A shared example for testing blacklists in controller security.

security_helper.rb

class SecurityHelper
  def self.action_names(controller, opts = {})
    actions = controller.class.public_instance_methods(false).reject{|a| a.to_s.starts_with? '_'}
    actions - Array(opts[:except])
  end

  def self.create_insecure_user(opts = {})
    roles = User.available_roles - Array(opts[:allowed_roles]).map(&:to_s)
    FactoryGirl.create :user, roles: roles
  end
end

shared_examples "a secure controller" do |opts = {}|
  let(:actions) { SecurityHelper.action_names(controller, opts) }
  let(:insecure_user) { SecurityHelper.create_insecure_user(opts) }

  context "without authenticated user" do
    it "doesn't allow access without signing in" do
      sign_out :user
      actions.each do |action|
        get action.to_sym, id: ''
        response.should redirect_to new_user_session_url
      end
    end

    it "denies access to non-allowed roles" do
      actions.each do |action|
        sign_in insecure_user
        get action.to_sym, id: ''
        response.should redirect_to '/'
      end
    end
  end
end


#############################
## SUPPORT CONTROLLER HELP
#############################

shared_examples "a secure support controller" do |controller, opts = {}|
  include_examples "a secure controller", {allowed_roles: [:support]}.merge(opts)
end