improving inline documentation
This commit is contained in:
parent
7543eedd6a
commit
dfd84a10ed
|
@ -1,4 +1,4 @@
|
||||||
* Fix issue when using accessible_by with nil can conditions (thanks jrallison) - see issue #66
|
* Fixing issue when using accessible_by with nil can conditions (thanks jrallison) - see issue #66
|
||||||
|
|
||||||
* Pluralize table name for belongs_to associations in can conditions hash (thanks logandk) - see issue #62
|
* Pluralize table name for belongs_to associations in can conditions hash (thanks logandk) - see issue #62
|
||||||
|
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
module CanCan
|
module CanCan
|
||||||
|
|
||||||
# This module is designed to be included into an Ability class. This will
|
# This module is designed to be included into an Ability class. This will
|
||||||
# provide the "can" methods for defining and checking abilities.
|
# provide the "can" methods for defining and checking abilities.
|
||||||
#
|
#
|
||||||
# class Ability
|
# class Ability
|
||||||
# include CanCan::Ability
|
# include CanCan::Ability
|
||||||
#
|
#
|
||||||
|
@ -14,179 +14,180 @@ module CanCan
|
||||||
# end
|
# end
|
||||||
# end
|
# end
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
module Ability
|
module Ability
|
||||||
# Use to check the user's permission for a given action and object.
|
# Use to check if the user has permission to perform a given action on an object.
|
||||||
#
|
#
|
||||||
# can? :destroy, @project
|
# can? :destroy, @project
|
||||||
#
|
#
|
||||||
# You can also pass the class instead of an instance (if you don't have one handy).
|
# You can also pass the class instead of an instance (if you don't have one handy).
|
||||||
#
|
#
|
||||||
# can? :create, Project
|
# can? :create, Project
|
||||||
#
|
#
|
||||||
# Any additional arguments will be passed into the "can" block definition. This
|
# Any additional arguments will be passed into the "can" block definition. This
|
||||||
# can be used to pass more information about the user's request for example.
|
# can be used to pass more information about the user's request for example.
|
||||||
#
|
#
|
||||||
# can? :create, Project, request.remote_ip
|
# can? :create, Project, request.remote_ip
|
||||||
#
|
#
|
||||||
# can :create Project do |project, remote_ip|
|
# can :create Project do |project, remote_ip|
|
||||||
# # ...
|
# # ...
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# Not only can you use the can? method in the controller and view (see ControllerAdditions),
|
# Not only can you use the can? method in the controller and view (see ControllerAdditions),
|
||||||
# but you can also call it directly on an ability instance.
|
# but you can also call it directly on an ability instance.
|
||||||
#
|
#
|
||||||
# ability.can? :destroy, @project
|
# ability.can? :destroy, @project
|
||||||
#
|
#
|
||||||
# This makes testing a user's abilities very easy.
|
# This makes testing a user's abilities very easy.
|
||||||
#
|
#
|
||||||
# def test "user can only destroy projects which he owns"
|
# def test "user can only destroy projects which he owns"
|
||||||
# user = User.new
|
# user = User.new
|
||||||
# ability = Ability.new(user)
|
# ability = Ability.new(user)
|
||||||
# assert ability.can?(:destroy, Project.new(:user => user))
|
# assert ability.can?(:destroy, Project.new(:user => user))
|
||||||
# assert ability.cannot?(:destroy, Project.new)
|
# assert ability.cannot?(:destroy, Project.new)
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
|
# Also see the RSpec Matchers to aid in testing.
|
||||||
def can?(action, subject, *extra_args)
|
def can?(action, subject, *extra_args)
|
||||||
raise Error, "Nom nom nom. I eated it." if action == :has && subject == :cheezburger
|
raise Error, "Nom nom nom. I eated it." if action == :has && subject == :cheezburger
|
||||||
can_definition = matching_can_definition(action, subject)
|
can_definition = matching_can_definition(action, subject)
|
||||||
can_definition && can_definition.can?(action, subject, extra_args)
|
can_definition && can_definition.can?(action, subject, extra_args)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Convenience method which works the same as "can?" but returns the opposite value.
|
# Convenience method which works the same as "can?" but returns the opposite value.
|
||||||
#
|
#
|
||||||
# cannot? :destroy, @project
|
# cannot? :destroy, @project
|
||||||
#
|
#
|
||||||
def cannot?(*args)
|
def cannot?(*args)
|
||||||
!can?(*args)
|
!can?(*args)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Defines which abilities are allowed using two arguments. The first one is the action
|
# Defines which abilities are allowed using two arguments. The first one is the action
|
||||||
# you're setting the permission for, the second one is the class of object you're setting it on.
|
# you're setting the permission for, the second one is the class of object you're setting it on.
|
||||||
#
|
#
|
||||||
# can :update, Article
|
# can :update, Article
|
||||||
#
|
#
|
||||||
# You can pass an array for either of these parameters to match any one.
|
# You can pass an array for either of these parameters to match any one.
|
||||||
#
|
#
|
||||||
# can [:update, :destroy], [Article, Comment]
|
# can [:update, :destroy], [Article, Comment]
|
||||||
#
|
#
|
||||||
# In this case the user has the ability to update or destroy both articles and comments.
|
# In this case the user has the ability to update or destroy both articles and comments.
|
||||||
#
|
#
|
||||||
# You can pass a hash of conditions as the third argument.
|
# You can pass a hash of conditions as the third argument.
|
||||||
#
|
#
|
||||||
# can :read, Project, :active => true, :user_id => user.id
|
# can :read, Project, :active => true, :user_id => user.id
|
||||||
#
|
#
|
||||||
# Here the user can only see active projects which he owns. See ControllerAdditions#conditions for a way to
|
# Here the user can only see active projects which he owns. See ActiveRecordAdditions#accessible_by
|
||||||
# use this in database queries.
|
# for how to use this in database queries.
|
||||||
#
|
#
|
||||||
# If the conditions hash does not give you enough control over defining abilities, you can use a block to
|
# If the conditions hash does not give you enough control over defining abilities, you can use a block to
|
||||||
# write any Ruby code you want.
|
# write any Ruby code you want.
|
||||||
#
|
#
|
||||||
# can :update, Project do |project|
|
# can :update, Project do |project|
|
||||||
# project && project.groups.include?(user.group)
|
# project && project.groups.include?(user.group)
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# If the block returns true then the user has that :update ability for that project, otherwise he
|
# If the block returns true then the user has that :update ability for that project, otherwise he
|
||||||
# will be denied access. It's possible for the passed in model to be nil if one isn't specified,
|
# will be denied access. It's possible for the passed in model to be nil if one isn't specified,
|
||||||
# so be sure to take that into consideration.
|
# so be sure to take that into consideration.
|
||||||
#
|
#
|
||||||
# The downside to using a block is that it cannot be used to generate conditions for database queries.
|
# The downside to using a block is that it cannot be used to generate conditions for database queries.
|
||||||
#
|
#
|
||||||
# You can pass :all to reference every type of object. In this case the object type will be passed
|
# You can pass :all to reference every type of object. In this case the object type will be passed
|
||||||
# into the block as well (just in case object is nil).
|
# into the block as well (just in case object is nil).
|
||||||
#
|
#
|
||||||
# can :read, :all do |object_class, object|
|
# can :read, :all do |object_class, object|
|
||||||
# object_class != Order
|
# object_class != Order
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# Here the user has permission to read all objects except orders.
|
# Here the user has permission to read all objects except orders.
|
||||||
#
|
#
|
||||||
# You can also pass :manage as the action which will match any action. In this case the action is
|
# You can also pass :manage as the action which will match any action. In this case the action is
|
||||||
# passed to the block.
|
# passed to the block.
|
||||||
#
|
#
|
||||||
# can :manage, Comment do |action, comment|
|
# can :manage, Comment do |action, comment|
|
||||||
# action != :destroy
|
# action != :destroy
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# You can pass custom objects into this "can" method, this is usually done through a symbol
|
# You can pass custom objects into this "can" method, this is usually done through a symbol
|
||||||
# and is useful if a class isn't available to define permissions on.
|
# and is useful if a class isn't available to define permissions on.
|
||||||
#
|
#
|
||||||
# can :read, :stats
|
# can :read, :stats
|
||||||
# can? :read, :stats # => true
|
# can? :read, :stats # => true
|
||||||
#
|
#
|
||||||
def can(action, subject, conditions = nil, &block)
|
def can(action, subject, conditions = nil, &block)
|
||||||
can_definitions << CanDefinition.new(true, action, subject, conditions, block)
|
can_definitions << CanDefinition.new(true, action, subject, conditions, block)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Define an ability which cannot be done. Accepts the same arguments as "can".
|
# Defines an ability which cannot be done. Accepts the same arguments as "can".
|
||||||
#
|
#
|
||||||
# can :read, :all
|
# can :read, :all
|
||||||
# cannot :read, Comment
|
# cannot :read, Comment
|
||||||
#
|
#
|
||||||
# A block can be passed just like "can", however if the logic is complex it is recommended
|
# A block can be passed just like "can", however if the logic is complex it is recommended
|
||||||
# to use the "can" method.
|
# to use the "can" method.
|
||||||
#
|
#
|
||||||
# cannot :read, Product do |product|
|
# cannot :read, Product do |product|
|
||||||
# product.invisible?
|
# product.invisible?
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
def cannot(action, subject, conditions = nil, &block)
|
def cannot(action, subject, conditions = nil, &block)
|
||||||
can_definitions << CanDefinition.new(false, action, subject, conditions, block)
|
can_definitions << CanDefinition.new(false, action, subject, conditions, block)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Alias one or more actions into another one.
