From baa1dacc21a837d311ceab494db45ad990067355 Mon Sep 17 00:00:00 2001
From: Ryan Bates
Date: Fri, 25 Mar 2011 17:01:12 -0700
Subject: [PATCH] authorize params passed in create and update action

---
 lib/cancan/controller_resource.rb | 10 +++++++++-
 spec/cancan/controller_resource_spec.rb | 18 +++++++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/lib/cancan/controller_resource.rb b/lib/cancan/controller_resource.rb
index 1f89141..3e63af0 100644
--- a/lib/cancan/controller_resource.rb
+++ b/lib/cancan/controller_resource.rb
@@ -33,7 +33,15 @@ module CanCan
     end
 
     def authorize_resource
-      @controller.authorize!(authorization_action, resource_instance) if resource_instance
+      if resource_instance
+        if @params[name] && (authorization_action == :create || authorization_action == :update)
+          @params[name].each do |key, value|
+            @controller.authorize!(authorization_action, resource_instance, key.to_sym)
+          end
+        else
+          @controller.authorize!(authorization_action, resource_instance)
+        end
+      end
     end
 
     def parent?
diff --git a/spec/cancan/controller_resource_spec.rb b/spec/cancan/controller_resource_spec.rb
index 2e4ce29..5c6bbca 100644
--- a/spec/cancan/controller_resource_spec.rb
+++ b/spec/cancan/controller_resource_spec.rb
@@ -43,7 +43,7 @@ describe CanCan::ControllerResource do
     @controller.instance_variable_get(:@project).should == project
   end
 
-  it "should build a new resource with hash if params[:id] is not specified" do
+  it "should build a new resource with hash if params[:id] is not specified and authorize on each attribute" do
     @params.merge!(:action => "create", :project => {:name => "foobar"})
     resource = CanCan::ControllerResource.new(@controller)
     resource.load_resource
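Review bot: The new branch in `authorize_resource` drops the resource-level check entirely when `@params[name]` is present but empty: `{}` is truthy in Ruby, so the `each` loop runs zero times and `authorize!` is never called for a create or update, whereas the removed line always called it. Guarding the attribute loop on a non-empty hash restores that, e.g. `if @params[name].is_a?(Hash) && !@params[name].empty? && (authorization_action == :create || authorization_action == :update)` (the `is_a?(Hash)` part also keeps a scalar request value from reaching `each`, assuming `@params` carries raw request input). `key.to_sym` is applied to every request-supplied key; on Ruby releases without symbol garbage collection that lets a client allocate symbols without bound, so if the resource class exposes its attribute names it is worth limiting the conversion to keys it recognises. The unused `value` block parameter suggests `@params[name].each_key do |key|` in place of `@params[name].each do |key, value|`.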
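Review bot: The renamed description now promises that this example authorizes on each attribute, but within the hunk its body is unchanged and only builds the resource via `load_resource`; the example's remaining lines are outside the hunk, so if no `authorize!` expectation was added there the title overstates what is tested. The two examples added further down in this file already cover attribute authorization for create and update, so keeping the original wording `it "should build a new resource with hash if params[:id] is not specified" do` would describe the example more accurately.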
@@ -336,6 +336,22 @@ describe CanCan::ControllerResource do
     @controller.instance_variable_get(:@project).should == project
   end
 
+  it "should authorize each new attribute in the create action" do
+    @params.merge!(:action => "create", :project => {:name => "foo"})
+    @controller.instance_variable_set(:@project, :some_project)
+    mock(@controller).authorize!(:create, :some_project, :name)
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.authorize_resource
+  end
+
+  it "should authorize each new attribute in the update action" do
+    @params.merge!(:action => "update", :id => 123, :project => {:name => "foo"})
+    @controller.instance_variable_set(:@project, :some_project)
+    mock(@controller).authorize!(:update, :some_project, :name)
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.authorize_resource
+  end
+
   # it "should raise ImplementationRemoved when adding :name option" do
   #   lambda {
   #     CanCan::ControllerResource.new(@controller, :name => :foo)
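Review bot: Both new examples pass a single-attribute hash and expect exactly one `authorize!` call, so they do not pin the two cases the implementation in `lib/cancan/controller_resource.rb` treats differently: an empty `:project` hash, where the code as written makes no `authorize!` call at all, and a multi-attribute hash, where one call per key is expected. An example for the empty-hash case documents the intended fallback to the plain resource check and would fail against the current implementation, which is the regression worth catching. A multi-attribute variant would additionally show that every key is checked rather than only the first.
```ruby
  it "should still authorize the create action when no attributes are passed" do
    @params.merge!(:action => "create", :project => {})
    @controller.instance_variable_set(:@project, :some_project)
    mock(@controller).authorize!(:create, :some_project)
    resource = CanCan::ControllerResource.new(@controller)
    resource.authorize_resource
  end
```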