Cucumber Ltd / jam

Private projects: features/manage_projects/private_projects.feature

Redirect ends the response, so don't end it

Aslak Hellesøy


Feature: Private projects

Whether or not a user can interact with a project depends on a number of rules.

Rules

  • Public projects can be seen by anyone
    • Unauthenticated users
    • Authenticated users
  • Private projects can only be accessed by (authenticated) collaborators

At the HTTP level, we translate permission-denied errors into "404 Not Found" rather than "403 Forbidden", so that people cannot discover which private projects exist by brute-forcing project names: a 403 would confirm that a project exists, while a 404 is indistinguishable from a project that was never created.
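As an added illustration of the rules above (example code written for this page, not part of the jam project), a minimal project-view handler that applies the visibility rules and returns one and the same 404 response for both "no such project" and "private project you are not a collaborator on". The project data is constructed from the Background table below; the assumption that a project's creator is also one of its collaborators, and the helper names `viewProject`, `canView` and `indistinguishable`, are this example's own.

```javascript
// Added example, not the jam project's own code: authorization for project
// views that turns "permission denied" into "404 Not Found" so that private
// projects cannot be enumerated by guessing names.

// Constructed sample data mirroring the feature's Background table.
// Assumption (not stated on the page): the creator is also a collaborator.
const projects = new Map([
  ['janes-private-project', { creator: 'Jane', visibility: 'private', collaborators: new Set(['Jane']) }],
  ['bobs-public-project',   { creator: 'Bob',  visibility: 'public',  collaborators: new Set(['Bob']) }],
]);

// One frozen response object for every "you can't see this" outcome, so a
// missing project and a private project the caller is not on look identical
// (same status, same body). Never build a second, slightly different 404.
const NOT_FOUND = Object.freeze({ status: 404, body: 'Not Found' });

// user is null for an unauthenticated request, otherwise a user name string.
function canView(user, project) {
  // Rule: public projects can be seen by anyone, authenticated or not.
  if (project.visibility === 'public') return true;
  // Rule: private projects need an authenticated collaborator.
  return user !== null && project.collaborators.has(user);
}

function viewProject(user, projectName) {
  const project = projects.get(projectName);
  // Unknown project: a plain 404.
  if (project === undefined) return NOT_FOUND;
  // Permission denied: also a 404, deliberately not a 403.
  if (!canView(user, project)) return NOT_FOUND;
  return {
    status: 200,
    body: { name: projectName, creator: project.creator, visibility: project.visibility },
  };
}

// Check an attacker's oracle: two failure responses must not differ.
function indistinguishable(a, b) {
  return a.status === b.status && a.body === b.body;
}
```

The check a practitioner wants is the `indistinguishable` comparison: it is not enough for the status code to match, the body, headers and ideally response timing of the two failure paths must match too, and every other endpoint that takes a project name (rename, create with a colliding name, invite a collaborator) needs the same treatment or it becomes the oracle this page is trying to close.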

Background:

  • Given the following projects have been created:
      | creator | projectName           | visibility |
      | Jane    | janes-private-project | private    |
      | Bob     | bobs-public-project   | public     |

Scenario: you can't view a private project if you're not logged in

  • When AnonymousCoward tries to view janes-private-project
  • Then AnonymousCoward should be denied access to the project

Scenario: you can't view a private project if you're not a collaborator

  • When Bob tries to view janes-private-project
  • Then Bob should be denied access to the project