How can I test an expected 404 response on a private resource page out of production?
I have an application where users are authors of objects called "Binders". This is a private resource where one user shouldn't be able to view the binder of another user unless it is being shared. I would like my application to 404 whenever a user tries to do such a thing. Here is what I have tried so far.
```ruby
class BindersController < ApplicationController
  before_action :authenticate_user!
  before_action :set_user, only: [:show, :edit, :update, :destroy]
  before_action :authenticate_access, only: [:show, :edit, :update, :destroy]
  # ...

  private

  def authenticate_access
    if current_user != @binder.user
      respond_to do |format|
        format.html { head :missing }
        format.json { head :missing }
      end
    end
  end
end
```
My problem is that Rails prefers to 500 in development and test. This makes this impossible to check with a test like the following.
```ruby
class BindersControllerTest < ActionDispatch::IntegrationTest
  include Warden::Test::Helpers

  setup do
    @alices_binder = binders(:alices_binder)
    @alice = users(:alice)
    @eve = users(:eve)
  end

  teardown do
    Warden.test_reset!
  end

  test 'binders#show should be missing if accessed by wrong user' do
    login_as @eve, scope: :user
    get binder_url(@alices_binder)
    assert_response :missing
  end
end
```
How can I properly test this behavior out of production?
ruby-on-rails
edited Nov 10 at 22:19
asked Nov 10 at 20:04
Jared
change `head :missing` by `head :not_found`
– edudepetris
Nov 11 at 3:03
on a side note, the correct error code that you should be using in those cases is 403 Forbidden
– Julien
Nov 11 at 22:30
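An added example, not part of the original question or its comments: a plain-Ruby model of the access rule the question describes, where a binder that exists but is not visible to the requester gets the same 404 as a binder that does not exist, so the response does not reveal which IDs are in use. The `Binder` struct, `BINDERS` data, `visible_binder` and `show_binder` are hypothetical names with constructed data; the handler returns a Rack-style `[status, headers, body]` triple and needs neither Rails nor the Rack gem.

```ruby
# Added example: hypothetical names, constructed in-memory data.
Binder = Struct.new(:id, :owner, :shared_with)

# Constructed sample data modelled on the users named in the question.
BINDERS = {
  1 => Binder.new(1, "alice", []),      # private to alice
  2 => Binder.new(2, "alice", ["eve"])  # alice's binder, shared with eve
}.freeze

# One response for "does not exist" and "exists but is not yours".
def not_found
  [404, { "content-type" => "text/plain" }, ["Not Found"]]
end

# Resolve the binder through the requesting user. Anything the user may not
# see comes back as nil, exactly like a missing record, so the caller has a
# single "not found" path and cannot leak existence by accident.
def visible_binder(user, id)
  binder = BINDERS[id]
  return nil if binder.nil?
  return binder if binder.owner == user
  return binder if binder.shared_with.include?(user)

  nil
end

# Rack-style handler for an already authenticated user.
def show_binder(user, id)
  binder = visible_binder(user, id)
  return not_found if binder.nil?

  [200, { "content-type" => "text/plain" }, ["Binder ##{binder.id}"]]
end
```

In a Rails integration test the corresponding assertion would be `assert_response :not_found` for both the foreign binder and an unused ID.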