diff --git a/lib/cancan/ability.rb b/lib/cancan/ability.rb index 0d953bc..0730b61 100644 --- a/lib/cancan/ability.rb +++ b/lib/cancan/ability.rb @@ -219,6 +219,8 @@ module CanCan if cannot?(action, subject, *args) message ||= unauthorized_message(action, subject) raise AccessDenied.new(message, action, subject) + else + fully_authorized!(action, subject) unless subject.kind_of?(Symbol) && has_instance_conditions?(action, subject) end end @@ -246,6 +248,20 @@ module CanCan relevant_rules(action, subject).any?(&:only_raw_sql?) end + def has_instance_conditions?(action, subject) + relevant_rules(action, subject).any?(&:instance_conditions?) + end + + def fully_authorized?(action, subject) + @fully_authorized ||= [] + @fully_authorized.include? [action, subject] + end + + def fully_authorized!(action, subject) + @fully_authorized ||= [] + @fully_authorized << [action, subject] + end + private def unauthorized_message_keys(action, subject) diff --git a/lib/cancan/rule.rb b/lib/cancan/rule.rb index 9c22b27..8d32bfb 100644 --- a/lib/cancan/rule.rb +++ b/lib/cancan/rule.rb @@ -51,6 +51,10 @@ module CanCan @block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash) end + def instance_conditions? + @block || !conditions_empty? + end + def conditions_empty? @conditions == {} || @conditions.nil? end diff --git a/spec/cancan/ability_spec.rb b/spec/cancan/ability_spec.rb index 35a97fd..423fb60 100644 --- a/spec/cancan/ability_spec.rb +++ b/spec/cancan/ability_spec.rb @@ -235,6 +235,48 @@ describe CanCan::Ability do end + # Sufficient Check + + it "is not fully authorized when no authorize! call is made" do + @ability.can :update, :ranges, :begin => 1 + @ability.can?(:update, :ranges).should be_true + @ability.should_not be_fully_authorized(:update, :ranges) + end + + it "is fully authorized when calling authorize! with a matching action and subject" do + @ability.can :update, :ranges + @ability.authorize! :update, :ranges + @ability.should be_fully_authorized(:update, :ranges) + @ability.should_not be_fully_authorized(:create, :ranges) + end + + it "is fully authorized when marking action and subject as such" do + @ability.fully_authorized! :update, :ranges + @ability.should be_fully_authorized(:update, :ranges) + end + + it "is not fully authorized when a conditions hash exists but no instance is used" do + @ability.can :update, :ranges, :begin => 1 + @ability.authorize! :update, :ranges + @ability.should_not be_fully_authorized(:update, :ranges) + end + + it "is not fully authorized when a block exists but no instance is used" do + @ability.can :update, :ranges do |range| + range.begin == 1 + end + @ability.authorize! :update, :ranges + @ability.should_not be_fully_authorized(:update, :ranges) + end + + it "is not fully authorized when attributes are required but not checked on in update/destroy actions" do + pending + @ability.can :update, :users, :name + @ability.authorize! :update, :users + @ability.should_not be_fully_authorized(:update, :users) + end + + # Cannot it "offers cannot? method which inverts can?" do