Cucumber feature writing feedback - testing

So I'm trying to develop a website using Ruby on Rails and I'm new to the concept of BDD. I've worked through both the Ruby on Rails Tutorial and the RSpec book and starting to strike out on my own, but was hoping to get some feedback on an initial feature.
Feature: User Signup
As a user (anyone who may use the system, to include persons outside the unit)
I want to sign up
So that I can access the website
Scenario: sign up
Given I have not yet signed up
When I go the signup page
Then I should be redirected to the signup page
Am I on the right track here..?

Yes, I think it makes sense to have some reference to "I click the signup link" if that's how users will be accessing the form. Another question this scenario raises relates to the overall user journey - where will the user be in order to click that link?
To me, this scenario should document that aspect as well.
I'd also recommend keeping non-relevant technical terminology out of scenarios. A scenario should cover the most important aspects of a business rule or user journey from the perspective of the user to whom the user story concerns. Therefore from a user's perspective the term 'redirect' won't mean much and it's not important to them if the page was redirected or if they just followed a plain link.
You may wish consider something along this lines of :
Scenario: sign up
Given I have not yet signed up
And I am on the homepage
When I click the signup link
Then I should be on the signup page

Related

How can multiple pages be model with xstate

I am trying to build a real world application with xstate but I am having trouble with modeling the application startup.
a user can enter the application start by typing the www.ex.com to go the home page
but a user can also enter the application www.ex.com/any-page
can someone give an example of modeling application with multiple pages
a user can be unauthenticated an be on the login page or home page but not secure page
or
a user can be authenticated and be on any page
I want each page to have there own state that is what is prompting the question.
I want each page to have there own state that is what is prompting the question.
Don't think of it that way; at least not at first. Use a data-first approach, such as in this example: https://codesandbox.io/s/xstate-react-back-example-4q2vh
The reason is that each page isn't necessarily a "finite state" - it's just data, and all part of the same state (e.g., "viewing a page"). The best way to think about finite state is as an application's behavior at any given time. Does the behavior change when changing pages? Probably not, so use context instead of finite state.

REST Api an invitation to hackers for injection?

I am new to REST APIs, I am actually not looking for any workarounds, I just need to clear my concept because I know I am missing some very important information which can easily solve my problem.
For E.g I made a small website, let's say using angular.js, where I will list some information or some items.
Consider it as an open website for now, everyone is getting same list. Anyone can come to the page and see the list of items. Simple.
Lets say the URL to this list is
https://www.example.com/api/list/v1
Result returned
1. abc
2. cde
3. efg
4. hij
Perfect!
Now my site got traffic, and I decided to implement user thing on my website, so that every user can only see his own information.
So I changed the rest api url to this:
https://www.example.com/api/list/v1/12345
where 12345 is userid.
The user with the user id came on the website, logged in, and browsed the list, by chance he went to the source of the page, and he found the url to list information.
He copied the url and started to use different user id's, he might get lucky any time.
I am not talking about implementing any type of security up til now, there must be several ways to secure it.
My main concern is that isn't it a large security hole, or we can call it an invitation, for injections?
So I just want to clear my understanding, where I am wrong?
Thanks
This is not some security loophole. This is the way it is supposed to work.
Let's put aside the case of APIs. Consider the simple example::
I have a url: www.example.com/jobs/
This will list all the jobs on my website. No authentication or permission of any sort is required to access this data. I am providing it to every user that visits my website. Now I need a way to figure out if the user visiting my website wants to filter the jobs available on my website. So I provide this option in url kwargs. This will look something like::
www.example.com/jobs/java/
So, now the list will contain the data only for Java jobs. Plain and simple.
Now some day I decide that I will let only the registered users to view Java Jobs. So, I introduce a new check in my View that lets you access the java jobs only if you are logged into my website. Otherwise it redirects you to the login page. Depending on the requirement, you put restrictions on the data being sent to the user.
Same is the case with APIs. If you allow the data to be available to any user that uses the API, there is a flaw with your design and not with the concept of APIs. APIs are just the implementation of your logic.
If you don't want a user with id 12345 to access the data of a user with id 123, you have got to restrict the permissions on the API code. You have got to handle themselves. The API will respond to your code.
Hope this clears out everything.

