should not allow to can? when raw sql without block is present
This commit is contained in:
parent
1f81b8dd1e
commit
12037d7f43
|
@ -54,7 +54,7 @@ module CanCan
|
||||||
#
|
#
|
||||||
# Also see the RSpec Matchers to aid in testing.
|
# Also see the RSpec Matchers to aid in testing.
|
||||||
def can?(action, subject, *extra_args)
|
def can?(action, subject, *extra_args)
|
||||||
match = relevant_can_definitions(action, subject).detect do |can_definition|
|
match = relevant_can_definitions_for_match(action, subject).detect do |can_definition|
|
||||||
can_definition.matches_conditions?(action, subject, extra_args)
|
can_definition.matches_conditions?(action, subject, extra_args)
|
||||||
end
|
end
|
||||||
match ? match.base_behavior : false
|
match ? match.base_behavior : false
|
||||||
|
@ -225,6 +225,10 @@ module CanCan
|
||||||
relevant_can_definitions(action, subject).any?(&:only_block?)
|
relevant_can_definitions(action, subject).any?(&:only_block?)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def has_raw_sql?(action, subject)
|
||||||
|
relevant_can_definitions(action, subject).any?(&:only_raw_sql?)
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def unauthorized_message_keys(action, subject)
|
def unauthorized_message_keys(action, subject)
|
||||||
|
@ -268,6 +272,14 @@ module CanCan
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def relevant_can_definitions_for_match(action, subject)
|
||||||
|
relevant_can_definitions(action, subject).each do |can_definition|
|
||||||
|
if can_definition.only_raw_sql?
|
||||||
|
raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def relevant_can_definitions_for_query(action, subject)
|
def relevant_can_definitions_for_query(action, subject)
|
||||||
relevant_can_definitions(action, subject).each do |can_definition|
|
relevant_can_definitions(action, subject).each do |can_definition|
|
||||||
if can_definition.only_block?
|
if can_definition.only_block?
|
||||||
|
|
|
@ -56,6 +56,10 @@ module CanCan
|
||||||
conditions_empty? && !@block.nil?
|
conditions_empty? && !@block.nil?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def only_raw_sql?
|
||||||
|
@block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
|
||||||
|
end
|
||||||
|
|
||||||
def conditions_empty?
|
def conditions_empty?
|
||||||
@conditions == {} || @conditions.nil?
|
@conditions == {} || @conditions.nil?
|
||||||
end
|
end
|
||||||
|
|
|
@ -318,6 +318,13 @@ describe CanCan::Ability do
|
||||||
@ability.should have_block(:read, :foo)
|
@ability.should have_block(:read, :foo)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "should know when raw sql is used in conditions" do
|
||||||
|
@ability.can :read, :foo
|
||||||
|
@ability.should_not have_raw_sql(:read, :foo)
|
||||||
|
@ability.can :read, :foo, 'false'
|
||||||
|
@ability.should have_raw_sql(:read, :foo)
|
||||||
|
end
|
||||||
|
|
||||||
it "should raise access denied exception with default message if not specified" do
|
it "should raise access denied exception with default message if not specified" do
|
||||||
begin
|
begin
|
||||||
@ability.authorize! :read, :foo
|
@ability.authorize! :read, :foo
|
||||||
|
|
|
@ -56,4 +56,18 @@ describe CanCan::ActiveRecordAdditions do
|
||||||
stub(@model_class).scoped{|*args| args.inspect}
|
stub(@model_class).scoped{|*args| args.inspect}
|
||||||
@model_class.accessible_by(@ability).should == :found_records
|
@model_class.accessible_by(@ability).should == :found_records
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "should not allow to fetch records when ability with just block present" do
|
||||||
|
@ability.can :read, @model_class do false end
|
||||||
|
lambda {
|
||||||
|
@model_class.accessible_by(@ability)
|
||||||
|
}.should raise_error(CanCan::Error)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should not allow to check ability on object when nonhash sql ability definition without block present" do
|
||||||
|
@ability.can :read, @model_class, ['bar = ?', 1]
|
||||||
|
lambda {
|
||||||
|
@ability.can? :read, @model_class.new
|
||||||
|
}.should raise_error(CanCan::Error)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue
Block a user