Home/ Questions/Q 8464239
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T14:41:00+00:00

I have a rails application using cancan, and there are several different roles that

  • 0

I have a rails application using cancan, and there are several different roles that I am testing. I’m looking for the most DRY way to setup these tests across several controllers.

This is a shortened version of what I have so far. Is there a better way to do this? It still feels kinda heavy to me.

describe OrganizationsController do
  render_views

  before do
    # User roles
    @unauthenticated = User.new
    @org_admin = Factory.create(:organization_admin)
    @org_staff = Factory.create(:org_staff)
    @customer = Factory.create(:customer)
    @admin = Factory.create(:admin)

    @organization = Factory.create(:organization)
    @org_for_admin = Factory.create(:organization, :user_group_id => @org_admin.user_group_id)
    @org_attr = FactoryGirl.attributes_for(:organization)
  end

  describe "GET 'show'" do
    authorized = %w(org_admin admin org_staff customer)
    not_authorized = %w(unauthenticated)

    not_authorized.each do |u|
      context "an organization by a user with role: #{u}" do
        before do
          user = instance_variable_get("@#{u}")
          get :show, :id => @organization.id, :format => 'json'
        end
        it { should_not respond_with :success }
        it { should respond_with :forbidden }
      end
    end

    authorized.each do |u|
      context "an organization by a user with role: #{u}" do
        before do
          user = instance_variable_get("@#{u}")
          get :show, :id => @organization.id, :format => 'json', :token => user.token
        end
        it { should respond_with :success }
        it { should render_template :show }
        it { should respond_with_content_type(/json/) }
        it { should assign_to(:organization).with_kind_of(Organization) }
      end
    end
  end

  describe "GET 'update'" do
    authorized = [%w(admin organization), %w(org_admin org_for_admin)]
    not_authorized = [%w(unauthenticated organization), %w(org_staff org_for_admin), %w(customer organization), %w(org_admin organization)]
    not_authorized.each do |u, o|
      context "an organization by a user with role: #{u}" do
        before do
          user = instance_variable_get("@#{u}")
          organization = instance_variable_get("@#{o}")
          put :update, :id => organization.id, :organization => @org_attr, :format => 'json'
        end
        it { should_not respond_with :success }
        it { should respond_with :forbidden }
      end
    end

    authorized.each do |u, o|
      context "an organization by a user with role: #{u}" do
        before do
          user = instance_variable_get("@#{u}")
          organization = instance_variable_get("@#{o}")          
          put :update, :id => organization.id, :organization => @org_attr, :format => 'json', :token => user.token
        end
        it { should respond_with :success }
        it { should render_template :update }
        it { should respond_with_content_type(/json/) }
        it { should assign_to(:organization).with_kind_of(Organization) }
      end
    end
  end
end

Or, should I be using the cancan matchers and move these types of ability tests into the model specs and just have a successful and a forbidden test for each controller action? Any other comments on my tests in terms of anti-patterns/stylistic suggestions are also welcome.

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The wiki describes the “pain point” you’re feeling:

    It can be difficult to thoroughly test user permissions at the
    functional/integration level because there are often many branching
    possibilities.

    .. if you want to test the controller behavior
    independently from what is inside the Ability class, it is easy to
    stub out the ability with any behavior you want.

    def setup
  @ability = Object.new
  @ability.extend(CanCan::Ability)
  @controller.stubs(:current_ability).returns(@ability)
end

test "render index if have read ability on project" do
  @ability.can :read, Project
  get :index
  assert_template :index
end

    Good question. I’ve often wondered this myself. Next time, I’m going to try the wiki’s suggestion.

    • 0