如何在 Rails / Capybara / Cucumber 或 Rspec 中测试帖子

发布于 2024-10-19 05:23:09 字数 441 浏览 3 评论 0原文

我正在使用 rspec、cucumber 和 capybara，我正在寻找一种方法来测试恶意用户无法破解表单然后发布到他/她无权访问的 URL。我在 cancan 中设置了权限，这样“应该”可以工作，但是，我可以测试它的唯一方法是自己破解一个表单。

我怎样才能自动化这种测试？使用 webrat，我可以在带有 rspec 的单元测试中执行此操作，例如

put :update, :user_id => @user.id, :id => @user_achievement.id
response.should contain("Error, you don't have permission to access that!")

In capybara，但是，似乎仅访问确实得到了。我找不到办法做到这一点，我已经到处搜索了。

任何帮助将不胜感激，谢谢

原文

I'm using rspec, cucumber and capybara and I'm looking for a way to test that a malicious user can't hack a form then post to an url he/she doesn't have permission to. I have my permissions set up in cancan such that this "should" work, however, the only way I can test it is by hacking a form myself.

How can I automate this sort of testing? With webrat I could do this in a unit test with rspec with something like

put :update, :user_id => @user.id, :id => @user_achievement.id
response.should contain("Error, you don't have permission to access that!")

In capybara, however, visit only does get's it seems. I can't find a way to do this, I've googled everwhere.

Any help would be much appreciated,
Thanks

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

燃情 2024-10-26 05:23:09

我认为你可以通过机架测试来做到这一点
https://github.com/brynary/rack-test

在你的 Gemfile 中：

gem 'rack-test'

在你的环境中。 rb 文件

module CapybaraApp
  def app; Capybara.app; end
end
World(CapybaraApp)
World(Rack::Test::Methods)

步骤定义在某处：

When /^I send a POST request to "([^"]*)"$/ do |path|
  post path
end

我学到的大部分内容都来自这里： http://www.anthonyeden.com/2010/11/testing-rest-apis-with-cucumber-and-rack-test

更新：我认为您可以跳过对您的包含较新版本的 Rails 和/或 Cucumber 的 env.rb 文件（不确定是哪一个，我只是不在我的新项目中执行该部分，并且工作正常）

I think you can do this with rack-test
https://github.com/brynary/rack-test

in your Gemfile:

gem 'rack-test'

in your env.rb file

module CapybaraApp
  def app; Capybara.app; end
end
World(CapybaraApp)
World(Rack::Test::Methods)

step defintions somewhere:

When /^I send a POST request to "([^"]*)"$/ do |path|
  post path
end

Most of what I learned came from here: http://www.anthonyeden.com/2010/11/testing-rest-apis-with-cucumber-and-rack-test

UPDATE: I think you can skip the changes to your env.rb file with newer versions of Rails and/or Cucumber (not sure which, I just don't do that part on my newer projects and it works fine)

回复收藏 0 原文

泅人 2024-10-26 05:23:09

与@Josh Crews相同，我很大程度上基于：http://www.anthonyeden.com/2010/11/testing-rest-apis-with-cucumber-and-rack-test/#comment-159。但有两个值得注意的例外：1) 我测试实际的响应正文，2) 我演示如何测试 POST 请求。以下是使用 Rails 3.0.9 的示例：

步骤：

# features/step_definitions/api_step.feature
When /^I send a GET request to "([^\"]*)"$/ do |url|
  authorize(User.last.email, "cucumber")

  header 'Accept', 'application/json'
  header 'Content-Type', 'application/json'

  get url
end

When /^I send a POST request to "([^\"]*)" with:$/ do |url, body|
  authorize(User.last.email, "cucumber")

  header 'Accept', 'application/json'
  header 'Content-Type', 'application/json'

  post url, body
end

Then /^the JSON response should have (\d+) "([^\"]*)" elements$/ do |number_of_children, name|
  page = JSON.parse(last_response.body)
  page.map { |d| d[name] }.length.should == number_of_children.to_i
end

