Merge pull request #754 from Serabe/new_authorization_bug

Solves problem when authorizing new action.

lib/cancan/controller_resource.rb

@@ -85,10 +85,11 @@ module CanCan
     end
 
     def assign_attributes(resource)
-      resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
       initial_attributes.each do |attr_name, value|
         resource.send("#{attr_name}=", value)
       end
+
+      resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
       resource
     end
 

spec/cancan/controller_resource_spec.rb

@@ -284,10 +284,26 @@ describe CanCan::ControllerResource do
     CanCan::ControllerResource.new(@controller, :category, :load => true).process
     CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category).process
     project = @controller.instance_variable_get(:@project)
-    project.new_record?.should eq(true)
+    project.should be_new_record
     project.name.should eq('foo')
   end
 
+  it "does not overrides an attribute if it is based on parent resource" do
+    user = double('user')
+    user.should_receive(:category_id).and_return nil
+    @ability = Ability.new user
+    @ability.can :new, :projects, :category_id => user.category_id
+    category = Category.create!
+    @controller.instance_variable_set(:@category, category)
+
+    @params.merge! :action => 'new', :category_id => category.id
+    CanCan::ControllerResource.new(@controller, :category, :load => true).process
+    CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category, :singleton => true).process
+    project = @controller.instance_variable_get(:@project)
+    project.category_id.should_not be_nil
+    project.category.should eq(category)
+  end
+
   it "authorizes nested resource through parent association on index action" do
     pending
     @params.merge!(:action => "index")