|
# Alias one or more actions into another one.
|
||||||
#
|
#
|
||||||
# alias_action :update, :destroy, :to => :modify
|
# alias_action :update, :destroy, :to => :modify
|
||||||
# can :modify, Comment
|
# can :modify, Comment
|
||||||
#
|
#
|
||||||
# Then :modify permission will apply to both :update and :destroy requests.
|
# Then :modify permission will apply to both :update and :destroy requests.
|
||||||
#
|
#
|
||||||
# can? :update, Comment # => true
|
# can? :update, Comment # => true
|
||||||
# can? :destroy, Comment # => true
|
# can? :destroy, Comment # => true
|
||||||
#
|
#
|
||||||
# This only works in one direction. Passing the aliased action into the "can?" call
|
# This only works in one direction. Passing the aliased action into the "can?" call
|
||||||
# will not work because aliases are meant to generate more generic actions.
|
# will not work because aliases are meant to generate more generic actions.
|
||||||
#
|
#
|
||||||
# alias_action :update, :destroy, :to => :modify
|
# alias_action :update, :destroy, :to => :modify
|
||||||
# can :update, Comment
|
# can :update, Comment
|
||||||
# can? :modify, Comment # => false
|
# can? :modify, Comment # => false
|
||||||
#
|
#
|
||||||
# Unless that exact alias is used.
|
# Unless that exact alias is used.
|
||||||
#
|
#
|
||||||
# can :modify, Comment
|
# can :modify, Comment
|
||||||
# can? :modify, Comment # => true
|
# can? :modify, Comment # => true
|
||||||
#
|
#
|
||||||
# The following aliases are added by default for conveniently mapping common controller actions.
|
# The following aliases are added by default for conveniently mapping common controller actions.
|
||||||
#
|
#
|
||||||
# alias_action :index, :show, :to => :read
|
# alias_action :index, :show, :to => :read
|
||||||
# alias_action :new, :to => :create
|
# alias_action :new, :to => :create
|
||||||
# alias_action :edit, :to => :update
|
# alias_action :edit, :to => :update
|
||||||
#
|
#
|
||||||
# This way one can use params[:action] in the controller to determine the permission.
|
# This way one can use params[:action] in the controller to determine the permission.
|
||||||
def alias_action(*args)
|
def alias_action(*args)
|
||||||
target = args.pop[:to]
|
target = args.pop[:to]
|
||||||
aliased_actions[target] ||= []
|
aliased_actions[target] ||= []
|
||||||
aliased_actions[target] += args
|
aliased_actions[target] += args
|
||||||
end
|
end
|
||||||
|
|
||||||
# Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
|
# Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
|
||||||
def aliased_actions
|
def aliased_actions
|
||||||
@aliased_actions ||= default_alias_actions
|
@aliased_actions ||= default_alias_actions
|
||||||
end
|
end
|
||||||
|
|
||||||
# Removes previously aliased actions including the defaults.
|
# Removes previously aliased actions including the defaults.
|
||||||
def clear_aliased_actions
|
def clear_aliased_actions
|
||||||
@aliased_actions = {}
|
@aliased_actions = {}
|
||||||
end
|
end
|
||||||
|
|
||||||
# Returns a hash of conditions which match the given ability. This is useful if you need to generate a database
|
# Returns a hash of conditions which match the given ability. This is useful if you need to generate a database
|
||||||
# query based on the current ability.
|
# query based on the current ability.
|
||||||
#
|
#
|
||||||
# can :read, Article, :visible => true
|
# can :read, Article, :visible => true
|
||||||
# conditions :read, Article # returns { :visible => true }
|
# conditions :read, Article # returns { :visible => true }
|
||||||
#
|
#
|
||||||
# Normally you will not call this method directly, but instead go through ActiveRecordAdditions#accessible_by method.
|
# Normally you will not call this method directly, but instead go through ActiveRecordAdditions#accessible_by method.
|
||||||
#
|
#
|
||||||
# If the ability is not defined then false is returned so be sure to take that into consideration.
|
# If the ability is not defined then false is returned so be sure to take that into consideration.
|
||||||
# If the ability is defined using a block then this will raise an exception since a hash of conditions cannot be
|
# If the ability is defined using a block then this will raise an exception since a hash of conditions cannot be
|
||||||
# determined from that.
|
# determined from that.
|
||||||
|
@ -199,7 +200,7 @@ module CanCan
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Returns the associations used in conditions. This is usually used in the :joins option for a search.
|
# Returns the associations used in conditions. This is usually used in the :joins option for a search.
|
||||||
# See ActiveRecordAdditions#accessible_by for use in Active Record.
|
# See ActiveRecordAdditions#accessible_by for use in Active Record.
|
||||||
def association_joins(action, subject)
|
def association_joins(action, subject)
|
||||||
|
@ -211,18 +212,18 @@ module CanCan
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def can_definitions
|
def can_definitions
|
||||||
@can_definitions ||= []
|
@can_definitions ||= []
|
||||||
end
|
end
|
||||||
|
|
||||||
def matching_can_definition(action, subject)
|
def matching_can_definition(action, subject)
|
||||||
can_definitions.reverse.detect do |can_definition|
|
can_definitions.reverse.detect do |can_definition|
|
||||||
can_definition.expand_actions(aliased_actions)
|
can_definition.expand_actions(aliased_actions)
|
||||||
can_definition.matches? action, subject
|
can_definition.matches? action, subject
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def default_alias_actions
|
def default_alias_actions
|
||||||
{
|
{
|
||||||
:read => [:index, :show],
|
:read => [:index, :show],
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
module CanCan
|
module CanCan
|
||||||
# This module is automatically included into all Active Record.
|
# This module is automatically included into all Active Record models.
|
||||||
module ActiveRecordAdditions
|
module ActiveRecordAdditions
|
||||||
module ClassMethods
|
module ClassMethods
|
||||||
# Returns a scope which fetches only the records that the passed ability
|
# Returns a scope which fetches only the records that the passed ability
|
||||||
|
@ -7,16 +7,16 @@ module CanCan
|
||||||
# is usually called from a controller and passed the +current_ability+.
|
# is usually called from a controller and passed the +current_ability+.
|
||||||
#
|
#
|
||||||
# @articles = Article.accessible_by(current_ability)
|
# @articles = Article.accessible_by(current_ability)
|
||||||
#
|
#
|
||||||
# Here only the articles which the user is able to read will be returned.
|
# Here only the articles which the user is able to read will be returned.
|
||||||
# If the user does not have permission to read any articles then an empty
|
# If the user does not have permission to read any articles then an empty
|
||||||
# result is returned. Since this is a scope it can be combined with any
|
# result is returned. Since this is a scope it can be combined with any
|
||||||
# other scopes or pagination.
|
# other scopes or pagination.
|
||||||
#
|
#
|
||||||
# An alternative action can optionally be passed as a second argument.
|
# An alternative action can optionally be passed as a second argument.
|
||||||
#
|
#
|
||||||
# @articles = Article.accessible_by(current_ability, :update)
|
# @articles = Article.accessible_by(current_ability, :update)
|
||||||
#
|
#
|
||||||
# Here only the articles which the user can update are returned. This
|
# Here only the articles which the user can update are returned. This
|
||||||
# internally uses Ability#conditions method, see that for more information.
|
# internally uses Ability#conditions method, see that for more information.
|
||||||
def accessible_by(ability, action = :read)
|
def accessible_by(ability, action = :read)
|
||||||
|
@ -29,7 +29,7 @@ module CanCan
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.included(base)
|
def self.included(base)
|
||||||
base.extend ClassMethods
|
base.extend ClassMethods
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,9 +1,15 @@
|
||||||
module CanCan
|
module CanCan
|
||||||
# This class is used internally and should only be called through Ability.
|
# This class is used internally and should only be called through Ability.
|
||||||
|
# it holds the information about a "can" call made on Ability and provides
|
||||||
|
# helpful methods to determine permission checking and conditions hash generation.
|
||||||
class CanDefinition # :nodoc:
|
class CanDefinition # :nodoc:
|
||||||
include ActiveSupport::Inflector
|
include ActiveSupport::Inflector
|
||||||
attr_reader :block
|
attr_reader :block
|
||||||
|
|
||||||
|
# The first argument when initializing is the base_behavior which is a true/false
|
||||||
|
# value. True for "can" and false for "cannot". The next two arguments are the action
|
||||||
|
# and subject respectively (such as :read, @project). The third argument is a hash
|
||||||
|
# of conditions and the last one is the block passed to the "can" call.
|
||||||
def initialize(base_behavior, action, subject, conditions, block)
|
def initialize(base_behavior, action, subject, conditions, block)
|
||||||
@base_behavior = base_behavior
|
@base_behavior = base_behavior
|
||||||
@actions = [action].flatten
|
@actions = [action].flatten
|
||||||
|
@ -11,27 +17,31 @@ module CanCan
|
||||||
@conditions = conditions || {}
|
@conditions = conditions || {}
|
||||||
@block = block
|
@block = block
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Accepts a hash of aliased actions and returns an array of actions which match.
|
||||||
|
# This should be called before "matches?" and other checking methods since they
|
||||||
|
# rely on the actions to be expanded.
|
||||||
def expand_actions(aliased_actions)
|
def expand_actions(aliased_actions)
|
||||||
@expanded_actions = @actions.map do |action|
|
@expanded_actions = @actions.map do |action|
|
||||||
aliased_actions[action] ? [action, *aliased_actions[action]] : action
|
aliased_actions[action] ? [action, *aliased_actions[action]] : action
|
||||||
end.flatten
|
end.flatten
|
||||||
end
|
end
|
||||||
|
|
||||||
def matches?(action, subject)
|
def matches?(action, subject)
|
||||||
matches_action?(action) && matches_subject?(subject)
|
matches_action?(action) && matches_subject?(subject)
|
||||||
end
|
end
|
||||||
|
|
||||||
def can?(action, subject, extra_args)
|
def can?(action, subject, extra_args)
|
||||||
result = can_without_base_behavior?(action, subject, extra_args)
|
result = can_without_base_behavior?(action, subject, extra_args)
|
||||||
@base_behavior ? result : !result
|
@base_behavior ? result : !result
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns a hash of conditions. If the ":tableize => true" option is passed
|
||||||
|
# it will pluralize the association conditions to match the table name.
|
||||||
def conditions(options = {})
|
def conditions(options = {})
|
||||||
if options[:tableize] and @conditions.kind_of? Hash
|
if options[:tableize] && @conditions.kind_of?(Hash)
|
||||||
@conditions.inject({}) do |tableized_conditions, (name, value)|
|
@conditions.inject({}) do |tableized_conditions, (name, value)|
|
||||||
name = tableize(name).to_sym if value.kind_of? Hash
|
name = tableize(name).to_sym if value.kind_of? Hash
|
||||||
|
|
||||||
tableized_conditions[name] = value
|
tableized_conditions[name] = value
|
||||||
tableized_conditions
|
tableized_conditions
|
||||||
end
|
end
|
||||||
|
@ -54,17 +64,17 @@ module CanCan
|
||||||
end
|
end
|
||||||
joins unless joins.empty?
|
joins unless joins.empty?
