I read that controller specs are going out of favor and that the current recommendation is to use feature and request specs. I've found feature specs have been working really well for happy path testing, but I'm having some difficulty with exceptional cases I want to test. For instance I have an index of resources owned by a user. This list includes buttons to destroy each resource. Users only see their own resources. I want to add a test that attempting to destroy one that belongs to someone else fails. The problem is that the list won't include anybody else's items so there isn't an appropriate link to tell capybara to click. In a controller test I could directly issue a DELETE on the resource's path, but as best I can tell that is not an option in feature specs. Am I missing something? Do I need to implement request specs too if I want coverage outside the happy path? I was hoping to reserve request specs for covering my API endpoints.
From my point of view, permission specs should NOT be implemented as feature specs. Your thoughts fully makes sense and the only one thing you can really check there is that you DON'T see any entities, that were made by other users. Your logical difficulties is like +1 point, that such scenarios should be tested via another spec types. Also... feature specs are expensive and I would never do such 'deep' test in features.