only use the :read action when authorizing parent resources
parent
25a1c553bf
commit
156839b73e
@ -1,3 +1,5 @@
* Parent resources are now authorized with :read action.
* Changing :resource option in load/authorize_resource back to :class with ability to pass false
* Changing :resource option in load/authorize_resource back to :class with ability to pass false
* Removing :nested option in favor of :through option with separate load/authorize call
* Removing :nested option in favor of :through option with separate load/authorize call
@ -30,7 +30,7 @@ module CanCan
end
end
def authorize_resource
def authorize_resource
@controller.authorize!(@params[:action].to_sym, resource_instance || resource_class)
@controller.authorize!(authorization_action, resource_instance || resource_class)
end
end
def parent?
def parent?
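Review bot: With `authorization_action` returning `:read` for parents, the fallback `resource_instance || resource_class` means a parent whose id param is absent is checked as `authorize!(:read, ParentClass)` — a class-level read check — instead of an instance check on the real parent; from the `elsif id_param` branch in the next hunk `load_resource_instance` does return nil in that case, though how `resource_instance` memoizes it is outside this hunk. A parent reached through a nested route should always carry its id, so a silent downgrade to class-level authorization is a surprising place for a misconfigured route to end up. Consider at least documenting it at the call site, e.g. `# a parent with no id param is only authorized at class level`, or raising when `parent?` is true and `resource_instance` is nil. The enclosing class continues outside the hunk.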
@ -41,14 +41,14 @@ module CanCan
def load_resource_instance
def load_resource_instance
if !parent? && new_actions.include?(@params[:action].to_sym)
if !parent? && new_actions.include?(@params[:action].to_sym)
resource_base.kind_of?(Class) ? resource_base.new(attributes) : resource_base.build(attributes)
resource_base.kind_of?(Class) ? resource_base.new(@params[name.to_sym]) : resource_base.build(@params[name.to_sym])
elsif id_param
elsif id_param
resource_base.find(id_param)
resource_base.find(id_param)
end
end
end
end
def attributes
def authorization_action
@params[name.to_sym]
parent? ? :read : @params[:action].to_sym
end
end
def id_param
def id_param
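Review bot: `authorization_action` is the security-relevant decision of this commit and carries no comment: every parent resource is checked with `:read` whatever the request's action, so an ability granting only `read` on the parent is sufficient for any child action the child ability permits, and a reader expecting the parent to be checked with the child's action will not see that from the code. Suggest `# Parents are only ever checked for :read; the request's action applies to the final (non-parent) resource.` above the method. `@params[:action].to_sym` is carried over from the old code; symbols are never freed on the Ruby versions of this era, so if any route lets the client choose `:action` (a catch-all `:controller/:action` route) this grows the symbol table without bound — worth confirming against the application's routes rather than changing here. The mass assignment of `@params[name.to_sym]` in `load_resource_instance` is likewise unchanged by this commit and presumably relies on the model's own attribute protection.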
@ -137,6 +137,13 @@ describe CanCan::ControllerResource do
@controller.instance_variable_get(:@ability).should == :some_ability
@controller.instance_variable_get(:@ability).should == :some_ability
end
end
it "should only authorize :read action on parent resource" do
stub(Person).find(123) { :some_person }
stub(@controller).authorize!(:read, :some_person) { raise CanCan::AccessDenied }
resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "new", :person_id => 123}, :person)
lambda { resource.load_and_authorize_resource }.should raise_error(CanCan::AccessDenied)
end
it "should load the model using a custom class" do
it "should load the model using a custom class" do
stub(Person).find(123) { :some_resource }
stub(Person).find(123) { :some_resource }
resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => Person})
resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => Person})
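Review bot: The new example only covers the denial path; nothing asserts that once the parent `:read` check passes, the child is still authorized with the request's own action (`:new` here), which is the other half of what the commit promises and the case a regression in `authorization_action` would break. A second example stubbing `authorize!(:read, :some_person)` to return normally and expecting the child's own `authorize!(:new, …)` call would pin that. The spec also passes `:person` with no explicit parent option, so it relies on `parent?` inferring parent status from the name/controller mismatch — that logic lies outside this diff, so a one-line comment on the example saying why `:person` counts as a parent would help the next reader.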
@ -148,7 +155,6 @@ describe CanCan::ControllerResource do
stub(@controller).authorize!(:show, :ability) { raise CanCan::AccessDenied }
stub(@controller).authorize!(:show, :ability) { raise CanCan::AccessDenied }
resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => false})
resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => false})
lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
end
end
it "should raise ImplementationRemoved when adding :name option" do
it "should raise ImplementationRemoved when adding :name option" do