The way we test authentication and user permissions in specs is not ideal:
We set up instance variables @current_user and @current_admin which exist only in tests. If we use them we're not actually testing anything.
We stub controller methods for getting logged in users/admins instead of letting them run.
The user factory creates unconfirmed/unactivated users by default, which means if we were actually logging in as such users with Devise in tests, it wouldn't work.
We are already including Devise helpers in our controller specs, we just need to use them.
How to test: none.