don't authorize uncountable instance in collection action - closes #193
parent
15ca8ade3b
commit
bc9ecb226d
@ -26,7 +26,7 @@ module CanCan
|
||||
end
|
||||
|
||||
def load_resource
|
||||
if parent? || member_action?
|
||||
if load_instance?
|
||||
self.resource_instance ||= load_resource_instance
|
||||
elsif load_collection?
|
||||
self.collection_instance ||= load_collection
|
||||
@ -51,9 +51,12 @@ module CanCan
|
||||
end
|
||||
end
|
||||
|
||||
def load_instance?
|
||||
parent? || member_action?
|
||||
end
|
||||
|
||||
def load_collection?
|
||||
resource_base.respond_to?(:accessible_by) &&
|
||||
!current_ability.has_block?(authorization_action, resource_class)
|
||||
resource_base.respond_to?(:accessible_by) && !current_ability.has_block?(authorization_action, resource_class)
|
||||
end
|
||||
|
||||
def load_collection
|
||||
@ -116,7 +119,7 @@ module CanCan
|
||||
end
|
||||
|
||||
def resource_instance
|
||||
@controller.instance_variable_get("@#{instance_name}")
|
||||
@controller.instance_variable_get("@#{instance_name}") if load_instance?
|
||||
end
|
||||
|
||||
def collection_instance=(instance)
|
||||
|
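Review bot: `resource_instance` now answers nil whenever `load_instance?` is false, so in a collection action an `@project` the controller has already set is silently ignored and `authorize_resource` (outside this hunk) falls back to authorizing the resource class, a coarser check than the instance-level one that ran before; that deserves a comment above the method, e.g. `# Only report an instance for parent/member actions; in collection actions a pre-set ivar is ignored so authorization applies to the resource class`. The `if load_instance?` branch in the first hunk relies on the same predicate, while `member_action?` and `parent?`, which decide it, are outside the hunk. The rewritten `load_collection?` collapses the `&&` onto one noticeably long line; the previous two-line split read more easily. The `resource_instance=` writer is outside this section, so presumably it still stores the ivar unconditionally, which is why the read side has to do the gating.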
@ -91,6 +91,22 @@ describe CanCan::ControllerResource do
|
||||
@controller.instance_variable_defined?(:@projects).should be_false
|
||||
end
|
||||
|
||||
it "should not authorize single resource in collection action" do
|
||||
@params[:action] = "index"
|
||||
@controller.instance_variable_set(:@project, :some_project)
|
||||
stub(@controller).authorize!(:index, Project) { raise CanCan::AccessDenied }
|
||||
resource = CanCan::ControllerResource.new(@controller)
|
||||
lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
|
||||
end
|
||||
|
||||
it "should authorize parent resource in collection action" do
|
||||
@params[:action] = "index"
|
||||
@controller.instance_variable_set(:@category, :some_category)
|
||||
stub(@controller).authorize!(:read, :some_category) { raise CanCan::AccessDenied }
|
||||
resource = CanCan::ControllerResource.new(@controller, :category, :parent => true)
|
||||
lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
|
||||
end
|
||||
|
||||
it "should perform authorization using controller action and loaded model" do
|
||||
@params[:action] = "show"
|
||||
@controller.instance_variable_set(:@project, :some_project)
|
||||
|
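Review bot: The example "should not authorize single resource in collection action" only shows that `authorize!` is reached with `(:index, Project)`; a call with `:some_project` would fail because the stub's arguments do not match, not because the spec says so. If this is RR, stating the intent directly with `dont_allow(@controller).authorize!(:index, :some_project)` next to the existing stub would make the regression this commit fixes explicit. The enclosing `describe` block starts and ends outside the hunk.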