Solves problem when authorizing new action.

Given two models Category and Projects. A Category has_many
projects and Project belongs_to a category. Furthermore,
projects are shallow nested resources in a category.

Let's say that a user can edit certain category's projects
(and only one category can be edited by each user [1]), this is
expressed with the following line in Ability model:

can :new, :projects, category_id: user.category_id

Given the old implementation, we get that any user can 'new'
(though not 'create') a project in any category:

```ruby
def assign_attributes(resource)
  resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
  initial_attributes.each do |attr_name, value|
    resource.send("#{attr_name}=", value)
  end
  resource
end
```

In this case, category_id in project would get overwritten
inside the initial_attributes loop and authorization would pass.
I consider this a buggy behaviour.

[1] User belongs_to a category, and a Category has many
users. On the other hand, there might be users without
any category.

Conflicts:
	spec/cancan/controller_resource_spec.rb
This commit is contained in:
Sergio Arbeo 2012-10-04 19:52:28 +02:00
parent f1cebde51a
commit 1f7e4c8b6b
2 changed files with 19 additions and 2 deletions

View File

@ -85,10 +85,11 @@ module CanCan
end end
def assign_attributes(resource) def assign_attributes(resource)
resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
initial_attributes.each do |attr_name, value| initial_attributes.each do |attr_name, value|
resource.send("#{attr_name}=", value) resource.send("#{attr_name}=", value)
end end
resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
resource resource
end end

View File

@ -284,10 +284,26 @@ describe CanCan::ControllerResource do
CanCan::ControllerResource.new(@controller, :category, :load => true).process CanCan::ControllerResource.new(@controller, :category, :load => true).process
CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category).process CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category).process
project = @controller.instance_variable_get(:@project) project = @controller.instance_variable_get(:@project)
project.new_record?.should eq(true) project.should be_new_record
project.name.should eq('foo') project.name.should eq('foo')
end end
it "does not overrides an attribute if it is based on parent resource" do
user = double('user')
user.should_receive(:category_id).and_return nil
@ability = Ability.new user
@ability.can :new, :projects, :category_id => user.category_id
category = Category.create!
@controller.instance_variable_set(:@category, category)
@params.merge! :action => 'new', :category_id => category.id
CanCan::ControllerResource.new(@controller, :category, :load => true).process
CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category, :singleton => true).process
project = @controller.instance_variable_get(:@project)
project.category_id.should_not be_nil
project.category.should eq(category)
end
it "authorizes nested resource through parent association on index action" do it "authorizes nested resource through parent association on index action" do
pending pending
@params.merge!(:action => "index") @params.merge!(:action => "index")