This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job. You're in the testing category.
Last Updated: 2024-12-03
When dealing with authorization levels (e.g. staff vs. non-staff), you really need to integration test three possibilities:
- not logged in,
- logged in without authorization,
- logged in with authorization.
For example, I had a bug in the /law_cases page:
<%# raises NoMethodError when current_user is nil (visitor not logged in) %>
<% if current_user.staff? %>
  <%= link_to "Edit", edit_law_case_path(law_case) %>
<% end %>
This failed when the current_user was nil. This possibility would have been instantly noticed if I'd iterated through the authorization possibilities. (I also should have thought "what if the receiver is nil?" more generally.)
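As an added example (not code from the diary entry or the underlying Rails app), here is a stand-alone Ruby model of the same template logic run through the three-case authorization matrix. The User and LawCase structs, the edit_link stand-in for link_to, and the authorization_matrix runner are all constructed for illustration; the buggy helper keeps the original nil failure so the matrix shows which case breaks, and the hardened helper beside it uses safe navigation so a logged-out visitor simply sees no link.

```ruby
# Added example: three-case authorization matrix for a staff-only "Edit" link.
# User, LawCase, edit_link and authorization_matrix are constructed stand-ins
# for the Rails models and helpers, so this runs without Rails.
User = Struct.new(:name, :staff) do
  def staff?
    staff
  end
end
LawCase = Struct.new(:id)

# Stand-in for `link_to "Edit", edit_law_case_path(law_case)`.
def edit_link(law_case)
  %(<a href="/law_cases/#{law_case.id}/edit">Edit</a>)
end

# The original template logic: raises NoMethodError when current_user is nil,
# because nil does not respond to #staff?.
def render_edit_link_buggy(current_user, law_case)
  if current_user.staff?
    edit_link(law_case)
  else
    ""
  end
end

# Hardened version: `&.` returns nil (falsy) for a nil receiver, so the
# not-logged-in case renders nothing instead of crashing.
def render_edit_link(current_user, law_case)
  if current_user&.staff?
    edit_link(law_case)
  else
    ""
  end
end

# The three possibilities every authorization check should be exercised against.
AUTH_CASES = {
  not_logged_in: nil,
  logged_in_no_auth: User.new("visitor", false),
  logged_in_with_auth: User.new("clerk", true),
}.freeze

# Runs a render helper across all three cases, capturing an exception instead of
# aborting, so the result shows exactly which case fails and how.
def authorization_matrix(renderer)
  law_case = LawCase.new(42) # constructed sample record
  AUTH_CASES.transform_values do |user|
    begin
      { html: renderer.call(user, law_case), error: nil }
    rescue NoMethodError => e
      { html: nil, error: e.class.name }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Buggy template:"
  authorization_matrix(method(:render_edit_link_buggy)).each { |k, v| puts "  #{k}: #{v}" }
  puts "Hardened template:"
  authorization_matrix(method(:render_edit_link)).each { |k, v| puts "  #{k}: #{v}" }
end
```

Running it prints one row per case for each helper; only the buggy helper's not_logged_in row carries a NoMethodError, which is precisely the gap a test that only covers logged-in users never reaches.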