I just updated a rails app bundle from capybara 2.0.0.beta2 to the current 2.0.1 version. (Just happened to be on the beta still.) I also updated Rspec from 2.11.0 to 2.12.0 to be compatible with some changes to how url helpers are included.
Before this update I had a few tests verifying things like non-admin users not being able to create new users and similar permission/form hacking basics. I also have specs to verify that mass assignment attacks are covered. It was fairy easy and worked well but is now broken for me.
context "non-admin users can" do
before(:each) do
login_as_user
end
it "Not create new users" do
page.driver.post users_path, { :params => {
user_name: "user1",
user_email: "name@example.com",
user_password: "124mgldkg3",
user_role: "user"
} }
page.status_code.should be 302
end
end
It statements that only try to go (visit) somewhere unauthorised work just fine but I can not longer do a manipulated post of a form that this kind of user should not be allowed to post. I now get a 404 for any and all of these requests.
I am not at all sure what has changed in Capybara and/or Rspec. It could certainly be some small details that causes my request to “fall out of context”. What it looks like is that the request is performed without the same session and request context as visit’s and form posts.
I’d like to:
- post using custom parameters and not a form visible to the user.
- still be in the existing session and request context (sub-domain…)
I haven’t found a replacement technique. I started down the Rack::Test path but then I am definitely back at square 1 with out a login or a session…. which to be indicated that there probably is some way to check these common hacking attempts without manually setting up all the session context stuff capybara handles for me.
After digging in Capybaras internals I found that the current working way to perform a custom post request is to do the following:
This is equivalent in behaviour to my original code (above in the question).