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def matches_action?(action)
|
def matches_action?(action)
|
||||||
@expanded_actions.include?(:manage) || @expanded_actions.include?(action)
|
@expanded_actions.include?(:manage) || @expanded_actions.include?(action)
|
||||||
end
|
end
|
||||||
|
|
||||||
def matches_subject?(subject)
|
def matches_subject?(subject)
|
||||||
@subjects.include?(:all) || @subjects.include?(subject) || @subjects.any? { |sub| sub.kind_of?(Class) && subject.kind_of?(sub) }
|
@subjects.include?(:all) || @subjects.include?(subject) || @subjects.any? { |sub| sub.kind_of?(Class) && subject.kind_of?(sub) }
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_without_base_behavior?(action, subject, extra_args)
|
def can_without_base_behavior?(action, subject, extra_args)
|
||||||
if @block
|
if @block
|
||||||
call_block(action, subject, extra_args)
|
call_block(action, subject, extra_args)
|
||||||
|
@ -74,7 +84,7 @@ module CanCan
|
||||||
true
|
true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def matches_conditions?(subject, conditions = @conditions)
|
def matches_conditions?(subject, conditions = @conditions)
|
||||||
conditions.all? do |name, value|
|
conditions.all? do |name, value|
|
||||||
attribute = subject.send(name)
|
attribute = subject.send(name)
|
||||||
|
@ -91,7 +101,7 @@ module CanCan
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def call_block(action, subject, extra_args)
|
def call_block(action, subject, extra_args)
|
||||||
block_args = []
|
block_args = []
|
||||||
block_args << action if @expanded_actions.include?(:manage)
|
block_args << action if @expanded_actions.include?(:manage)
|
||||||
|
|
|
@ -1,35 +1,35 @@
|
||||||
module CanCan
|
module CanCan
|
||||||
|
|
||||||
# This module is automatically included into all controllers.
|
# This module is automatically included into all controllers.
|
||||||
# It also makes the "can?" and "cannot?" methods available to all views.
|
# It also makes the "can?" and "cannot?" methods available to all views.
|
||||||
module ControllerAdditions
|
module ControllerAdditions
|
||||||
module ClassMethods
|
module ClassMethods
|
||||||
# Sets up a before filter which loads and authorizes the current resource. This performs both
|
# Sets up a before filter which loads and authorizes the current resource. This performs both
|
||||||
# load_resource and authorize_resource and accepts the same arguments. See those methods for details.
|
# load_resource and authorize_resource and accepts the same arguments. See those methods for details.
|
||||||
#
|
#
|
||||||
# class BooksController < ApplicationController
|
# class BooksController < ApplicationController
|
||||||
# load_and_authorize_resource
|
# load_and_authorize_resource
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
def load_and_authorize_resource(options = {})
|
def load_and_authorize_resource(options = {})
|
||||||
ResourceAuthorization.add_before_filter(self, :load_and_authorize_resource, options)
|
ResourceAuthorization.add_before_filter(self, :load_and_authorize_resource, options)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Sets up a before filter which loads the appropriate model resource into an instance variable.
|
# Sets up a before filter which loads the appropriate model resource into an instance variable.
|
||||||
# For example, given an ArticlesController it will load the current article into the @article
|
# For example, given an ArticlesController it will load the current article into the @article
|
||||||
# instance variable. It does this by either calling Article.find(params[:id]) or
|
# instance variable. It does this by either calling Article.find(params[:id]) or
|
||||||
# Article.new(params[:article]) depending upon the action. It does nothing for the "index"
|
# Article.new(params[:article]) depending upon the action. It does nothing for the "index"
|
||||||
# action.
|
# action.
|
||||||
#
|
#
|
||||||
# Call this method directly on the controller class.
|
# Call this method directly on the controller class.
|
||||||
#
|
#
|
||||||
# class BooksController < ApplicationController
|
# class BooksController < ApplicationController
|
||||||
# load_resource
|
# load_resource
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# A resource is not loaded if the instance variable is already set. This makes it easy to override
|
# A resource is not loaded if the instance variable is already set. This makes it easy to override
|
||||||
# the behavior through a before_filter on certain actions.
|
# the behavior through a before_filter on certain actions.
|
||||||
#
|
#
|
||||||
# class BooksController < ApplicationController
|
# class BooksController < ApplicationController
|
||||||
# before_filter :find_book_by_permalink, :only => :show
|
# before_filter :find_book_by_permalink, :only => :show
|
||||||
# load_resource
|
# load_resource
|
||||||
|
@ -40,107 +40,107 @@ module CanCan
|
||||||
# @book = Book.find_by_permalink!(params[:id)
|
# @book = Book.find_by_permalink!(params[:id)
|
||||||
# end
|
# end
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# See load_and_authorize_resource to automatically authorize the resource too.
|
# See load_and_authorize_resource to automatically authorize the resource too.
|
||||||
#
|
#
|
||||||
# Options:
|
# Options:
|
||||||
# [:+only+]
|
# [:+only+]
|
||||||
# Only applies before filter to given actions.
|
# Only applies before filter to given actions.
|
||||||
#
|
#
|
||||||
# [:+except+]
|
# [:+except+]
|
||||||
# Does not apply before filter to given actions.
|
# Does not apply before filter to given actions.
|
||||||
#
|
#
|
||||||
# [:+nested+]
|
# [:+nested+]
|
||||||
# Specify which resource this is nested under.
|
# Specify which resource this is nested under.
|
||||||
#
|
#
|
||||||
# load_resource :nested => :author
|
# load_resource :nested => :author
|
||||||
#
|
#
|
||||||
# Deep nesting can be defined in an array.
|
# Deep nesting can be defined in an array.
|
||||||
#
|
#
|
||||||
# load_resource :nested => [:publisher, :author]
|
# load_resource :nested => [:publisher, :author]
|
||||||
#
|
#
|
||||||
# [:+resource+]
|
# [:+resource+]
|
||||||
# The class to use for the model (string or constant).
|
# The class to use for the model (string or constant).
|
||||||
#
|
#
|
||||||
# [:+collection+]
|
# [:+collection+]
|
||||||
# Specify which actions are resource collection actions in addition to :+index+. This
|
# Specify which actions are resource collection actions in addition to :+index+. This
|
||||||
# is usually not necessary because it will try to guess depending on if an :+id+
|
# is usually not necessary because it will try to guess depending on if an :+id+
|
||||||
# is present in +params+.
|
# is present in +params+.
|
||||||
#
|
#
|
||||||
# load_resource :collection => [:sort, :list]
|
# load_resource :collection => [:sort, :list]
|
||||||
#
|
#
|
||||||
# [:+new+]
|
# [:+new+]
|
||||||
# Specify which actions are new resource actions in addition to :+new+ and :+create+.
|
# Specify which actions are new resource actions in addition to :+new+ and :+create+.
|
||||||
# Pass an action name into here if you would like to build a new resource instead of
|
# Pass an action name into here if you would like to build a new resource instead of
|
||||||
# fetch one.
|
# fetch one.
|
||||||
#
|
#
|
||||||
# load_resource :new => :build
|
# load_resource :new => :build
|
||||||
#
|
#
|
||||||
def load_resource(options = {})
|
def load_resource(options = {})
|
||||||
ResourceAuthorization.add_before_filter(self, :load_resource, options)
|
ResourceAuthorization.add_before_filter(self, :load_resource, options)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Sets up a before filter which authorizes the current resource using the instance variable.
|
# Sets up a before filter which authorizes the current resource using the instance variable.
|
||||||
# For example, if you have an ArticlesController it will check the @article instance variable
|
# For example, if you have an ArticlesController it will check the @article instance variable
|
||||||
# and ensure the user can perform the current action on it. Under the hood it is doing
|
# and ensure the user can perform the current action on it. Under the hood it is doing
|
||||||
# something like the following.
|
# something like the following.
|
||||||
#
|
#
|
||||||
# authorize!(params[:action].to_sym, @article || Article)
|
# authorize!(params[:action].to_sym, @article || Article)
|
||||||
#
|
#
|
||||||
# Call this method directly on the controller class.
|
# Call this method directly on the controller class.
|
||||||
#
|
#
|
||||||
# class BooksController < ApplicationController
|
# class BooksController < ApplicationController
|
||||||
# authorize_resource
|
# authorize_resource
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# See load_and_authorize_resource to automatically load the resource too.
