authorize params passed in create and update action

Ryan Bates 2011-03-25 17:01:12 -07:00
parent f41b39406c
commit baa1dacc21
2 changed files with 26 additions and 2 deletions


@ -33,7 +33,15 @@ module CanCan
end end
def authorize_resource def authorize_resource
@controller.authorize!(authorization_action, resource_instance) if resource_instance if resource_instance
if @params[name] && (authorization_action == :create || authorization_action == :update)
@params[name].each do |key, value|
@controller.authorize!(authorization_action, resource_instance, key.to_sym)
end
else
@controller.authorize!(authorization_action, resource_instance)
end
end
end end
def parent? def parent?
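Review bot: When `@params[name]` is present but has no keys (for example an empty `project` hash) on `:create` or `:update`, the `each` loop in `authorize_resource` runs zero times and `authorize!` is never called, so the resource goes through this method with no authorization check at all. Make the resource-level check unconditional by keeping `@controller.authorize!(authorization_action, resource_instance)` ahead of the branch, and run the per-attribute calls in addition, guarded as `@params[name].each_key { |key| ... } if @params[name].respond_to?(:each_key)`. That guard also covers a string or array arriving under that key, which would otherwise reach `each` with a two-argument block. Separately, `key.to_sym` is applied to request-supplied keys, and on Ruby versions that never garbage-collect symbols this lets a client grow the symbol table without bound. Passing the key through as a string, or checking it against the model's known attributes before converting, would avoid that; whether `authorize!` accepts a string attribute is not visible here.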


@ -43,7 +43,7 @@ describe CanCan::ControllerResource do
@controller.instance_variable_get(:@project).should == project @controller.instance_variable_get(:@project).should == project
end end
it "should build a new resource with hash if params[:id] is not specified" do it "should build a new resource with hash if params[:id] is not specified and authorize on each attribute" do
@params.merge!(:action => "create", :project => {:name => "foobar"}) @params.merge!(:action => "create", :project => {:name => "foobar"})
resource = CanCan::ControllerResource.new(@controller) resource = CanCan::ControllerResource.new(@controller)
resource.load_resource resource.load_resource
@ -336,6 +336,22 @@ describe CanCan::ControllerResource do
@controller.instance_variable_get(:@project).should == project @controller.instance_variable_get(:@project).should == project
end end
it "should authorize each new attribute in the create action" do
@params.merge!(:action => "create", :project => {:name => "foo"})
@controller.instance_variable_set(:@project, :some_project)
mock(@controller).authorize!(:create, :some_project, :name)
resource = CanCan::ControllerResource.new(@controller)
resource.authorize_resource
end
it "should authorize each new attribute in the update action" do
@params.merge!(:action => "update", :id => 123, :project => {:name => "foo"})
@controller.instance_variable_set(:@project, :some_project)
mock(@controller).authorize!(:update, :some_project, :name)
resource = CanCan::ControllerResource.new(@controller)
resource.authorize_resource
end
# it "should raise ImplementationRemoved when adding :name option" do # it "should raise ImplementationRemoved when adding :name option" do
# lambda { # lambda {
# CanCan::ControllerResource.new(@controller, :name => :foo) # CanCan::ControllerResource.new(@controller, :name => :foo)
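Review bot: The two new specs pin only the single-attribute case; nothing covers a `:project => {}` payload, a hash with several attributes, or an action other than create/update taking the resource-level path. The empty-hash case matters most, because with the code in this commit it produces no `authorize!` call at all, so the spec below would fail today and records the expected behaviour. Also, the spec renamed in the first hunk now reads "and authorize on each attribute" while its visible lines only call `load_resource`; its body continues outside the hunk, so confirm it actually asserts authorization or restore the old name.

```ruby
it "should still authorize the resource when the attribute hash is empty" do
  @params.merge!(:action => "create", :project => {})
  @controller.instance_variable_set(:@project, :some_project)
  mock(@controller).authorize!(:create, :some_project)
  resource = CanCan::ControllerResource.new(@controller)
  resource.authorize_resource
end
```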