refactor vulnerabilities so that users can turn them from failing to passing

spec/vulnerabilities/mass_assignment_spec.rb

@@ -2,37 +2,37 @@
 require "spec_helper"
 
 feature "mass assignment" do
+  let(:normal_user) { UserFixture.normal_user }
+
   before do
     UserFixture.reset_all_users
-    @normal_user = UserFixture.normal_user
+    pending unless verifying_fixed?
   end
 
   scenario "attack one" do
-    expect(@normal_user.admin).to be_falsey
+    expect(normal_user.admin).to be_falsey
+    login(normal_user)
 
-    login(@normal_user)
+    params = { user: { admin: "t",
+                        user_id: normal_user.user_id,
+                        password: normal_user.clear_password,
+                        password_confirmation: normal_user.clear_password }}
 
-    params = { user:  { admin: "t",
-                        id: @normal_user.id,
-                        password: @normal_user.clear_password,
-                        password_confirmation: @normal_user.clear_password}}
-    page.driver.put "/users/#{@normal_user.id}.json", params
+    page.driver.put "/users/#{normal_user.user_id}.json", params
 
-    pending if verifying_fixed?
-    expect(@normal_user.reload.admin).to be_truthy
+    expect(normal_user.reload.admin).to be_falsy
   end
 
   scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
-    params = {user: {admin: "t",
+    params = { user: {  admin: "t",
                         email: "hackety@h4x0rs.c0m",
                         first_name: "hackety",
                         last_name: "hax",
                         password: "foobarewe",
-                        password_confirmation: "foobarewe"}}
+                        password_confirmation: "foobarewe" }}
+
     page.driver.post "/users", params
 
-    pending if verifying_fixed?
-    expect(User.last.email).to eq("hackety@h4x0rs.c0m")
-    expect(User.last.admin).to be_truthy
+    expect(User.find_by(email: "hackety@h4x0rs.c0m")).to be_nil
   end
 end