|
# See load_and_authorize_resource to automatically load the resource too.
|
||||||
#
|
#
|
||||||
# Options:
|
# Options:
|
||||||
# [:+only+]
|
# [:+only+]
|
||||||
# Only applies before filter to given actions.
|
# Only applies before filter to given actions.
|
||||||
#
|
#
|
||||||
# [:+except+]
|
# [:+except+]
|
||||||
# Does not apply before filter to given actions.
|
# Does not apply before filter to given actions.
|
||||||
#
|
#
|
||||||
# [:+resource+]
|
# [:+resource+]
|
||||||
# The class to use for the model (string or constant). Alternatively pass a symbol
|
# The class to use for the model (string or constant). Alternatively pass a symbol
|
||||||
# to represent a resource which does not have a class.
|
# to represent a resource which does not have a class.
|
||||||
#
|
#
|
||||||
def authorize_resource(options = {})
|
def authorize_resource(options = {})
|
||||||
ResourceAuthorization.add_before_filter(self, :authorize_resource, options)
|
ResourceAuthorization.add_before_filter(self, :authorize_resource, options)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.included(base)
|
def self.included(base)
|
||||||
base.extend ClassMethods
|
base.extend ClassMethods
|
||||||
base.helper_method :can?, :cannot?
|
base.helper_method :can?, :cannot?
|
||||||
end
|
end
|
||||||
|
|
||||||
# Raises a CanCan::AccessDenied exception if the current_ability cannot
|
# Raises a CanCan::AccessDenied exception if the current_ability cannot
|
||||||
# perform the given action. This is usually called in a controller action or
|
# perform the given action. This is usually called in a controller action or
|
||||||
# before filter to perform the authorization.
|
# before filter to perform the authorization.
|
||||||
#
|
#
|
||||||
# def show
|
# def show
|
||||||
# @article = Article.find(params[:id])
|
# @article = Article.find(params[:id])
|
||||||
# authorize! :read, @article
|
# authorize! :read, @article
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# A :message option can be passed to specify a different message.
|
# A :message option can be passed to specify a different message.
|
||||||
#
|
#
|
||||||
# authorize! :read, @article, :message => "Not authorized to read #{@article.name}"
|
# authorize! :read, @article, :message => "Not authorized to read #{@article.name}"
|
||||||
#
|
#
|
||||||
# You can rescue from the exception in the controller to customize how unauthorized
|
# You can rescue from the exception in the controller to customize how unauthorized
|
||||||
# access is displayed to the user.
|
# access is displayed to the user.
|
||||||
#
|
#
|
||||||
# class ApplicationController < ActionController::Base
|
# class ApplicationController < ActionController::Base
|
||||||
# rescue_from CanCan::AccessDenied do |exception|
|
# rescue_from CanCan::AccessDenied do |exception|
|
||||||
# flash[:error] = exception.message
|
# flash[:error] = exception.message
|
||||||
# redirect_to root_url
|
# redirect_to root_url
|
||||||
# end
|
# end
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# See the CanCan::AccessDenied exception for more details on working with the exception.
|
# See the CanCan::AccessDenied exception for more details on working with the exception.
|
||||||
#
|
#
|
||||||
# See the load_and_authorize_resource method to automatically add the authorize! behavior
|
# See the load_and_authorize_resource method to automatically add the authorize! behavior
|
||||||
# to the default RESTful actions.
|
# to the default RESTful actions.
|
||||||
def authorize!(action, subject, *args)
|
def authorize!(action, subject, *args)
|
||||||
|
@ -150,46 +150,46 @@ module CanCan
|
||||||
end
|
end
|
||||||
raise AccessDenied.new(message, action, subject) if cannot?(action, subject, *args)
|
raise AccessDenied.new(message, action, subject) if cannot?(action, subject, *args)
|
||||||
end
|
end
|
||||||
|
|
||||||
def unauthorized!(message = nil)
|
def unauthorized!(message = nil)
|
||||||
raise ImplementationRemoved, "The unauthorized! method has been removed from CanCan, use authorize! instead."
|
raise ImplementationRemoved, "The unauthorized! method has been removed from CanCan, use authorize! instead."
|
||||||
end
|
end
|
||||||
|
|
||||||
# Creates and returns the current user's ability and caches it. If you
|
# Creates and returns the current user's ability and caches it. If you
|
||||||
# want to override how the Ability is defined then this is the place.
|
# want to override how the Ability is defined then this is the place.
|
||||||
# Just define the method in the controller to change behavior.
|
# Just define the method in the controller to change behavior.
|
||||||
#
|
#
|
||||||
# def current_ability
|
# def current_ability
|
||||||
# # instead of Ability.new(current_user)
|
# # instead of Ability.new(current_user)
|
||||||
# @current_ability ||= UserAbility.new(current_account)
|
# @current_ability ||= UserAbility.new(current_account)
|
||||||
# end
|
# end
|
||||||
#
|
#
|
||||||
# Notice it is important to cache the ability object so it is not
|
# Notice it is important to cache the ability object so it is not
|
||||||
# recreated every time.
|
# recreated every time.
|
||||||
def current_ability
|
def current_ability
|
||||||
@current_ability ||= ::Ability.new(current_user)
|
@current_ability ||= ::Ability.new(current_user)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Use in the controller or view to check the user's permission for a given action
|
# Use in the controller or view to check the user's permission for a given action
|
||||||
# and object.
|
# and object.
|
||||||
#
|
#
|
||||||
# can? :destroy, @project
|
# can? :destroy, @project
|
||||||
#
|
#
|
||||||
# You can also pass the class instead of an instance (if you don't have one handy).
|
# You can also pass the class instead of an instance (if you don't have one handy).
|
||||||
#
|
#
|
||||||
# <% if can? :create, Project %>
|
# <% if can? :create, Project %>
|
||||||
# <%= link_to "New Project", new_project_path %>
|
# <%= link_to "New Project", new_project_path %>
|
||||||
# <% end %>
|
# <% end %>
|
||||||
#
|
#
|
||||||
# This simply calls "can?" on the current_ability. See Ability#can?.
|
# This simply calls "can?" on the current_ability. See Ability#can?.
|
||||||
def can?(*args)
|
def can?(*args)
|
||||||
current_ability.can?(*args)
|
current_ability.can?(*args)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Convenience method which works the same as "can?" but returns the opposite value.
|
# Convenience method which works the same as "can?" but returns the opposite value.
|
||||||
#
|
#
|
||||||
# cannot? :destroy, @project
|
# cannot? :destroy, @project
|
||||||
#
|
#
|
||||||
def cannot?(*args)
|
def cannot?(*args)
|
||||||
current_ability.cannot?(*args)
|
current_ability.cannot?(*args)
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,5 +1,7 @@
|
||||||
module CanCan
|
module CanCan
|
||||||
# Used internally to load and authorize a given controller resource.
|
# Used internally to load and authorize a given controller resource.
|
||||||
|
# This manages finding or building an instance of the resource. If a
|
||||||
|
# parent is given it will go through the association.
|
||||||
class ControllerResource # :nodoc:
|
class ControllerResource # :nodoc:
|
||||||
def initialize(controller, name, parent = nil, options = {})
|
def initialize(controller, name, parent = nil, options = {})
|
||||||
raise ImplementationRemoved, "The :class option has been renamed to :resource for specifying the class in CanCan." if options.has_key? :class
|
raise ImplementationRemoved, "The :class option has been renamed to :resource for specifying the class in CanCan." if options.has_key? :class
|
||||||
|
@ -9,6 +11,9 @@ module CanCan
|
||||||
@options = options
|
@options = options
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the class used for this resource. This can be overriden by the :resource option.
|
||||||
|
# Sometimes one will use a symbol as the resource if a class does not exist for it. In that
|
||||||
|
# case "find" and "build" should not be called on it.
|
||||||
def model_class
|
def model_class
|
||||||
resource_class = @options[:resource]
|
resource_class = @options[:resource]
|
||||||
if resource_class.nil?
|
if resource_class.nil?
|
||||||
|
@ -16,7 +21,7 @@ module CanCan
|
||||||
elsif resource_class.kind_of? String
|
elsif resource_class.kind_of? String
|
||||||
resource_class.constantize
|
resource_class.constantize
|
||||||
else
|
else
|
||||||
resource_class # likely a symbol
|
resource_class # could be a symbol
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -24,12 +29,10 @@ module CanCan
|
||||||
self.model_instance ||= base.find(id)
|
self.model_instance ||= base.find(id)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Build a new instance of this resource. If it is a class we just call "new" otherwise
|
||||||
|
# it's an associaiton and "build" is used.
|
||||||
def build(attributes)
|
def build(attributes)
|
||||||
if base.kind_of? Class
|
self.model_instance ||= (base.kind_of?(Class) ? base.new(attributes) : base.build(attributes))
|
||||||
self.model_instance ||= base.new(attributes)
|
|
||||||
else
|
|
||||||
self.model_instance ||= base.build(attributes)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def model_instance
