don't authorize uncountable instance in collection action - closes #193
This commit is contained in:
parent
15ca8ade3b
commit
bc9ecb226d
|
@ -26,7 +26,7 @@ module CanCan
|
||||||
end
|
end
|
||||||
|
|
||||||
def load_resource
|
def load_resource
|
||||||
if parent? || member_action?
|
if load_instance?
|
||||||
self.resource_instance ||= load_resource_instance
|
self.resource_instance ||= load_resource_instance
|
||||||
elsif load_collection?
|
elsif load_collection?
|
||||||
self.collection_instance ||= load_collection
|
self.collection_instance ||= load_collection
|
||||||
|
@ -51,9 +51,12 @@ module CanCan
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def load_instance?
|
||||||
|
parent? || member_action?
|
||||||
|
end
|
||||||
|
|
||||||
def load_collection?
|
def load_collection?
|
||||||
resource_base.respond_to?(:accessible_by) &&
|
resource_base.respond_to?(:accessible_by) && !current_ability.has_block?(authorization_action, resource_class)
|
||||||
!current_ability.has_block?(authorization_action, resource_class)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def load_collection
|
def load_collection
|
||||||
|
@ -116,7 +119,7 @@ module CanCan
|
||||||
end
|
end
|
||||||
|
|
||||||
def resource_instance
|
def resource_instance
|
||||||
@controller.instance_variable_get("@#{instance_name}")
|
@controller.instance_variable_get("@#{instance_name}") if load_instance?
|
||||||
end
|
end
|
||||||
|
|
||||||
def collection_instance=(instance)
|
def collection_instance=(instance)
|
||||||
|
|
|
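Review bot: The reader `resource_instance` in the third hunk is now gated on `load_instance?`, but the writer `resource_instance=` that `self.resource_instance ||= load_resource_instance` relies on in `load_resource` is not, so in a collection action an explicit assignment is accepted and then reads back as nil; that asymmetry is the fix for #193, but nothing in the code says why. Add a why-comment above `def resource_instance`: `# Expose the loaded instance only for member/parent actions: in a collection action a pre-set @#{instance_name} (presumably left by an earlier filter) must not become the subject passed to authorize! (#193).` Whether `member_action?` is derived from the request is not visible in these hunks; if it is, the comment should also say that this gate, and thus which object `authorize!` receives, is decided by request data. The new `load_instance?` predicate in the second hunk would benefit from the same one-line pointer, and `authorize_resource`, which consumes this return value, lies outside the hunks.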
@ -91,6 +91,22 @@ describe CanCan::ControllerResource do
|
||||||
@controller.instance_variable_defined?(:@projects).should be_false
|
@controller.instance_variable_defined?(:@projects).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "should not authorize single resource in collection action" do
|
||||||
|
@params[:action] = "index"
|
||||||
|
@controller.instance_variable_set(:@project, :some_project)
|
||||||
|
stub(@controller).authorize!(:index, Project) { raise CanCan::AccessDenied }
|
||||||
|
resource = CanCan::ControllerResource.new(@controller)
|
||||||
|
lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should authorize parent resource in collection action" do
|
||||||
|
@params[:action] = "index"
|
||||||
|
@controller.instance_variable_set(:@category, :some_category)
|
||||||
|
stub(@controller).authorize!(:read, :some_category) { raise CanCan::AccessDenied }
|
||||||
|
resource = CanCan::ControllerResource.new(@controller, :category, :parent => true)
|
||||||
|
lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
|
||||||
|
end
|
||||||
|
|
||||||
it "should perform authorization using controller action and loaded model" do
|
it "should perform authorization using controller action and loaded model" do
|
||||||
@params[:action] = "show"
|
@params[:action] = "show"
|
||||||
@controller.instance_variable_set(:@project, :some_project)
|
@controller.instance_variable_set(:@project, :some_project)
|
||||||
|
|
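Review bot: The example `should not authorize single resource in collection action` only proves that `authorize!` is reached with `(:index, Project)`; a regression that passes `:some_project` instead would surface as a stub argument mismatch rather than as an expectation that names the behaviour #193 fixes. Consider pairing the stub with an explicit negative expectation on the instance-argument call, for instance `dont_allow(@controller).authorize!(:index, :some_project)` if the double framework behind `stub(@controller)` here is rr, so a reader sees the forbidden call spelled out. The parent example below it is fine as written, since a parent resource is expected to be authorized as an instance even in a collection action.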