllers. It seems that if
I just post a 'create' request the permissions restrictions are being
ignored. I've set up a basic example in my app to check what was going
on. So I have a class called Widget, which should disallow all create
requests. See model below:

class Widget < ActiveRecord::Base
  hobo_model # Don't put anything above this

  fields do
    content :text, :required
    timestamps
  end

  def create_permitted?
    false
  end
  ....
end

However, if I run this test below, it creates a new record, and hence
passes:

assert_difference('Widget.count') do
  post :create, :widget => {:content => 'test data'}
end

If I change the test by adding a get request to the 'new' method, it
fails to create a new record as it should, and fails:

assert_difference('Widget.count') do
  get :new
  post :create, :widget => {:content => 'test data'}
end

Surely this is wrong? What's to stop a malicious user simply posting
data directly to my app to circumvent the Hobo permissions?

Please let me know what's happening here and if I've maybe understood
the problem?

Thanks

Brent

--
You received this message because you are subscribed to the Google Groups "Hobo Users" group.
To post to this group, send email to hobo...@googlegroups.com.
To unsubscribe from this group, send email to hobousers+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/hobousers?hl=en.

Matt Jones

Apr 21, 2010, 11:14:55 AM
to hobo...@googlegroups.com

On Apr 21, 2010, at 10:12 AM, Dan wrote:

> Hi,
>
> I'm writing functional tests for my Hobo controllers. It seems that if
> I just post a 'create' request the permissions restrictions are being
> ignored. I've set up a basic example in my app to check what was going
> on. So I have a class called Widget, which should disallow all create
> requests. See model below:
>
> class Widget < ActiveRecord::Base
> hobo_model # Don't put anything above this
>
> fields do
> content :text, :required
> timestamps
> end
>
> def create_permitted?
> false
> end
> ....
> end
>
> However, if I run this test below, it creates a new record, and hence
> passes:
>
> assert_difference('Widget.count') do
> post :create, :widget => {:content => 'test data'}
> end


Not sure, but is the functional test 'post' method setting up the
current_user stuff correctly? The permission checks get bypassed if
acting_user is nil (can't happen via a live controller action, as
not-logged-in users still have an instance of Hobo::Guest). See around
line 135 of permissions.rb for more details.

--Matt Jones

Bryan Larsen

Apr 21, 2010, 11:27:33 AM
to hobo...@googlegroups.com
I've never used functional tests with Hobo, but there are some example
webrat tests in
http://github.com/tablatom/agility/tree/master/test/integration/ and
selenium tests in
http://github.com/tablatom/agility/tree/master/test/selenium/

Since they test the entire stack, permissions work correctly. They'll
also be a lot slower. :(

Bryan

Dan

Apr 21, 2010, 7:22:51 PM
to Hobo Users
Hi Matt, yes sorry I left that line out of my new test code, but I
have been setting up a valid user in the session in my real code, so
that's not the problem. The corrected test method is below:

session[:user] = users(:one).typed_id
assert_difference('Widget.count') do
  get :new
  post :create, :widget => {:content => 'test data'}
end

I've done some playing around and it seems that without the 'get' call
happening first the session[:user] variable isn't available in the
controller when I make the post, hence there is no valid user and as
you say Matt the permissions checks won't run. So the 'get' sets up
the session.

This behaviour seems odd as surely someone could post directly to my
controller and avoid all the permissions checks as there will be no
valid user in the session. Or is this behaviour only happening because
I'm posting from within a test and it couldn't be recreated by someone
external firing a post request to my live app?

Betelgeuse

Apr 22, 2010, 3:52:14 PM
to Hobo Users
Testing permissions isn't really the job of functional tests.
Permission testing belongs to unit tests. You will then do testing
directly against the permission query methods.

On Apr 21, 5:12 pm, Dan <bassbo...@googlemail.com> wrote:
> Hi,
>
> I'm writing functional tests for my Hobo controllers. It seems that if
> I just post a 'create' request the permissions restrictions are being
> ignored. I've set up a basic example in my app to check what was going
> on. So I have a class called Widget, which should disallow all create
> requests. See model below:
>

Dan

Apr 23, 2010, 6:21:32 AM
to Hobo Users
I thought it would be a more realistic simulation of actual behaviour
to set a particular user in the session then use controller tests
(POSTs and GETs) as that user to test permissions. Betelgeuse, can you
give me an example of unit tests directly against the permission
methods please.

Betelgeuse

Apr 23, 2010, 5:44:28 PM
to Hobo Users

Henry Baragar

Apr 23, 2010, 11:33:59 PM
to hobo...@googlegroups.com
It's very powerful being able to test permissions in the unit tests:
  def test_create_permissions
    assert   @new_league.creatable_by?(users(:an_administrator))
    assert   @new_league.creatable_by?(users(:a_organizer))
    assert ! @new_league.creatable_by?(users(:a_captain))
    assert ! @new_league.creatable_by?(users(:a_assistant_captain))
    assert ! @new_league.creatable_by?(users(:a_player_1))
    assert ! @new_league.creatable_by?(Guest.new)
  end
Henry
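Added example, not Hobo's code and not from anyone in the thread: a dependency-free Ruby stand-in for a hobo_model with a create permission, exercised the way Henry's unit test does it, with `Guest` and `nil` users included so the bypass Matt describes (checks skipped when acting_user is nil) is covered by the test rather than passing silently. The `Widget`, `User`, `Guest` classes and the role names are hypothetical.

```ruby
# Hypothetical stand-ins for the Hobo::Guest and user model (not Hobo's code).
class Guest
  def administrator?
    false
  end
end

class User
  attr_reader :name, :role

  def initialize(name, role)
    @name = name
    @role = role
  end

  def administrator?
    @role == :administrator
  end
end

class Widget
  attr_reader :content

  def initialize(content)
    @content = content
  end

  # Permission method in the style of Hobo's create_permitted?: only an
  # administrator may create a Widget. A nil acting user is treated as
  # "not permitted" rather than "not checked", so the method fails closed.
  def create_permitted?(acting_user)
    return false if acting_user.nil?
    acting_user.administrator?
  end

  # creatable_by?(user) as used in Henry's test; nil is mapped to a Guest,
  # mirroring how a live Hobo action always has an acting user.
  def creatable_by?(user)
    create_permitted?(user || Guest.new)
  end
end

# Permission matrix in the style of Henry's test_create_permissions, returned
# as a hash so each role's outcome can be asserted on individually.
def create_permission_matrix
  widget = Widget.new('test data') # constructed sample record
  {
    administrator: widget.creatable_by?(User.new('alice', :administrator)),
    player:        widget.creatable_by?(User.new('bob', :player)),
    guest:         widget.creatable_by?(Guest.new),
    nil_user:      widget.creatable_by?(nil),
  }
end
```

Run against the real model, the same matrix would call `users(:fixture_name)` and `Guest.new` as Henry shows; the point is that the nil and Guest rows exist at all.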

Dan

Apr 26, 2010, 5:52:32 PM
to Hobo Users
Cool, I'll use this to test my permissions instead of the controller
tests. Many thanks for your help guys.

On Apr 24, 4:33 am, Henry Baragar <Henry.Bara...@Instantiated.Ca>
wrote: