3

Given a system with static permissions (1 permission for every action that can be made: create a resource, update a resource, etc.), and dynamic roles (they can be created and have permissions assigned to them dynamically).

The system has a preconfigured set of roles with the purpose of initial setup and/or testing. These can be deleted or modified after the initial setup, hence "dynamic".

When acting as a user with one of these preconfigured roles on a [functional/acceptance] test to assert a use case works properly, do tests that assert a user with a role that does not have the permission to execute that use case have any value?

Christopher Francisco

3 Answers

9

Yes. It tests that the roles are taken into account when checking for permission.

It also tests that the permissions for the role are set up correctly.

Note that these are unit-testing the permission system, not whatever the operation with the permission is. So the tests will be creating a role and changing the permissions and testing a (mocked) operation to see if the permission is actually taken into account.

Having said that, a duo of tests (one with the permission and one without the permission) for each operation to make sure the permission is wired correctly for that operation is also of value.

ratchet freak
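
The pair of tests described in the answer above, as an added example that is not part of the original post: a role is created, edited and deleted at runtime, and a mocked operation records whether the permission check let the call through. `RoleStore`, `guarded`, `attempt_update` and the role names are hypothetical, chosen for the illustration.

```python
from enum import Enum
from unittest.mock import Mock

class Permission(Enum):  # static: one permission per action (illustrative names)
    CREATE_RESOURCE = "create_resource"
    UPDATE_RESOURCE = "update_resource"

class PermissionDenied(Exception): pass

class RoleStore:  # dynamic roles: created, edited and deleted at runtime
    def __init__(self):
        self._roles = {}
    def set_role(self, name, permissions):
        self._roles[name] = frozenset(permissions)
    def delete_role(self, name):
        self._roles.pop(name, None)
    def allows(self, role, permission):
        return permission in self._roles.get(role, frozenset())  # deny by default

def guarded(store, permission, operation):
    """Run `operation` only if the caller's role holds `permission`."""
    def call(role, *args):
        if not store.allows(role, permission):
            raise PermissionDenied(f"{role} lacks {permission.value}")
        return operation(*args)
    return call

def attempt_update(store, role):
    """Return (allowed, times the mocked operation actually ran)."""
    operation = Mock(return_value="updated")
    update = guarded(store, Permission.UPDATE_RESOURCE, operation)
    try:
        update(role, "resource-1")
        return True, operation.call_count
    except PermissionDenied:
        return False, operation.call_count

def test_update_permission_pair():
    store = RoleStore()
    store.set_role("editor", {Permission.UPDATE_RESOURCE})
    store.set_role("viewer", {Permission.CREATE_RESOURCE})
    assert attempt_update(store, "editor") == (True, 1)   # with the permission
    assert attempt_update(store, "viewer") == (False, 0)  # without it
    store.set_role("editor", set())                       # role edited at runtime
    assert attempt_update(store, "editor") == (False, 0)
    store.delete_role("viewer")                           # role deleted at runtime
    assert attempt_update(store, "viewer") == (False, 0)

if __name__ == "__main__":
    test_update_permission_pair()
```

The negative cases assert that the mocked operation ran zero times, so a check that raises only after the side effect has happened would still fail the test.
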
2

I'm a user of my company's payroll system. I can see my salary payment, but I cannot edit it. Do you think a test that makes sure I cannot edit my salary is useful? Knowing that the test fails would be very valuable to the company (and probably lead to a bit of panic).

gnasher729
1

I don't know that this question has a hard yes/no answer. But here goes.

  • Are you testing the system or just your code implementation? If you want to test the whole system, then this sounds like a valid and valuable integration test. If you are only testing your new code then you will want to create unit tests that only test your new logic. See next steps...
  • It sounds like your system already has static permissions that prevent users from doing certain tasks. If that is the role of the system and not your application, I would not include that as a unit test.
  • Does your application include logic to check permissions before executing code? If your code contains logic to check permissions, and your code is responsible for blocking those actions, then yes, that test has value and I would include it.
Gregor