From 27eba72e4b782b1a05d1f8f12293125b3d56b643 Mon Sep 17 00:00:00 2001
From: Ryan Bates
Date: Fri, 25 Mar 2011 16:34:13 -0700
Subject: [PATCH] mark index action as fully authorized when fetching records through accessible_by
---
 lib/cancan/controller_resource.rb | 1 +
 spec/cancan/controller_resource_spec.rb | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/cancan/controller_resource.rb b/lib/cancan/controller_resource.rb
index 9361da0..3703b6b 100644
--- a/lib/cancan/controller_resource.rb
+++ b/lib/cancan/controller_resource.rb
@@ -28,6 +28,7 @@ module CanCan
 self.resource_instance ||= load_resource_instance
 elsif load_collection?
 self.collection_instance ||= load_collection
+ current_ability.fully_authorized! @params[:action], @params[:controller]
 end
 end
diff --git a/spec/cancan/controller_resource_spec.rb b/spec/cancan/controller_resource_spec.rb
index 5c5311c..739c0a0 100644
--- a/spec/cancan/controller_resource_spec.rb
+++ b/spec/cancan/controller_resource_spec.rb
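Review bot: In lib/cancan/controller_resource.rb the new `fully_authorized!` call runs on every pass through the `elsif load_collection?` branch, even when `self.collection_instance ||= load_collection` short-circuits because a collection was already set. In that case the records did not come from `load_collection`, yet the action is still recorded as fully authorized, which would presumably satisfy any later check that relies on that mark. Tie the mark to the load itself, for example `self.collection_instance ||= load_collection.tap { current_ability.fully_authorized! @params[:action], @params[:controller] }`. The mark is keyed only on action and controller name, so a comment stating that it vouches for this one collection and not for other records the action exposes would help; the enclosing method starts outside the hunk.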
@@ -66,21 +66,23 @@ describe CanCan::ControllerResource do
 @controller.instance_variable_get(:@project).name.should == "from params"
 end
- it "should build a collection when on index action when class responds to accessible_by" do
+ it "should build a collection when on index action when class responds to accessible_by and mark ability as fully authorized" do
 stub(Project).accessible_by(@ability, :index) { :found_projects }
 @params[:action] = "index"
 resource = CanCan::ControllerResource.new(@controller, :project)
 resource.load_resource
 @controller.instance_variable_get(:@project).should be_nil
 @controller.instance_variable_get(:@projects).should == :found_projects
+ @ability.should be_fully_authorized(:index, :projects)
 end
- it "should not build a collection when on index action when class does not respond to accessible_by" do
+ it "should not build a collection when on index action when class does not respond to accessible_by and not mark ability as fully authorized" do
 @params[:action] = "index"
 resource = CanCan::ControllerResource.new(@controller)
 resource.load_resource
 @controller.instance_variable_get(:@project).should be_nil
 @controller.instance_variable_defined?(:@projects).should be_false
+ @ability.should_not be_fully_authorized(:index, :projects)
 end
 it "should not use accessible_by when defining abilities through a block" do
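Review bot: Neither updated example covers the path where `@projects` is already assigned before `load_resource` runs, which is the one case where the `||=` in the library change skips `load_collection` while the authorization mark is still applied. An example along the lines below would pin the intended behaviour; it assumes, as the existing examples suggest, that the resource reads its collection from the controller's `@projects` variable. The positive example also depends on `@params[:controller]` being set in setup code outside this hunk, so it is worth confirming that the value corresponds to `:projects`.

```ruby
it "should not mark ability as fully authorized when the collection was already set" do
  stub(Project).accessible_by(@ability, :index) { :found_projects }
  @params[:action] = "index"
  @controller.instance_variable_set(:@projects, :preset_projects)
  resource = CanCan::ControllerResource.new(@controller, :project)
  resource.load_resource
  @controller.instance_variable_get(:@projects).should == :preset_projects
  @ability.should_not be_fully_authorized(:index, :projects)
end
```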