don't authorize uncountable instance in collection action - closes #193

Ryan Bates 2011-01-05 13:47:38 -08:00
parent 15ca8ade3b
commit bc9ecb226d
2 changed files with 23 additions and 4 deletions


@ -26,7 +26,7 @@ module CanCan
end end
def load_resource def load_resource
if parent? || member_action? if load_instance?
self.resource_instance ||= load_resource_instance self.resource_instance ||= load_resource_instance
elsif load_collection? elsif load_collection?
self.collection_instance ||= load_collection self.collection_instance ||= load_collection
@ -51,9 +51,12 @@ module CanCan
end end
end end
def load_instance?
parent? || member_action?
end
def load_collection? def load_collection?
resource_base.respond_to?(:accessible_by) && resource_base.respond_to?(:accessible_by) && !current_ability.has_block?(authorization_action, resource_class)
!current_ability.has_block?(authorization_action, resource_class)
end end
def load_collection def load_collection
@ -116,7 +119,7 @@ module CanCan
end end
def resource_instance def resource_instance
@controller.instance_variable_get("@#{instance_name}") @controller.instance_variable_get("@#{instance_name}") if load_instance?
end end
def collection_instance=(instance) def collection_instance=(instance)
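Review bot: `load_instance?` in the second hunk now decides both whether `load_resource` loads an instance and whether `resource_instance` reads the `@#{instance_name}` ivar at all, yet nothing records why collection actions are excluded; a short comment above it would spare the next reader a trip to the issue, e.g. `# Only parent resources and member actions have an instance to load; in a collection action (e.g. index) a pre-existing @#{instance_name} ivar must not be picked up for authorization (#193).` The guard added to `resource_instance` in the third hunk makes the reader return nil in collection actions even when the controller set the ivar itself, which is the intended fix here but presumably affects any other caller of `resource_instance` outside these hunks, so that is worth a glance. The `load_collection?` condition in the second hunk has been folded onto a single ~110-character line; keeping the previous two-line form with `&&` at the end of the first line reads better and keeps the diff minimal. `load_resource` in the first hunk and `collection_instance=` in the third continue outside their hunks.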


@ -91,6 +91,22 @@ describe CanCan::ControllerResource do
@controller.instance_variable_defined?(:@projects).should be_false @controller.instance_variable_defined?(:@projects).should be_false
end end
it "should not authorize single resource in collection action" do
@params[:action] = "index"
@controller.instance_variable_set(:@project, :some_project)
stub(@controller).authorize!(:index, Project) { raise CanCan::AccessDenied }
resource = CanCan::ControllerResource.new(@controller)
lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
end
it "should authorize parent resource in collection action" do
@params[:action] = "index"
@controller.instance_variable_set(:@category, :some_category)
stub(@controller).authorize!(:read, :some_category) { raise CanCan::AccessDenied }
resource = CanCan::ControllerResource.new(@controller, :category, :parent => true)
lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
end
it "should perform authorization using controller action and loaded model" do it "should perform authorization using controller action and loaded model" do
@params[:action] = "show" @params[:action] = "show"
@controller.instance_variable_set(:@project, :some_project) @controller.instance_variable_set(:@project, :some_project)
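Review bot: The two added examples exercise `authorize_resource` only, while the commit also changes the `resource_instance` reader to return nil outside `load_instance?`; nothing in this hunk pins that reader-level behaviour, so a later refactor of `authorize_resource` could regress #193 without this spec noticing. A direct example next to the two added ones would close that gap; the `send` below is only needed if `resource_instance` is private, which the rendered diff does not show. The `:read` expected in the parent example appears to come from the existing parent-authorization mapping rather than this commit, so a one-line comment such as `# parent resources are authorized with :read, not the controller action` would make the stub's arguments self-explanatory. The enclosing `describe` block continues outside the hunk.

```ruby
it "should not return resource instance in collection action" do
  @params[:action] = "index"
  @controller.instance_variable_set(:@project, :some_project)
  resource = CanCan::ControllerResource.new(@controller)
  resource.send(:resource_instance).should be_nil
end
```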