How can I test an expected 404 response on a private resource page out of production?









up vote
0
down vote

favorite












I have an application where users are authors of objects called "Binders". This is a private resource where one user shouldn't be able to view the binder of another user unless it is being shared. I would like my application to 404 whenever a user tries to do such a thing. Here is what I have tried so far.



class BindersController < ApplicationController
before_action :authenticate_user!
before_action :set_user, only: [:show, :edit, :update, :destroy]
before_action :authenticate_access, only: [:show, :edit, :update, :destroy]

# ...

private
def authenticate_access
if current_user != @binder.user
respond_to do |format|
format.html head :missing
format.json head :missing
end
end
end
end


My problem is that Rails prefers to 500 in development and test. This makes this impossible to check with a test like the following.



class BindersControllerTest < ActionDispatch::IntegrationTest
include Warden::Test::Helpers

setup do
@alices_binder = binders(:alices_binder)
@alice = users(:alice)
@eve = users(:eve)
end

teardown do
Warden.test_reset!
end

test 'binders#show should be missing if accessed by wrong user'
login_as @eve, scope: :user
get binder_url(@alices_binder)
assert_response :missing
end
end


How can I properly test this behavior out of production?










share|improve this question























  • change head :missing by head :not_found
    – edudepetris
    Nov 11 at 3:03










  • on a side note, the correct error code that you should be using in those cases is 403 Forbidden
    – Julien
    Nov 11 at 22:30














up vote
0
down vote

favorite












I have an application where users are authors of objects called "Binders". This is a private resource where one user shouldn't be able to view the binder of another user unless it is being shared. I would like my application to 404 whenever a user tries to do such a thing. Here is what I have tried so far.



class BindersController < ApplicationController
before_action :authenticate_user!
before_action :set_user, only: [:show, :edit, :update, :destroy]
before_action :authenticate_access, only: [:show, :edit, :update, :destroy]

# ...

private
def authenticate_access
if current_user != @binder.user
respond_to do |format|
format.html head :missing
format.json head :missing
end
end
end
end


My problem is that Rails prefers to 500 in development and test. This makes this impossible to check with a test like the following.



class BindersControllerTest < ActionDispatch::IntegrationTest
include Warden::Test::Helpers

setup do
@alices_binder = binders(:alices_binder)
@alice = users(:alice)
@eve = users(:eve)
end

teardown do
Warden.test_reset!
end

test 'binders#show should be missing if accessed by wrong user'
login_as @eve, scope: :user
get binder_url(@alices_binder)
assert_response :missing
end
end


How can I properly test this behavior out of production?










share|improve this question























  • change head :missing by head :not_found
    – edudepetris
    Nov 11 at 3:03










  • on a side note, the correct error code that you should be using in those cases is 403 Forbidden
    – Julien
    Nov 11 at 22:30












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I have an application where users are authors of objects called "Binders". This is a private resource where one user shouldn't be able to view the binder of another user unless it is being shared. I would like my application to 404 whenever a user tries to do such a thing. Here is what I have tried so far.



class BindersController < ApplicationController
before_action :authenticate_user!
before_action :set_user, only: [:show, :edit, :update, :destroy]
before_action :authenticate_access, only: [:show, :edit, :update, :destroy]

# ...

private
def authenticate_access
if current_user != @binder.user
respond_to do |format|
format.html head :missing
format.json head :missing
end
end
end
end


My problem is that Rails prefers to 500 in development and test. This makes this impossible to check with a test like the following.



class BindersControllerTest < ActionDispatch::IntegrationTest
include Warden::Test::Helpers

setup do
@alices_binder = binders(:alices_binder)
@alice = users(:alice)
@eve = users(:eve)
end

teardown do
Warden.test_reset!
end

test 'binders#show should be missing if accessed by wrong user'
login_as @eve, scope: :user
get binder_url(@alices_binder)
assert_response :missing
end
end


How can I properly test this behavior out of production?










share|improve this question















I have an application where users are authors of objects called "Binders". This is a private resource where one user shouldn't be able to view the binder of another user unless it is being shared. I would like my application to 404 whenever a user tries to do such a thing. Here is what I have tried so far.



class BindersController < ApplicationController
before_action :authenticate_user!
before_action :set_user, only: [:show, :edit, :update, :destroy]
before_action :authenticate_access, only: [:show, :edit, :update, :destroy]

# ...

private
def authenticate_access
if current_user != @binder.user
respond_to do |format|
format.html head :missing
format.json head :missing
end
end
end
end


My problem is that Rails prefers to 500 in development and test. This makes this impossible to check with a test like the following.



class BindersControllerTest < ActionDispatch::IntegrationTest
include Warden::Test::Helpers

setup do
@alices_binder = binders(:alices_binder)
@alice = users(:alice)
@eve = users(:eve)
end

teardown do
Warden.test_reset!
end

test 'binders#show should be missing if accessed by wrong user'
login_as @eve, scope: :user
get binder_url(@alices_binder)
assert_response :missing
end
end


How can I properly test this behavior out of production?







ruby-on-rails






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 10 at 22:19

























asked Nov 10 at 20:04









Jared

91311021




91311021











  • change head :missing by head :not_found
    – edudepetris
    Nov 11 at 3:03










  • on a side note, the correct error code that you should be using in those cases is 403 Forbidden
    – Julien
    Nov 11 at 22:30
















  • change head :missing by head :not_found
    – edudepetris
    Nov 11 at 3:03










  • on a side note, the correct error code that you should be using in those cases is 403 Forbidden
    – Julien
    Nov 11 at 22:30















change head :missing by head :not_found
– edudepetris
Nov 11 at 3:03




change head :missing by head :not_found
– edudepetris
Nov 11 at 3:03












on a side note, the correct error code that you should be using in those cases is 403 Forbidden
– Julien
Nov 11 at 22:30




on a side note, the correct error code that you should be using in those cases is 403 Forbidden
– Julien
Nov 11 at 22:30

















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53242941%2fhow-can-i-test-an-expected-404-response-on-a-private-resource-page-out-of-produc%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53242941%2fhow-can-i-test-an-expected-404-response-on-a-private-resource-page-out-of-produc%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







這個網誌中的熱門文章

How to read a connectionString WITH PROVIDER in .NET Core?

Node.js Script on GitHub Pages or Amazon S3

Museum of Modern and Contemporary Art of Trento and Rovereto