Restricting Access
Having required a login for your application, you’ve solved part of the potential security problem. The next problem involves limiting a user’s access to projects the user is associated with.
Let’s start with an integration test. The test needs as its given a project and at least two users—one who has access and one who does not. The when action is an attempt to view the project show page, and the then specification is the successful or unsuccessful page view. There are a couple of other security aspects you might test, such as whether the index list of projects is filtered by what projects the user is part of, whether a user can edit or create a project, and so on. But this set of tests will give the basic idea:
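The given/when/then shape described above, as an added example that is not the book's code: a framework-free Ruby model of the access check, where the `User`/`Project` stand-ins, `show_project`, `visible_projects` and the 302 redirect are assumptions standing in for the Rails models and controller.

```ruby
require "set"
# Constructed stand-ins for the app's models (assumptions, not the book's code).
User = Struct.new(:name)

class Project
  attr_reader :name, :members
  def initialize(name, members)
    @name = name
    @members = Set.new(members) # users associated with this project
  end

  # The authorization rule under test: only associated users may view.
  def visible_to?(user)
    members.include?(user)
  end
end

# Stand-in for ProjectsController#show, returning a Rack-like [status, body].
# Non-members are redirected (302) instead of being shown the page.
def show_project(project, current_user)
  return [302, "redirected to /projects"] unless project.visible_to?(current_user)
  [200, "<h1>#{project.name}</h1>"]
end

# Stand-in for the index action's filtering: only the user's own projects.
def visible_projects(projects, user)
  projects.select { |project| project.visible_to?(user) }
end

# Given: one project and two users, exactly one of whom is associated with it.
def build_fixture
  member   = User.new("member")
  outsider = User.new("outsider")
  [Project.new("Secret Project", [member]), member, outsider]
end

# When/then: the member gets the page; the outsider is redirected, the body
# leaks nothing about the project, and the index hides it from them too.
def member_can_view?
  project, member, _outsider = build_fixture
  show_project(project, member).first == 200
end

def outsider_is_denied?
  project, _member, outsider = build_fixture
  status, body = show_project(project, outsider)
  status == 302 && !body.include?(project.name) && visible_projects([project], outsider).empty?
end

puts "member sees page: #{member_can_view?}, outsider denied: #{outsider_is_denied?}"
```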
Get Rails 5 Test Prescriptions now with the O’Reilly learning platform.