refactor vulnerabilities so that users can turn them from failing to passing

spec/vulnerabilities/url_access_spec.rb

@@ -2,16 +2,19 @@
 require "spec_helper"
 
 feature "url access" do
+  let(:normal_user) { UserFixture.normal_user }
+
   before do
     UserFixture.reset_all_users
-    @normal_user = UserFixture.normal_user
+
+    pending unless verifying_fixed?
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)", js: true do
-    login @normal_user
+    login(normal_user)
 
     visit "/admin/1/dashboard"
-    pending if verifying_fixed?
-    expect(current_path).to eq("/admin/1/dashboard")
+
+    expect(current_path).to eq("/")
   end
 end