I have a question about testing coverage. I'm developing a basic CRUD application that has certain access rules. Authenticated users can create/edit forms, and allow other users either edit or view access to a form. What I'm wondering is should I write a feature test for every possible authorisation scenario, i.e:
- A guest can't edit a form
- A user can edit their own form
- A user can't edit another user's form
- A user can edit another user's form they have 'edit' access to
- A user can't edit another user's form they have 'view' access to
These will then need to be written for every feature, such as deleting a form, viewing the form's responses etc.
Do these all need to be included to ensure that authorisation is applied at the right level for every feature? Or should just the basic functionality be feature tested (i.e. a user can edit their form), and then have a unit test to check the authorisation middleware and trust that's enough?
Edit: I know how to add the authorisation I need, I'm just asking whether or not to test it at every level.
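The five edit scenarios listed in the post can be written as one table-driven check that is reused for each feature. This is an added example, not part of the original post: `Form`, `can_edit`, `can_edit_broken`, `failures` and the user names are hypothetical, and the broken variant is included only to show which row of the matrix catches a view/edit mix-up.

```python
from dataclasses import dataclass, field


@dataclass
class Form:
    owner: str
    shares: dict = field(default_factory=dict)  # user -> "edit" | "view"


# Constructed fixture: alice owns the form, bob has 'edit', carol has 'view'.
FORM = Form(owner="alice", shares={"bob": "edit", "carol": "view"})

# The five scenarios from the post as (description, user, expected_can_edit).
# None stands for a guest (unauthenticated request).
EDIT_MATRIX = [
    ("guest", None, False),
    ("owner", "alice", True),
    ("unrelated user", "dave", False),
    ("shared with 'edit'", "bob", True),
    ("shared with 'view'", "carol", False),
]


def can_edit(user, form):
    """Hypothetical policy: owner or an explicit 'edit' share."""
    if user is None:
        return False
    return user == form.owner or form.shares.get(user) == "edit"


def can_edit_broken(user, form):
    """Deliberate defect: any share, including 'view', grants edit."""
    if user is None:
        return False
    return user == form.owner or user in form.shares


def failures(check, matrix=EDIT_MATRIX, form=FORM):
    """Return the descriptions of every scenario where check() disagrees."""
    return [desc for desc, user, expected in matrix
            if check(user, form) != expected]


if __name__ == "__main__":
    print("correct policy:", failures(can_edit))
    print("broken policy: ", failures(can_edit_broken))
```

The same matrix shape can be pointed at each feature's entry point (delete, view responses) by swapping the `check` callable and the expected column for that action.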