|
def model_instance
|
||||||
|
@ -42,6 +45,8 @@ module CanCan
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
|
# The object that methods (such as "find", "new" or "build") are called on.
|
||||||
|
# If there is a parent it will be the association, otherwise it will be the model's class.
|
||||||
def base
|
def base
|
||||||
@parent ? @parent.model_instance.send(@name.to_s.pluralize) : model_class
|
@parent ? @parent.model_instance.send(@name.to_s.pluralize) : model_class
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,41 +1,41 @@
|
||||||
module CanCan
|
module CanCan
|
||||||
# A general CanCan exception
|
# A general CanCan exception
|
||||||
class Error < StandardError; end
|
class Error < StandardError; end
|
||||||
|
|
||||||
# Raised when removed code is called, an alternative solution is provided in message.
|
# Raised when removed code is called, an alternative solution is provided in message.
|
||||||
class ImplementationRemoved < Error; end
|
class ImplementationRemoved < Error; end
|
||||||
|
|
||||||
# This error is raised when a user isn't allowed to access a given controller action.
|
# This error is raised when a user isn't allowed to access a given controller action.
|
||||||
# This usually happens within a call to ControllerAdditions#authorize! but can be
|
# This usually happens within a call to ControllerAdditions#authorize! but can be
|
||||||
# raised manually.
|
# raised manually.
|
||||||
#
|
#
|
||||||
# raise CanCan::AccessDenied.new("Not authorized!", :read, Article)
|
# raise CanCan::AccessDenied.new("Not authorized!", :read, Article)
|
||||||
#
|
#
|
||||||
# The passed message, action, and subject are optional and can later be retrieved when
|
# The passed message, action, and subject are optional and can later be retrieved when
|
||||||
# rescuing from the exception.
|
# rescuing from the exception.
|
||||||
#
|
#
|
||||||
# exception.message # => "Not authorized!"
|
# exception.message # => "Not authorized!"
|
||||||
# exception.action # => :read
|
# exception.action # => :read
|
||||||
# exception.subject # => Article
|
# exception.subject # => Article
|
||||||
#
|
#
|
||||||
# If the message is not specified (or is nil) it will default to "You are anot authorized
|
# If the message is not specified (or is nil) it will default to "You are not authorized
|
||||||
# to access this page." This default can be overridden by setting default_message.
|
# to access this page." This default can be overridden by setting default_message.
|
||||||
#
|
#
|
||||||
# exception.default_message = "Default error message"
|
# exception.default_message = "Default error message"
|
||||||
# exception.message # => "Default error message"
|
# exception.message # => "Default error message"
|
||||||
#
|
#
|
||||||
# See ControllerAdditions#authorized! for more information on rescuing from this exception.
|
# See ControllerAdditions#authorized! for more information on rescuing from this exception.
|
||||||
class AccessDenied < Error
|
class AccessDenied < Error
|
||||||
attr_reader :action, :subject
|
attr_reader :action, :subject
|
||||||
attr_writer :default_message
|
attr_writer :default_message
|
||||||
|
|
||||||
def initialize(message = nil, action = nil, subject = nil)
|
def initialize(message = nil, action = nil, subject = nil)
|
||||||
@message = message
|
@message = message
|
||||||
@action = action
|
@action = action
|
||||||
@subject = subject
|
@subject = subject
|
||||||
@default_message = "You are not authorized to access this page."
|
@default_message = "You are not authorized to access this page."
|
||||||
end
|
end
|
||||||
|
|
||||||
def to_s
|
def to_s
|
||||||
@message || @default_message
|
@message || @default_message
|
||||||
end
|
end
|
||||||
|
|
|
@ -7,18 +7,18 @@ module CanCan
|
||||||
ResourceAuthorization.new(controller, controller.params, options.except(:only, :except)).send(method)
|
ResourceAuthorization.new(controller, controller.params, options.except(:only, :except)).send(method)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def initialize(controller, params, options = {})
|
def initialize(controller, params, options = {})
|
||||||
@controller = controller
|
@controller = controller
|
||||||
@params = params
|
@params = params
|
||||||
@options = options
|
@options = options
|
||||||
end
|
end
|
||||||
|
|
||||||
def load_and_authorize_resource
|
def load_and_authorize_resource
|
||||||
load_resource
|
load_resource
|
||||||
authorize_resource
|
authorize_resource
|
||||||
end
|
end
|
||||||
|
|
||||||
def load_resource
|
def load_resource
|
||||||
unless collection_actions.include? @params[:action].to_sym
|
unless collection_actions.include? @params[:action].to_sym
|
||||||
if new_actions.include? @params[:action].to_sym
|
if new_actions.include? @params[:action].to_sym
|
||||||
|
@ -28,17 +28,17 @@ module CanCan
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def authorize_resource
|
def authorize_resource
|
||||||
@controller.authorize!(@params[:action].to_sym, resource.model_instance || resource.model_class)
|
@controller.authorize!(@params[:action].to_sym, resource.model_instance || resource.model_class)
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def resource
|
def resource
|
||||||
@resource ||= ControllerResource.new(@controller, model_name, parent_resource, @options)
|
@resource ||= ControllerResource.new(@controller, model_name, parent_resource, @options)
|
||||||
end
|
end
|
||||||
|
|
||||||
def parent_resource
|
def parent_resource
|
||||||
parent = nil
|
parent = nil
|
||||||
[@options[:nested]].flatten.compact.each do |name|
|
[@options[:nested]].flatten.compact.each do |name|
|
||||||
|
@ -52,15 +52,15 @@ module CanCan
|
||||||
end
|
end
|
||||||
parent
|
parent
|
||||||
end
|
end
|
||||||
|
|
||||||
def model_name
|
def model_name
|
||||||
@params[:controller].sub("Controller", "").underscore.split('/').last.singularize
|
@params[:controller].sub("Controller", "").underscore.split('/').last.singularize
|
||||||
end
|
end
|
||||||
|
|
||||||
def collection_actions
|
def collection_actions
|
||||||
[:index] + [@options[:collection]].flatten
|
[:index] + [@options[:collection]].flatten
|
||||||
end
|
end
|
||||||
|
|
||||||
def new_actions
|
def new_actions
|
||||||
[:new, :create] + [@options[:new]].flatten
|
[:new, :create] + [@options[:new]].flatten
|
||||||
end
|
end
|
||||||
|
|
|
@ -5,17 +5,17 @@ describe CanCan::Ability do
|
||||||
@ability = Object.new
|
@ability = Object.new
|
||||||
@ability.extend(CanCan::Ability)
|
@ability.extend(CanCan::Ability)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should be able to :read anything" do
|
it "should be able to :read anything" do
|
||||||
@ability.can :read, :all
|
@ability.can :read, :all
|
||||||
@ability.can?(:read, String).should be_true
|
@ability.can?(:read, String).should be_true
|
||||||
@ability.can?(:read, 123).should be_true
|
@ability.can?(:read, 123).should be_true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not have permission to do something it doesn't know about" do
|
it "should not have permission to do something it doesn't know about" do
|
||||||
@ability.can?(:foodfight, String).should be_false
|
@ability.can?(:foodfight, String).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return what block returns on a can call" do
|
it "should return what block returns on a can call" do
|
||||||
@ability.can :read, :all
|
@ability.can :read, :all
|
||||||
@ability.can :read, Symbol do |sym|
|
@ability.can :read, Symbol do |sym|
|
||||||
|
@ -24,21 +24,21 @@ describe CanCan::Ability do
|
||||||
@ability.can?(:read, Symbol).should be_nil
|
@ability.can?(:read, Symbol).should be_nil
|
||||||
@ability.can?(:read, :some_symbol).should == :some_symbol
|
@ability.can?(:read, :some_symbol).should == :some_symbol
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should pass class with object if :all objects are accepted" do
|
it "should pass class with object if :all objects are accepted" do
|
||||||
@ability.can :preview, :all do |object_class, object|
|
@ability.can :preview, :all do |object_class, object|
|
||||||
[object_class, object]
|
[object_class, object]
|
||||||
end
|
end
|
||||||
@ability.can?(:preview, 123).should == [Fixnum, 123]
|
@ability.can?(:preview, 123).should == [Fixnum, 123]
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should pass class with no object if :all objects are accepted and class is passed directly" do
|
it "should pass class with no object if :all objects are accepted and class is passed directly" do
|
||||||
@ability.can :preview, :all do |object_class, object|
|
@ability.can :preview, :all do |object_class, object|
|
||||||
[object_class, object]
|
[object_class, object]
|
||||||
end
|
end
|
||||||
@ability.can?(:preview, Hash).should == [Hash, nil]
|
@ability.can?(:preview, Hash).should == [Hash, nil]
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should pass action and object for global manage actions" do
|
it "should pass action and object for global manage actions" do
|
||||||
@ability.can :manage, Array do |action, object|
|
@ability.can :manage, Array do |action, object|
|
||||||
[action, object]
|
[action, object]
|
||||||
|
@ -46,14 +46,14 @@ describe CanCan::Ability do
|
||||||
@ability.can?(:stuff, [1, 2]).should == [:stuff, [1, 2]]
|
@ability.can?(:stuff, [1, 2]).should == [:stuff, [1, 2]]
|
||||||
@ability.can?(:stuff, Array).should == [:stuff, nil]
|
@ability.can?(:stuff, Array).should == [:stuff, nil]
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should alias update or destroy actions to modify action" do
|
it "should alias update or destroy actions to modify action" do
|
||||||
@ability.alias_action :update, :destroy, :to => :modify
|
@ability.alias_action :update, :destroy, :to => :modify
|
||||||
@ability.can(:modify, :all) { :modify_called }
|
@ability.can(:modify, :all) { :modify_called }
|
||||||
@ability.can?(:update, 123).should == :modify_called
|
@ability.can?(:update, 123).should == :modify_called
|
||||||
@ability.can?(:destroy, 123).should == :modify_called
|
@ability.can?(:destroy, 123).should == :modify_called
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return block result for action, object_class, and object for any action" do
|
it "should return block result for action, object_class, and object for any action" do
|
||||||
@ability.can :manage, :all do |action, object_class, object|
|
@ability.can :manage, :all do |action, object_class, object|
|
||||||
[action, object_class, object]
|
[action, object_class, object]
|
||||||
|
@ -61,56 +61,56 @@ describe CanCan::Ability do
|
||||||
@ability.can?(:foo, 123).should == [:foo, Fixnum, 123]
|
@ability.can?(:foo, 123).should == [:foo, Fixnum, 123]
|
||||||
@ability.can?(:bar, Fixnum).should == [:bar, Fixnum, nil]
|
@ability.can?(:bar, Fixnum).should == [:bar, Fixnum, nil]
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should automatically alias index and show into read calls" do
|
it "should automatically alias index and show into read calls" do
|
||||||
@ability.can :read, :all
|
@ability.can :read, :all
|
||||||
@ability.can?(:index, 123).should be_true
|
@ability.can?(:index, 123).should be_true
|
||||||
@ability.can?(:show, 123).should be_true
|
@ability.can?(:show, 123).should be_true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should automatically alias new and edit into create and update respectively" do
|
it "should automatically alias new and edit into create and update respectively" do
|
||||||
@ability.can(:create, :all) { :create_called }
|
@ability.can(:create, :all) { :create_called }
|
||||||
@ability.can(:update, :all) { :update_called }
|
@ability.can(:update, :all) { :update_called }
|
||||||
@ability.can?(:new, 123).should == :create_called
|
@ability.can?(:new, 123).should == :create_called
