Given user A is logged in
When the database is wiped
And user B creates a new account
Then user A may be able to access user B's account
Instead, user A should be redirected to the new account page.
Technical explanation:
Given user A is logged in with a cookies.encrypted[:user_id] of 1
When the users table is truncated
And the Rails secret_key_base is not regenerated
And user B creates an account with a users.id of 1
And user A visits the game page
Then user A will be able to make requests and ActionCable requests as user B because a cookies.encrypted[:user_id] of 1 grants access to the User with id 1.
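
The scenario above, reproduced as an added Ruby example that is not code from this project. `seal`/`unseal` are stand-ins for `cookies.encrypted` built on AES-256-GCM, `UsersTable` and the `session_token` column are hypothetical, and binding the cookie to a per-row random token is one possible fix assumed here, not one the report prescribes.

```ruby
require "openssl"
require "securerandom"
require "json"

# Constructed key: plays the role of a secret_key_base that survives the wipe.
SECRET_KEY = OpenSSL::Digest::SHA256.digest("constructed secret_key_base")

def seal(payload)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = SECRET_KEY
  iv = cipher.random_iv
  ct = cipher.update(JSON.generate(payload)) + cipher.final
  [iv, cipher.auth_tag, ct].map { |part| part.unpack1("H*") }.join(".")
end

def unseal(cookie)
  iv, tag, ct = cookie.split(".").map { |hex| [hex].pack("H*") }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = SECRET_KEY
  cipher.iv = iv
  cipher.auth_tag = tag
  JSON.parse(cipher.update(ct) + cipher.final)
end

# Hypothetical stand-in for the users table; truncate! restarts ids at 1.
class UsersTable
  def initialize; truncate!; end
  def truncate!; @rows = {}; @next_id = 1; end
  def create(name)
    row = { id: @next_id, name: name, session_token: SecureRandom.hex(16) }
    @rows[row[:id]] = row
    @next_id += 1
    row
  end
  def find(id); @rows[id]; end
end

# Lookup as reported: a valid cookie holding id 1 selects whoever owns id 1 now.
def current_user_by_id(users, cookie)
  users.find(unseal(cookie)["user_id"])
end

# Assumed fix: the cookie must also carry the row's random token, else nil (redirect).
def current_user_by_token(users, cookie)
  data = unseal(cookie)
  user = users.find(data["user_id"])
  return nil unless user && data["token"].is_a?(String)
  OpenSSL.secure_compare(user[:session_token], data["token"]) ? user : nil
end
```

With the token check, user A's pre-wipe cookie still decrypts but no longer matches the row that reused id 1, so the lookup returns nil and the caller can redirect to the new account page.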