This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job. You're in the testing category.
Last Updated: 2024-04-18
When dealing with authorization levels (e.g. staff vs. non-staff), you really need to integration test three possibilities: - not logged in, - logged in without authorization - logged in with authorization.
For example, I had a bug in the /law_cases page:
if current_user.staff?
<%= link_to "Edit", edit_law_case_path(law_case) %>
end
This failed when the current_user was nil. This possibility would have been
instantly noticed if I'd iterated through the authorization possibilities. (I also should have
thought "what if the receiver is nil?" generally)