|
||||||
@ability.can?(:edit, 123).should == :update_called
|
@ability.can?(:edit, 123).should == :update_called
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not respond to prepare (now using initialize)" do
|
it "should not respond to prepare (now using initialize)" do
|
||||||
@ability.should_not respond_to(:prepare)
|
@ability.should_not respond_to(:prepare)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should offer cannot? method which is simply invert of can?" do
|
it "should offer cannot? method which is simply invert of can?" do
|
||||||
@ability.cannot?(:tie, String).should be_true
|
@ability.cannot?(:tie, String).should be_true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should be able to specify multiple actions and match any" do
|
it "should be able to specify multiple actions and match any" do
|
||||||
@ability.can [:read, :update], :all
|
@ability.can [:read, :update], :all
|
||||||
@ability.can?(:read, 123).should be_true
|
@ability.can?(:read, 123).should be_true
|
||||||
@ability.can?(:update, 123).should be_true
|
@ability.can?(:update, 123).should be_true
|
||||||
@ability.can?(:count, 123).should be_false
|
@ability.can?(:count, 123).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should be able to specify multiple classes and match any" do
|
it "should be able to specify multiple classes and match any" do
|
||||||
@ability.can :update, [String, Array]
|
@ability.can :update, [String, Array]
|
||||||
@ability.can?(:update, "foo").should be_true
|
@ability.can?(:update, "foo").should be_true
|
||||||
@ability.can?(:update, []).should be_true
|
@ability.can?(:update, []).should be_true
|
||||||
@ability.can?(:update, 123).should be_false
|
@ability.can?(:update, 123).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should support custom objects in the can definition" do
|
it "should support custom objects in the can definition" do
|
||||||
@ability.can :read, :stats
|
@ability.can :read, :stats
|
||||||
@ability.can?(:read, :stats).should be_true
|
@ability.can?(:read, :stats).should be_true
|
||||||
@ability.can?(:update, :stats).should be_false
|
@ability.can?(:update, :stats).should be_false
|
||||||
@ability.can?(:read, :nonstats).should be_false
|
@ability.can?(:read, :nonstats).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should support 'cannot' method to define what user cannot do" do
|
it "should support 'cannot' method to define what user cannot do" do
|
||||||
@ability.can :read, :all
|
@ability.can :read, :all
|
||||||
@ability.cannot :read, Integer
|
@ability.cannot :read, Integer
|
||||||
@ability.can?(:read, "foo").should be_true
|
@ability.can?(:read, "foo").should be_true
|
||||||
@ability.can?(:read, 123).should be_false
|
@ability.can?(:read, 123).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should support block on 'cannot' method" do
|
it "should support block on 'cannot' method" do
|
||||||
@ability.can :read, :all
|
@ability.can :read, :all
|
||||||
@ability.cannot :read, Integer do |int|
|
@ability.cannot :read, Integer do |int|
|
||||||
|
@ -120,19 +120,19 @@ describe CanCan::Ability do
|
||||||
@ability.can?(:read, 3).should be_true
|
@ability.can?(:read, 3).should be_true
|
||||||
@ability.can?(:read, 123).should be_false
|
@ability.can?(:read, 123).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should append aliased actions" do
|
it "should append aliased actions" do
|
||||||
@ability.alias_action :update, :to => :modify
|
@ability.alias_action :update, :to => :modify
|
||||||
@ability.alias_action :destroy, :to => :modify
|
@ability.alias_action :destroy, :to => :modify
|
||||||
@ability.aliased_actions[:modify].should == [:update, :destroy]
|
@ability.aliased_actions[:modify].should == [:update, :destroy]
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should clear aliased actions" do
|
it "should clear aliased actions" do
|
||||||
@ability.alias_action :update, :to => :modify
|
@ability.alias_action :update, :to => :modify
|
||||||
@ability.clear_aliased_actions
|
@ability.clear_aliased_actions
|
||||||
@ability.aliased_actions[:modify].should be_nil
|
@ability.aliased_actions[:modify].should be_nil
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should pass additional arguments to block from can?" do
|
it "should pass additional arguments to block from can?" do
|
||||||
@ability.can :read, Integer do |int, x|
|
@ability.can :read, Integer do |int, x|
|
||||||
int > x
|
int > x
|
||||||
|
@ -140,61 +140,61 @@ describe CanCan::Ability do
|
||||||
@ability.can?(:read, 2, 1).should be_true
|
@ability.can?(:read, 2, 1).should be_true
|
||||||
@ability.can?(:read, 2, 3).should be_false
|
@ability.can?(:read, 2, 3).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should use conditions as third parameter and determine abilities from it" do
|
it "should use conditions as third parameter and determine abilities from it" do
|
||||||
@ability.can :read, Array, :first => 1, :last => 3
|
@ability.can :read, Array, :first => 1, :last => 3
|
||||||
@ability.can?(:read, [1, 2, 3]).should be_true
|
@ability.can?(:read, [1, 2, 3]).should be_true
|
||||||
@ability.can?(:read, [1, 2, 3, 4]).should be_false
|
@ability.can?(:read, [1, 2, 3, 4]).should be_false
|
||||||
@ability.can?(:read, Array).should be_true
|
@ability.can?(:read, Array).should be_true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should allow an array of options in conditions hash" do
|
it "should allow an array of options in conditions hash" do
|
||||||
@ability.can :read, Array, :first => [1, 3, 5]
|
@ability.can :read, Array, :first => [1, 3, 5]
|
||||||
@ability.can?(:read, [1, 2, 3]).should be_true
|
@ability.can?(:read, [1, 2, 3]).should be_true
|
||||||
@ability.can?(:read, [2, 3]).should be_false
|
@ability.can?(:read, [2, 3]).should be_false
|
||||||
@ability.can?(:read, [3, 4]).should be_true
|
@ability.can?(:read, [3, 4]).should be_true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should allow a range of options in conditions hash" do
|
it "should allow a range of options in conditions hash" do
|
||||||
@ability.can :read, Array, :first => 1..3
|
@ability.can :read, Array, :first => 1..3
|
||||||
@ability.can?(:read, [1, 2, 3]).should be_true
|
@ability.can?(:read, [1, 2, 3]).should be_true
|
||||||
@ability.can?(:read, [3, 4]).should be_true
|
@ability.can?(:read, [3, 4]).should be_true
|
||||||
@ability.can?(:read, [4, 5]).should be_false
|
@ability.can?(:read, [4, 5]).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should allow nested hashes in conditions hash" do
|
it "should allow nested hashes in conditions hash" do
|
||||||
@ability.can :read, Array, :first => { :length => 5 }
|
@ability.can :read, Array, :first => { :length => 5 }
|
||||||
@ability.can?(:read, ["foo", "bar"]).should be_false
|
@ability.can?(:read, ["foo", "bar"]).should be_false
|
||||||
@ability.can?(:read, ["test1", "foo"]).should be_true
|
@ability.can?(:read, ["test1", "foo"]).should be_true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should allow nested hash of arrays and match any element" do
|
it "should allow nested hash of arrays and match any element" do
|
||||||
@ability.can :read, Array, :first => { :to_i => 3 }
|
@ability.can :read, Array, :first => { :to_i => 3 }
|
||||||
@ability.can?(:read, [[1, 2, 3]]).should be_true
|
@ability.can?(:read, [[1, 2, 3]]).should be_true
|
||||||
@ability.can?(:read, [[4, 5, 6]]).should be_false
|
@ability.can?(:read, [[4, 5, 6]]).should be_false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return conditions for a given ability" do
|
it "should return conditions for a given ability" do
|
||||||
@ability.can :read, Array, :first => 1, :last => 3
|
@ability.can :read, Array, :first => 1, :last => 3
|
||||||
@ability.conditions(:show, Array).should == {:first => 1, :last => 3}
|
@ability.conditions(:show, Array).should == {:first => 1, :last => 3}
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should raise an exception when a block is used on condition" do
|
it "should raise an exception when a block is used on condition" do
|
||||||
@ability.can :read, Array do |a|
|
@ability.can :read, Array do |a|
|
||||||
true
|
true
|
||||||
end
|
end
|
||||||
lambda { @ability.conditions(:show, Array) }.should raise_error(CanCan::Error, "Cannot determine ability conditions from block for :show Array")
|
lambda { @ability.conditions(:show, Array) }.should raise_error(CanCan::Error, "Cannot determine ability conditions from block for :show Array")
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return an empty hash for conditions when there are no conditions" do
|
it "should return an empty hash for conditions when there are no conditions" do
|
||||||
@ability.can :read, Array
|
@ability.can :read, Array
|
||||||
@ability.conditions(:show, Array).should == {}
|
@ability.conditions(:show, Array).should == {}
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return false when performed on an action which isn't defined" do
|
it "should return false when performed on an action which isn't defined" do
|
||||||
@ability.conditions(:foo, Array).should == false
|
@ability.conditions(:foo, Array).should == false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should has eated cheezburger" do
|
it "should has eated cheezburger" do
|
||||||
lambda {
|
lambda {
|
||||||
@ability.can? :has, :cheezburger
|
@ability.can? :has, :cheezburger
|
||||||
|
|
|
@ -8,18 +8,18 @@ describe CanCan::ActiveRecordAdditions do
|
||||||
@ability = Object.new
|
@ability = Object.new
|
||||||
@ability.extend(CanCan::Ability)
|
@ability.extend(CanCan::Ability)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should call where(:id => nil) when no ability is defined so no records are found" do
|
it "should call where(:id => nil) when no ability is defined so no records are found" do
|
||||||
stub(@model_class).where(:id => nil).stub!.joins(nil) { :no_where }
|
stub(@model_class).where(:id => nil).stub!.joins(nil) { :no_where }
|
||||||
@model_class.accessible_by(@ability, :read).should == :no_where
|
@model_class.accessible_by(@ability, :read).should == :no_where
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should call where with matching ability conditions" do
|
it "should call where with matching ability conditions" do
|
||||||
@ability.can :read, @model_class, :foo => {:bar => 1}
|
@ability.can :read, @model_class, :foo => {:bar => 1}
|
||||||
stub(@model_class).where(:foos => { :bar => 1 }).stub!.joins([:foo]) { :found_records }
|
stub(@model_class).where(:foos => { :bar => 1 }).stub!.joins([:foo]) { :found_records }
|
||||||
@model_class.accessible_by(@ability, :read).should == :found_records
|
@model_class.accessible_by(@ability, :read).should == :found_records
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should default to :read ability and use scoped when where isn't available" do
|
it "should default to :read ability and use scoped when where isn't available" do
|
||||||
@ability.can :read, @model_class, :foo => {:bar => 1}
|
@ability.can :read, @model_class, :foo => {:bar => 1}
|
||||||
stub(@model_class).scoped(:conditions => {:foos => {:bar => 1}}, :joins => [:foo]) { :found_records }
|
stub(@model_class).scoped(:conditions => {:foos => {:bar => 1}}, :joins => [:foo]) { :found_records }
|
||||||
|
|
|
@ -5,7 +5,7 @@ describe CanCan::CanDefinition do
|
||||||
@conditions = {}
|
@conditions = {}
|
||||||
@can = CanCan::CanDefinition.new(true, :read, Integer, @conditions, nil)
|
@can = CanCan::CanDefinition.new(true, :read, Integer, @conditions, nil)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return no association joins if none exist" do
|
it "should return no association joins if none exist" do
|
||||||
@can.association_joins.should be_nil
|
@can.association_joins.should be_nil
|
||||||
end
|
