require attributes to be checked on create/update action in order to be fully authorized
This commit is contained in:
parent
0f3753491d
commit
488cc2dfdd
|
@ -213,14 +213,18 @@ module CanCan
|
||||||
# See ControllerAdditions#authorize! for documentation.
|
# See ControllerAdditions#authorize! for documentation.
|
||||||
def authorize!(action, subject, *args)
|
def authorize!(action, subject, *args)
|
||||||
message = nil
|
message = nil
|
||||||
if args.last.kind_of?(Hash) && args.last.has_key?(:message)
|
if args.last.kind_of?(Hash)
|
||||||
message = args.pop[:message]
|
message = args.pop[:message]
|
||||||
end
|
end
|
||||||
|
attribute = args.first
|
||||||
if cannot?(action, subject, *args)
|
if cannot?(action, subject, *args)
|
||||||
message ||= unauthorized_message(action, subject)
|
message ||= unauthorized_message(action, subject)
|
||||||
raise AccessDenied.new(message, action, subject)
|
raise AccessDenied.new(message, action, subject)
|
||||||
else
|
else
|
||||||
fully_authorized!(action, subject) unless subject.kind_of?(Symbol) && has_instance_conditions?(action, subject)
|
not_fully_authorized = false
|
||||||
|
not_fully_authorized = true if %w[create update].include?(action.to_s) && attribute.nil? && has_attributes?(action, subject)
|
||||||
|
not_fully_authorized = true if subject.kind_of?(Symbol) && has_instance_conditions?(action, subject)
|
||||||
|
fully_authorized!(action, subject) unless not_fully_authorized
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -252,14 +256,18 @@ module CanCan
|
||||||
relevant_rules(action, subject).any?(&:instance_conditions?)
|
relevant_rules(action, subject).any?(&:instance_conditions?)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def has_attributes?(action, subject)
|
||||||
|
relevant_rules(action, subject).any?(&:attributes?)
|
||||||
|
end
|
||||||
|
|
||||||
def fully_authorized?(action, subject)
|
def fully_authorized?(action, subject)
|
||||||
@fully_authorized ||= []
|
@fully_authorized ||= []
|
||||||
@fully_authorized.include? [action, subject]
|
@fully_authorized.include? [action.to_sym, subject.to_sym]
|
||||||
end
|
end
|
||||||
|
|
||||||
def fully_authorized!(action, subject)
|
def fully_authorized!(action, subject)
|
||||||
@fully_authorized ||= []
|
@fully_authorized ||= []
|
||||||
@fully_authorized << [action, subject]
|
@fully_authorized << [action.to_sym, subject.to_sym]
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
|
@ -51,6 +51,10 @@ module CanCan
|
||||||
@block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
|
@block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def attributes?
|
||||||
|
@attributes.present?
|
||||||
|
end
|
||||||
|
|
||||||
def instance_conditions?
|
def instance_conditions?
|
||||||
@block || !conditions_empty?
|
@block || !conditions_empty?
|
||||||
end
|
end
|
||||||
|
|
|
@ -235,7 +235,7 @@ describe CanCan::Ability do
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
# Sufficient Check
|
# Checking if Fully Authorized
|
||||||
|
|
||||||
it "is not fully authorized when no authorize! call is made" do
|
it "is not fully authorized when no authorize! call is made" do
|
||||||
@ability.can :update, :ranges, :begin => 1
|
@ability.can :update, :ranges, :begin => 1
|
||||||
|
@ -269,11 +269,23 @@ describe CanCan::Ability do
|
||||||
@ability.should_not be_fully_authorized(:update, :ranges)
|
@ability.should_not be_fully_authorized(:update, :ranges)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "is not fully authorized when attributes are required but not checked on in update/destroy actions" do
|
it "is not fully authorized when attributes are required but not checked in update/create actions" do
|
||||||
pending
|
@ability.can :access, :users, :name
|
||||||
@ability.can :update, :users, :name
|
|
||||||
@ability.authorize! :update, :users
|
@ability.authorize! :update, :users
|
||||||
@ability.should_not be_fully_authorized(:update, :users)
|
@ability.should_not be_fully_authorized(:update, :users)
|
||||||
|
@ability.authorize! :create, :users
|
||||||
|
@ability.should_not be_fully_authorized(:create, :users)
|
||||||
|
@ability.authorize! :destroy, :users
|
||||||
|
@ability.should be_fully_authorized(:destroy, :users)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "marks as fully authorized when authorizing with strings instead of symbols" do
|
||||||
|
@ability.fully_authorized! "update", "ranges"
|
||||||
|
@ability.should be_fully_authorized(:update, :ranges)
|
||||||
|
@ability.should be_fully_authorized("update", "ranges")
|
||||||
|
@ability.can :update, :users
|
||||||
|
@ability.authorize! "update", "users"
|
||||||
|
@ability.should be_fully_authorized(:update, :users)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user