Solves problem when authorizing new action.
Given two models Category and Projects. A Category has_many projects and Project belongs_to a category. Furthermore, projects are shallow nested resources in a category. Let's say that a user can edit certain category's projects (and only one category can be edited by each user [1]), this is expressed with the following line in Ability model: can :new, :projects, category_id: user.category_id Given the old implementation, we get that any user can 'new' (though not 'create') a project in any category: ```ruby def assign_attributes(resource) resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource initial_attributes.each do |attr_name, value| resource.send("#{attr_name}=", value) end resource end ``` In this case, category_id in project would get overwritten inside the initial_attributes loop and authorization would pass. I consider this a buggy behaviour. [1] User belongs_to a category, and a Category has many users. On the other hand, there might be users without any category. Conflicts: spec/cancan/controller_resource_spec.rb
This commit is contained in:
parent
f1cebde51a
commit
1f7e4c8b6b
|
@ -85,10 +85,11 @@ module CanCan
|
||||||
end
|
end
|
||||||
|
|
||||||
def assign_attributes(resource)
|
def assign_attributes(resource)
|
||||||
resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
|
|
||||||
initial_attributes.each do |attr_name, value|
|
initial_attributes.each do |attr_name, value|
|
||||||
resource.send("#{attr_name}=", value)
|
resource.send("#{attr_name}=", value)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
|
||||||
resource
|
resource
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -284,10 +284,26 @@ describe CanCan::ControllerResource do
|
||||||
CanCan::ControllerResource.new(@controller, :category, :load => true).process
|
CanCan::ControllerResource.new(@controller, :category, :load => true).process
|
||||||
CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category).process
|
CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category).process
|
||||||
project = @controller.instance_variable_get(:@project)
|
project = @controller.instance_variable_get(:@project)
|
||||||
project.new_record?.should eq(true)
|
project.should be_new_record
|
||||||
project.name.should eq('foo')
|
project.name.should eq('foo')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "does not overrides an attribute if it is based on parent resource" do
|
||||||
|
user = double('user')
|
||||||
|
user.should_receive(:category_id).and_return nil
|
||||||
|
@ability = Ability.new user
|
||||||
|
@ability.can :new, :projects, :category_id => user.category_id
|
||||||
|
category = Category.create!
|
||||||
|
@controller.instance_variable_set(:@category, category)
|
||||||
|
|
||||||
|
@params.merge! :action => 'new', :category_id => category.id
|
||||||
|
CanCan::ControllerResource.new(@controller, :category, :load => true).process
|
||||||
|
CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category, :singleton => true).process
|
||||||
|
project = @controller.instance_variable_get(:@project)
|
||||||
|
project.category_id.should_not be_nil
|
||||||
|
project.category.should eq(category)
|
||||||
|
end
|
||||||
|
|
||||||
it "authorizes nested resource through parent association on index action" do
|
it "authorizes nested resource through parent association on index action" do
|
||||||
pending
|
pending
|
||||||
@params.merge!(:action => "index")
|
@params.merge!(:action => "index")
|
||||||
|
|
Loading…
Reference in New Issue
Block a user