end
|
||||||
|
@ -30,13 +30,13 @@ describe CanCan::CanDefinition do
|
||||||
@conditions[:foo] = {:bar => {1 => 2}}
|
@conditions[:foo] = {:bar => {1 => 2}}
|
||||||
@can.association_joins.should == [{:foo => [:bar]}]
|
@can.association_joins.should == [{:foo => [:bar]}]
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return table names in conditions for association joins" do
|
it "should return table names in conditions for association joins" do
|
||||||
@conditions[:foo] = {:bar => 1}
|
@conditions[:foo] = {:bar => 1}
|
||||||
@conditions[:test] = 1
|
@conditions[:test] = 1
|
||||||
@can.conditions(:tableize => true).should == { :foos => { :bar => 1}, :test => 1 }
|
@can.conditions(:tableize => true).should == { :foos => { :bar => 1}, :test => 1 }
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return no association joins if conditions is nil" do
|
it "should return no association joins if conditions is nil" do
|
||||||
can = CanCan::CanDefinition.new(true, :read, Integer, nil, nil)
|
can = CanCan::CanDefinition.new(true, :read, Integer, nil, nil)
|
||||||
can.association_joins.should be_nil
|
can.association_joins.should be_nil
|
||||||
|
|
|
@ -9,11 +9,11 @@ describe CanCan::ControllerAdditions do
|
||||||
mock(@controller_class).helper_method(:can?, :cannot?)
|
mock(@controller_class).helper_method(:can?, :cannot?)
|
||||||
@controller_class.send(:include, CanCan::ControllerAdditions)
|
@controller_class.send(:include, CanCan::ControllerAdditions)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should raise ImplementationRemoved when attempting to call 'unauthorized!' on a controller" do
|
it "should raise ImplementationRemoved when attempting to call 'unauthorized!' on a controller" do
|
||||||
lambda { @controller.unauthorized! }.should raise_error(CanCan::ImplementationRemoved)
|
lambda { @controller.unauthorized! }.should raise_error(CanCan::ImplementationRemoved)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should raise access denied exception if ability us unauthorized to perform a certain action" do
|
it "should raise access denied exception if ability us unauthorized to perform a certain action" do
|
||||||
begin
|
begin
|
||||||
@controller.authorize! :read, :foo, 1, 2, 3, :message => "Access denied!"
|
@controller.authorize! :read, :foo, 1, 2, 3, :message => "Access denied!"
|
||||||
|
@ -25,12 +25,12 @@ describe CanCan::ControllerAdditions do
|
||||||
fail "Expected CanCan::AccessDenied exception to be raised"
|
fail "Expected CanCan::AccessDenied exception to be raised"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not raise access denied exception if ability is authorized to perform an action" do
|
it "should not raise access denied exception if ability is authorized to perform an action" do
|
||||||
@controller.current_ability.can :read, :foo
|
@controller.current_ability.can :read, :foo
|
||||||
lambda { @controller.authorize!(:read, :foo) }.should_not raise_error
|
lambda { @controller.authorize!(:read, :foo) }.should_not raise_error
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should raise access denied exception with default message if not specified" do
|
it "should raise access denied exception with default message if not specified" do
|
||||||
begin
|
begin
|
||||||
@controller.authorize! :read, :foo
|
@controller.authorize! :read, :foo
|
||||||
|
@ -41,29 +41,29 @@ describe CanCan::ControllerAdditions do
|
||||||
fail "Expected CanCan::AccessDenied exception to be raised"
|
fail "Expected CanCan::AccessDenied exception to be raised"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should have a current_ability method which generates an ability for the current user" do
|
it "should have a current_ability method which generates an ability for the current user" do
|
||||||
@controller.current_ability.should be_kind_of(Ability)
|
@controller.current_ability.should be_kind_of(Ability)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should provide a can? and cannot? methods which go through the current ability" do
|
it "should provide a can? and cannot? methods which go through the current ability" do
|
||||||
@controller.current_ability.should be_kind_of(Ability)
|
@controller.current_ability.should be_kind_of(Ability)
|
||||||
@controller.can?(:foo, :bar).should be_false
|
@controller.can?(:foo, :bar).should be_false
|
||||||
@controller.cannot?(:foo, :bar).should be_true
|
@controller.cannot?(:foo, :bar).should be_true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
|
it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
|
||||||
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource
|
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource
|
||||||
mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
|
mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
|
||||||
@controller_class.load_and_authorize_resource :foo => :bar
|
@controller_class.load_and_authorize_resource :foo => :bar
|
||||||
end
|
end
|
||||||
|
|
||||||
it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
|
it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
|
||||||
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource
|
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource
|
||||||
mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) }
|
mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) }
|
||||||
@controller_class.authorize_resource :foo => :bar, :except => :show
|
@controller_class.authorize_resource :foo => :bar, :except => :show
|
||||||
end
|
end
|
||||||
|
|
||||||
it "load_resource should setup a before filter which passes call to ResourceAuthorization" do
|
it "load_resource should setup a before filter which passes call to ResourceAuthorization" do
|
||||||
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource
|
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource
|
||||||
mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) }
|
mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) }
|
||||||
|
|
|
@ -4,53 +4,53 @@ describe CanCan::ControllerResource do
|
||||||
before(:each) do
|
before(:each) do
|
||||||
@controller = Object.new
|
@controller = Object.new
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should determine model class by constantizing give name" do
|
it "should determine model class by constantizing give name" do
|
||||||
CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability
|
CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should fetch model through model class and assign it to the instance" do
|
it "should fetch model through model class and assign it to the instance" do
|
||||||
stub(Ability).find(123) { :some_ability }
|
stub(Ability).find(123) { :some_ability }
|
||||||
CanCan::ControllerResource.new(@controller, :ability).find(123)
|
CanCan::ControllerResource.new(@controller, :ability).find(123)
|
||||||
@controller.instance_variable_get(:@ability).should == :some_ability
|
@controller.instance_variable_get(:@ability).should == :some_ability
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should fetch model through parent and assign it to the instance" do
|
it "should fetch model through parent and assign it to the instance" do
|
||||||
parent = Object.new
|
parent = Object.new
|
||||||
stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability }
|
stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability }
|
||||||
CanCan::ControllerResource.new(@controller, :ability, parent).find(123)
|
CanCan::ControllerResource.new(@controller, :ability, parent).find(123)
|
||||||
@controller.instance_variable_get(:@ability).should == :some_ability
|
@controller.instance_variable_get(:@ability).should == :some_ability
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should build model through model class and assign it to the instance" do
|
it "should build model through model class and assign it to the instance" do
|
||||||
stub(Ability).new(123) { :some_ability }
|
stub(Ability).new(123) { :some_ability }
|
||||||
CanCan::ControllerResource.new(@controller, :ability).build(123)
|
CanCan::ControllerResource.new(@controller, :ability).build(123)
|
||||||
@controller.instance_variable_get(:@ability).should == :some_ability
|
@controller.instance_variable_get(:@ability).should == :some_ability
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should build model through parent and assign it to the instance" do
|
it "should build model through parent and assign it to the instance" do
|
||||||
parent = Object.new
|
parent = Object.new
|
||||||
stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability }
|
stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability }
|
||||||
CanCan::ControllerResource.new(@controller, :ability, parent).build(123)
|
CanCan::ControllerResource.new(@controller, :ability, parent).build(123)
|
||||||
@controller.instance_variable_get(:@ability).should == :some_ability
|
@controller.instance_variable_get(:@ability).should == :some_ability
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not load resource if instance variable is already provided" do
|
it "should not load resource if instance variable is already provided" do
|
||||||
@controller.instance_variable_set(:@ability, :some_ability)
|
@controller.instance_variable_set(:@ability, :some_ability)
|
||||||
CanCan::ControllerResource.new(@controller, :ability).find(123)
|
CanCan::ControllerResource.new(@controller, :ability).find(123)
|
||||||
@controller.instance_variable_get(:@ability).should == :some_ability
|
@controller.instance_variable_get(:@ability).should == :some_ability
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should use the model class option if provided" do
|
it "should use the model class option if provided" do
|
||||||
stub(Person).find(123) { :some_resource }
|
stub(Person).find(123) { :some_resource }
|
||||||
CanCan::ControllerResource.new(@controller, :ability, nil, :resource => Person).find(123)
|
CanCan::ControllerResource.new(@controller, :ability, nil, :resource => Person).find(123)
|
||||||
@controller.instance_variable_get(:@ability).should == :some_resource
|
@controller.instance_variable_get(:@ability).should == :some_resource
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should convert string to constant for resource" do
|
it "should convert string to constant for resource" do
|
||||||
CanCan::ControllerResource.new(@controller, :ability, nil, :resource => "Person").model_class.should == Person
|
CanCan::ControllerResource.new(@controller, :ability, nil, :resource => "Person").model_class.should == Person
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should raise an exception when specifying :class option since it is no longer used" do
|
it "should raise an exception when specifying :class option since it is no longer used" do
|
||||||
lambda {
|
lambda {
|
||||||
CanCan::ControllerResource.new(@controller, :ability, nil, :class => Person)
|
CanCan::ControllerResource.new(@controller, :ability, nil, :class => Person)
|
||||||
|
|
|
@ -5,29 +5,29 @@ describe CanCan::AccessDenied do
|
||||||
before(:each) do
|
before(:each) do
|
||||||
@exception = CanCan::AccessDenied.new(nil, :some_action, :some_subject)
|
@exception = CanCan::AccessDenied.new(nil, :some_action, :some_subject)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should have action and subject accessors" do
|
it "should have action and subject accessors" do
|
||||||
@exception.action.should == :some_action
|
@exception.action.should == :some_action
|
||||||
@exception.subject.should == :some_subject
|
@exception.subject.should == :some_subject
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should have a changable default message" do
|
it "should have a changable default message" do
|
||||||
@exception.message.should == "You are not authorized to access this page."
