require attributes to be checked on create/update action in order to be fully authorized

lib/cancan/ability.rb

@@ -213,14 +213,18 @@ module CanCan
     # See ControllerAdditions#authorize! for documentation.
     def authorize!(action, subject, *args)
       message = nil
-      if args.last.kind_of?(Hash) && args.last.has_key?(:message)
+      if args.last.kind_of?(Hash)
         message = args.pop[:message]
       end
+      attribute = args.first
       if cannot?(action, subject, *args)
         message ||= unauthorized_message(action, subject)
         raise AccessDenied.new(message, action, subject)
       else
-        fully_authorized!(action, subject) unless subject.kind_of?(Symbol) && has_instance_conditions?(action, subject)
+        not_fully_authorized = false
+        not_fully_authorized = true if %w[create update].include?(action.to_s) && attribute.nil? && has_attributes?(action, subject)
+        not_fully_authorized = true if subject.kind_of?(Symbol) && has_instance_conditions?(action, subject)
+        fully_authorized!(action, subject) unless not_fully_authorized
       end
     end
 
@@ -252,14 +256,18 @@ module CanCan
       relevant_rules(action, subject).any?(&:instance_conditions?)
     end
 
+    def has_attributes?(action, subject)
+      relevant_rules(action, subject).any?(&:attributes?)
+    end
+
     def fully_authorized?(action, subject)
       @fully_authorized ||= []
-      @fully_authorized.include? [action, subject]
+      @fully_authorized.include? [action.to_sym, subject.to_sym]
     end
 
     def fully_authorized!(action, subject)
       @fully_authorized ||= []
-      @fully_authorized << [action, subject]
+      @fully_authorized << [action.to_sym, subject.to_sym]
     end
 
     private

lib/cancan/rule.rb

@@ -51,6 +51,10 @@ module CanCan
       @block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
     end
 
+    def attributes?
+      @attributes.present?
+    end
+
     def instance_conditions?
       @block || !conditions_empty?
     end

spec/cancan/ability_spec.rb

@@ -235,7 +235,7 @@ describe CanCan::Ability do
   end
 
 
-  # Sufficient Check
+  # Checking if Fully Authorized
 
   it "is not fully authorized when no authorize! call is made" do
     @ability.can :update, :ranges, :begin => 1
@@ -269,11 +269,23 @@ describe CanCan::Ability do
     @ability.should_not be_fully_authorized(:update, :ranges)
   end
 
-  it "is not fully authorized when attributes are required but not checked on in update/destroy actions" do
-    pending
-    @ability.can :update, :users, :name
+  it "is not fully authorized when attributes are required but not checked in update/create actions" do
+    @ability.can :access, :users, :name
     @ability.authorize! :update, :users
     @ability.should_not be_fully_authorized(:update, :users)
+    @ability.authorize! :create, :users
+    @ability.should_not be_fully_authorized(:create, :users)
+    @ability.authorize! :destroy, :users
+    @ability.should be_fully_authorized(:destroy, :users)
+  end
+
+  it "marks as fully authorized when authorizing with strings instead of symbols" do
+    @ability.fully_authorized! "update", "ranges"
+    @ability.should be_fully_authorized(:update, :ranges)
+    @ability.should be_fully_authorized("update", "ranges")
+    @ability.can :update, :users
+    @ability.authorize! "update", "users"
+    @ability.should be_fully_authorized(:update, :users)
   end