authorize params passed in create and update action
parent
f41b39406c
commit
baa1dacc21
|
@ -33,7 +33,15 @@ module CanCan
|
|||
end
|
||||
|
||||
def authorize_resource
|
||||
@controller.authorize!(authorization_action, resource_instance) if resource_instance
|
||||
if resource_instance
|
||||
if @params[name] && (authorization_action == :create || authorization_action == :update)
|
||||
@params[name].each do |key, value|
|
||||
@controller.authorize!(authorization_action, resource_instance, key.to_sym)
|
||||
end
|
||||
else
|
||||
@controller.authorize!(authorization_action, resource_instance)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def parent?
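Review bot: In the new `authorize_resource`, a create or update request whose `@params[name]` is an empty hash passes the `if @params[name] && …` test (an empty hash is truthy in Ruby) and then iterates zero keys, so `authorize!` is never called for the resource. The resource-level check should remain the fallback whenever no attribute is checked, for example by tightening the condition to `if @params[name].respond_to?(:each_key) && !@params[name].empty? && (authorization_action == :create || authorization_action == :update)`; this also keeps a non-hash value such as a plain string from reaching `.each`. Separately, `key.to_sym` is applied to request-supplied keys, which on Ruby versions that do not garbage-collect symbols lets a client grow the symbol table without bound; converting only keys that match a known attribute would avoid that. Only top-level keys are checked, so a nested attributes hash is authorized as a single attribute, which deserves a comment on the method.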
|
||||
|
|
|
@ -43,7 +43,7 @@ describe CanCan::ControllerResource do
|
|||
@controller.instance_variable_get(:@project).should == project
|
||||
end
|
||||
|
||||
it "should build a new resource with hash if params[:id] is not specified" do
|
||||
it "should build a new resource with hash if params[:id] is not specified and authorize on each attribute" do
|
||||
@params.merge!(:action => "create", :project => {:name => "foobar"})
|
||||
resource = CanCan::ControllerResource.new(@controller)
|
||||
resource.load_resource
|
||||
|
@ -336,6 +336,22 @@ describe CanCan::ControllerResource do
|
|||
@controller.instance_variable_get(:@project).should == project
|
||||
end
|
||||
|
||||
it "should authorize each new attribute in the create action" do
|
||||
@params.merge!(:action => "create", :project => {:name => "foo"})
|
||||
@controller.instance_variable_set(:@project, :some_project)
|
||||
mock(@controller).authorize!(:create, :some_project, :name)
|
||||
resource = CanCan::ControllerResource.new(@controller)
|
||||
resource.authorize_resource
|
||||
end
|
||||
|
||||
it "should authorize each new attribute in the update action" do
|
||||
@params.merge!(:action => "update", :id => 123, :project => {:name => "foo"})
|
||||
@controller.instance_variable_set(:@project, :some_project)
|
||||
mock(@controller).authorize!(:update, :some_project, :name)
|
||||
resource = CanCan::ControllerResource.new(@controller)
|
||||
resource.authorize_resource
|
||||
end
|
||||
|
||||
# it "should raise ImplementationRemoved when adding :name option" do
|
||||
# lambda {
|
||||
# CanCan::ControllerResource.new(@controller, :name => :foo)
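Review bot: The two added specs exercise one attribute each and only the allowed path, so the cases where the attribute loop can change the authorization outcome are untested: an empty `:project => {}` hash, several attributes in one request, and an action other than create or update. A spec using `@params.merge!(:action => "create", :project => {})` with `mock(@controller).authorize!(:create, :some_project)` would pin the resource-level fallback, and would presumably fail against the lib change as written. The renamed example "should build a new resource with hash if params[:id] is not specified and authorize on each attribute" shows only `resource.load_resource` in the visible lines; its body continues outside the hunk, but if it never calls `authorize_resource` the new title overstates what is checked.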
|
||||
|
|