|
@exception.message.should == "You are not authorized to access this page."
|
||||||
@exception.default_message = "Unauthorized!"
|
@exception.default_message = "Unauthorized!"
|
||||||
@exception.message.should == "Unauthorized!"
|
@exception.message.should == "Unauthorized!"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "with only a message" do
|
describe "with only a message" do
|
||||||
before(:each) do
|
before(:each) do
|
||||||
@exception = CanCan::AccessDenied.new("Access denied!")
|
@exception = CanCan::AccessDenied.new("Access denied!")
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should have nil action and subject" do
|
it "should have nil action and subject" do
|
||||||
@exception.action.should be_nil
|
@exception.action.should be_nil
|
||||||
@exception.subject.should be_nil
|
@exception.subject.should be_nil
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should have passed message" do
|
it "should have passed message" do
|
||||||
@exception.message.should == "Access denied!"
|
@exception.message.should == "Access denied!"
|
||||||
end
|
end
|
||||||
|
|
|
@ -4,101 +4,101 @@ describe CanCan::ResourceAuthorization do
|
||||||
before(:each) do
|
before(:each) do
|
||||||
@controller = Object.new # simple stub for now
|
@controller = Object.new # simple stub for now
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should load the resource into an instance variable if params[:id] is specified" do
|
it "should load the resource into an instance variable if params[:id] is specified" do
|
||||||
stub(Ability).find(123) { :some_resource }
|
stub(Ability).find(123) { :some_resource }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should == :some_resource
|
@controller.instance_variable_get(:@ability).should == :some_resource
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should properly load resource for namespaced controller" do
|
it "should properly load resource for namespaced controller" do
|
||||||
stub(Ability).find(123) { :some_resource }
|
stub(Ability).find(123) { :some_resource }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should == :some_resource
|
@controller.instance_variable_get(:@ability).should == :some_resource
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should properly load resource for namespaced controller when using '::' for namespace" do
|
it "should properly load resource for namespaced controller when using '::' for namespace" do
|
||||||
stub(Ability).find(123) { :some_resource }
|
stub(Ability).find(123) { :some_resource }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "Admin::AbilitiesController", :action => "show", :id => 123)
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "Admin::AbilitiesController", :action => "show", :id => 123)
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should == :some_resource
|
@controller.instance_variable_get(:@ability).should == :some_resource
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should build a new resource with hash if params[:id] is not specified" do
|
it "should build a new resource with hash if params[:id] is not specified" do
|
||||||
stub(Ability).new(:foo => "bar") { :some_resource }
|
stub(Ability).new(:foo => "bar") { :some_resource }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should == :some_resource
|
@controller.instance_variable_get(:@ability).should == :some_resource
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should build a new resource even if attribute hash isn't specified" do
|
it "should build a new resource even if attribute hash isn't specified" do
|
||||||
stub(Ability).new(nil) { :some_resource }
|
stub(Ability).new(nil) { :some_resource }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should == :some_resource
|
@controller.instance_variable_get(:@ability).should == :some_resource
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not build a resource when on index action" do
|
it "should not build a resource when on index action" do
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should be_nil
|
@controller.instance_variable_get(:@ability).should be_nil
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should perform authorization using controller action and loaded model" do
|
it "should perform authorization using controller action and loaded model" do
|
||||||
@controller.instance_variable_set(:@ability, :some_resource)
|
@controller.instance_variable_set(:@ability, :some_resource)
|
||||||
stub(@controller).authorize!(:show, :some_resource) { raise CanCan::AccessDenied }
|
stub(@controller).authorize!(:show, :some_resource) { raise CanCan::AccessDenied }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
|
||||||
lambda { authorization.authorize_resource }.should raise_error(CanCan::AccessDenied)
|
lambda { authorization.authorize_resource }.should raise_error(CanCan::AccessDenied)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should perform authorization using controller action and non loaded model" do
|
it "should perform authorization using controller action and non loaded model" do
|
||||||
stub(@controller).authorize!(:show, Ability) { raise CanCan::AccessDenied }
|
stub(@controller).authorize!(:show, Ability) { raise CanCan::AccessDenied }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
|
||||||
lambda { authorization.authorize_resource }.should raise_error(CanCan::AccessDenied)
|
lambda { authorization.authorize_resource }.should raise_error(CanCan::AccessDenied)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should call load_resource and authorize_resource for load_and_authorize_resource" do
|
it "should call load_resource and authorize_resource for load_and_authorize_resource" do
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
|
||||||
mock(authorization).load_resource
|
mock(authorization).load_resource
|
||||||
mock(authorization).authorize_resource
|
mock(authorization).authorize_resource
|
||||||
authorization.load_and_authorize_resource
|
authorization.load_and_authorize_resource
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not build a resource when on custom collection action" do
|
it "should not build a resource when on custom collection action" do
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "sort"}, {:collection => [:sort, :list]})
|
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "sort"}, {:collection => [:sort, :list]})
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should be_nil
|
@controller.instance_variable_get(:@ability).should be_nil
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should build a resource when on custom new action even when params[:id] exists" do
|
it "should build a resource when on custom new action even when params[:id] exists" do
|
||||||
stub(Ability).new(nil) { :some_resource }
|
stub(Ability).new(nil) { :some_resource }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "build", :id => 123}, {:new => :build})
|
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "build", :id => 123}, {:new => :build})
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should == :some_resource
|
@controller.instance_variable_get(:@ability).should == :some_resource
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not try to load resource for other action if params[:id] is undefined" do
|
it "should not try to load resource for other action if params[:id] is undefined" do
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "list")
|
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "list")
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should be_nil
|
@controller.instance_variable_get(:@ability).should be_nil
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should load nested resource and fetch other resource through the association" do
|
it "should load nested resource and fetch other resource through the association" do
|
||||||
stub(Person).find(456).stub!.abilities.stub!.find(123) { :some_ability }
|
stub(Person).find(456).stub!.abilities.stub!.find(123) { :some_ability }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123, :person_id => 456}, {:nested => :person})
|
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123, :person_id => 456}, {:nested => :person})
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should == :some_ability
|
@controller.instance_variable_get(:@ability).should == :some_ability
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should load nested resource and build resource through a deep association" do
|
it "should load nested resource and build resource through a deep association" do
|
||||||
stub(Person).find(456).stub!.behaviors.stub!.find(789).stub!.abilities.stub!.build(nil) { :some_ability }
|
stub(Person).find(456).stub!.behaviors.stub!.find(789).stub!.abilities.stub!.build(nil) { :some_ability }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456, :behavior_id => 789}, {:nested => [:person, :behavior]})
|
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456, :behavior_id => 789}, {:nested => [:person, :behavior]})
|
||||||
authorization.load_resource
|
authorization.load_resource
|
||||||
@controller.instance_variable_get(:@ability).should == :some_ability
|
@controller.instance_variable_get(:@ability).should == :some_ability
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not load nested resource and build through this if *_id param isn't specified" do
|
it "should not load nested resource and build through this if *_id param isn't specified" do
|
||||||
stub(Person).find(456) { :some_person }
|
stub(Person).find(456) { :some_person }
|
||||||
stub(Ability).new(nil) { :some_ability }
|
stub(Ability).new(nil) { :some_ability }
|
||||||
|
@ -107,7 +107,7 @@ describe CanCan::ResourceAuthorization do
|
||||||
@controller.instance_variable_get(:@person).should == :some_person
|
@controller.instance_variable_get(:@person).should == :some_person
|
||||||
@controller.instance_variable_get(:@ability).should == :some_ability
|
@controller.instance_variable_get(:@ability).should == :some_ability
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should load the model using a custom class" do
|
it "should load the model using a custom class" do
|
||||||
stub(Person).find(123) { :some_resource }
|
stub(Person).find(123) { :some_resource }
|
||||||
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:resource => Person})
|
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:resource => Person})
|
||||||
|
|
|
@ -13,7 +13,7 @@ end
|
||||||
|
|
||||||
class Ability
|
class Ability
|
||||||
include CanCan::Ability
|
include CanCan::Ability
|
||||||
|
|
||||||
def initialize(user)
|
def initialize(user)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue
Block a user