Using the Login Button plugin to get fb userid BEFORE user Authenticates

So when you put the login button plugin on an app it seems to display the user's friends that are using said app. It displays this even to users that have NOT allowed the app access yet. For example, if you go to "Henry's Cooking App" but have never Logged into the app thru facebook, it will still show you your friends that are using the app.
What I'm trying to do is use this feature to grab an array of fb-userids from the plugin so I can do a query on my DB to show the POTENTIAL user a little more info. For example let's say you have 2 friends that already use "Henry's Cooking App": Joe and Karen. If I could get their userid I could then show you something like "Joe just cooked Veal Scallopini, and Karen is perfecting her Tonkatsu Curry".
I know you could do this easily IF you had the authentication token, but that is only obtained after the user logs in. I'm trying to leverage the fact that fb seems to think it's OK to show your friends that are using the app BEFORE you sign up for the app.
The only super hacky way I could think of to do it is the fact that I could pull the href attribute of elements matching $(".uiFacePileItem a") which gives a link to the user profile which I could then grab the username or UID from. This seems like it could break easily though, anyone have a better idea? Thanks!
The only super hacky way I could think of to do it is the fact that I could pull the href attribute of elements matching $(".uiFacePileItem a") which gives a link to the user profile which I could then grab the username or UID from.
You can’t do that, because the Facebook login dialogs are not running under your domain – so the Same Origin Policy prevents you from interacting with the DOM of these dialogs.
I'm trying to leverage the fact that fb seems to think it's OK to show your friends that are using the app BEFORE you sign up for the app.
Well, it’s certainly (more) OK if Facebook does that – because that doesn’t give any information away to third parties (meaning you as the app developer/provider) – only the user sees that.
It would not be OK if Facebook would let you access this info, at a point where I haven’t even decided to use your app yet – totally a case of „none of your business”.
After I decide to use your app, you may have access to certain information. Before that – No Way, José.

twitter share url forgeting the tweet content after login

I'm trying to add a "share via twitter" link to our website. I'm aware of the standard http://twitter.com/home?status=TWEET method, and it works good enough for my purposes when the user is logged in to twitter already.
If, however, the user is not logged in, twitter displays the login form first (which is only reasonable). After the login, the home screen is displayed without the tweet content.
Am I missing something obvious, or is this a know flaw in this method? If so, what is the easiest way (apart from using services like TweetMeme, which I noticed asks for login in advance) to make the share button work as expected?
If the user is not signed in when accessing http://twitter.com/home?status=TWEET it seems that the status is indeed forgotten. This would be a Twitter website issue and not something you're doing wrong.
Update: Use this URL instead: http://twitter.com/intent/tweet?text=TWEET
TweetMeme, on the other hand, uses its own Twitter "application" via the OAuth authentication, requiring users to log in before retweeting using TweetMeme, and is smart enough to include the tweet message in the OAuth callback URL so that it's not forgotten.
So really, you can:
Use TweetMeme, where the user would have to log in, but at least have the tweet be remembered once that's done;
Create your own Twitter application that uses the same tweeting functionality as TweetMeme; or
Use Twitter.com's less-than-desirable status updater and hope the user is logged in, or hope that they're smart enough to click the back button a couple times and click on your link again if needed.
Just use the following url and parameters
http://twitter.com/share?text=YOUR-TEXT&url=YOUR-URL
Then it works.

should we use a captcha for Sign Up?

I know it's not really a programming question but I don't know where to ask it.
Should i use a captcha in my sign up form ?
Facebook, twitter, foursquare, gowalla etc... don't use one (or not a visible one). Is there an invisible catpcha on theses sites ?
Thank you
UPDATE :
I have found a nice article about it : http://www.smashingmagazine.com/2008/07/08/web-form-design-patterns-sign-up-forms-part-2/
Thanks for your answers
I don't use a captcha for SingingEels, but I do require a valid email address. Users have to confirm their email address by clicking a link sent with a GUID upon creating a new account.
That validates a real human, and also prevents quick sign-ups for spam comments.
There is no need to use captcha code in SignUp page. But as far as security reason is concerned, you need to captcha code where you have any form. Because some one puts a robot for signup in your page at that you have to face a problem with your website. So for this purpose you need to add captcha not only in Signup page but every form you are using in your website.
CAPTCHA helps prevent automated abuse of your site (such as comment spam or bogus registrations)
it is advisable to use additional authenication methods, captcha, email authentication are most advisable.
It is not advisable to use any captcha at all..
Also see;
http://www.interfacegeek.com/dont-ever-use-captchas/