Then /^I should receive the following JSON response:$/ do |expected_json|
  expected_json = JSON.parse(expected_json)
  response_json = JSON.parse(last_response.body)

  response_json.should == expected_json
end

Then /^I should receive the following JSON object response:$/ do |expected_json|
  expected_json = JSON.parse(expected_json)
  response_json = JSON.parse(last_response.body)

  if expected_json['id'] == 'RESPONSE_ID'
    expected_json['id'] = response_json['id']
  end

  response_json.should == expected_json
end

功能：

# features/api/some_feature.feature
Feature: Users API
  Background:
    Given the following users exist:
      | id | name |
      | 1  | Joe  |
      | 2  | Sue  |
      | 3  | Paul |

  Scenario: Index action
    When I send a GET request to "/users/"
    Then the JSON response should have 3 "user" elements
    And I should receive the following JSON response:
      """
      [
        {
          "id":1,
          "name":"Joe"
        },
        {
          "id":2,
          "name":"Sue"
        },
        {
          "id":3,
          "name":"Paul"
        }
      ]
      """

  Scenario: Create action
    When I send a POST request to "/users/" with:
      """
      {
        "name":"Polly"
      }
      """
    Then I should receive the following JSON object response:
      """
      {
        "id":"RESPONSE_ID",
        "name":"Polly"
      }
      """
    And I send a GET request to "/users/"
    And the JSON response should have 4 "user" elements

Same as @Josh Crews I've largely based this off of: http://www.anthonyeden.com/2010/11/testing-rest-apis-with-cucumber-and-rack-test/#comment-159. But there are two notable exceptions: 1) I test the actual response body, 2) I demonstrate how to test a POST request. Here's an example using Rails 3.0.9:

Steps:

# features/step_definitions/api_step.feature
When /^I send a GET request to "([^\"]*)"$/ do |url|
  authorize(User.last.email, "cucumber")

  header 'Accept', 'application/json'
  header 'Content-Type', 'application/json'

  get url
end

When /^I send a POST request to "([^\"]*)" with:$/ do |url, body|
  authorize(User.last.email, "cucumber")

  header 'Accept', 'application/json'
  header 'Content-Type', 'application/json'

  post url, body
end

Then /^the JSON response should have (\d+) "([^\"]*)" elements$/ do |number_of_children, name|
  page = JSON.parse(last_response.body)
  page.map { |d| d[name] }.length.should == number_of_children.to_i
end

Then /^I should receive the following JSON response:$/ do |expected_json|
  expected_json = JSON.parse(expected_json)
  response_json = JSON.parse(last_response.body)

  response_json.should == expected_json
end

Then /^I should receive the following JSON object response:$/ do |expected_json|
  expected_json = JSON.parse(expected_json)
  response_json = JSON.parse(last_response.body)

  if expected_json['id'] == 'RESPONSE_ID'
    expected_json['id'] = response_json['id']
  end

  response_json.should == expected_json
end

Feature:

# features/api/some_feature.feature
Feature: Users API
  Background:
    Given the following users exist:
      | id | name |
      | 1  | Joe  |
      | 2  | Sue  |
      | 3  | Paul |

  Scenario: Index action
    When I send a GET request to "/users/"
    Then the JSON response should have 3 "user" elements
    And I should receive the following JSON response:
      """
      [
        {
          "id":1,
          "name":"Joe"
        },
        {
          "id":2,
          "name":"Sue"
        },
        {
          "id":3,
          "name":"Paul"
        }
      ]
      """

  Scenario: Create action
    When I send a POST request to "/users/" with:
      """
      {
        "name":"Polly"
      }
      """
    Then I should receive the following JSON object response:
      """
      {
        "id":"RESPONSE_ID",
        "name":"Polly"
      }
      """
    And I send a GET request to "/users/"
    And the JSON response should have 4 "user" elements

回复收藏 0 原文

~没有更多了~