improving inline documentation

This commit is contained in:
Ryan Bates 2010-05-21 13:41:24 -07:00
parent 7543eedd6a
commit dfd84a10ed
16 changed files with 254 additions and 238 deletions

View File

@ -1,4 +1,4 @@
* Fix issue when using accessible_by with nil can conditions (thanks jrallison) - see issue #66 * Fixing issue when using accessible_by with nil can conditions (thanks jrallison) - see issue #66
* Pluralize table name for belongs_to associations in can conditions hash (thanks logandk) - see issue #62 * Pluralize table name for belongs_to associations in can conditions hash (thanks logandk) - see issue #62

View File

@ -1,8 +1,8 @@
module CanCan module CanCan
# This module is designed to be included into an Ability class. This will # This module is designed to be included into an Ability class. This will
# provide the "can" methods for defining and checking abilities. # provide the "can" methods for defining and checking abilities.
# #
# class Ability # class Ability
# include CanCan::Ability # include CanCan::Ability
# #
@ -14,179 +14,180 @@ module CanCan
# end # end
# end # end
# end # end
# #
module Ability module Ability
# Use to check the user's permission for a given action and object. # Use to check if the user has permission to perform a given action on an object.
# #
# can? :destroy, @project # can? :destroy, @project
# #
# You can also pass the class instead of an instance (if you don't have one handy). # You can also pass the class instead of an instance (if you don't have one handy).
# #
# can? :create, Project # can? :create, Project
# #
# Any additional arguments will be passed into the "can" block definition. This # Any additional arguments will be passed into the "can" block definition. This
# can be used to pass more information about the user's request for example. # can be used to pass more information about the user's request for example.
# #
# can? :create, Project, request.remote_ip # can? :create, Project, request.remote_ip
# #
# can :create Project do |project, remote_ip| # can :create Project do |project, remote_ip|
# # ... # # ...
# end # end
# #
# Not only can you use the can? method in the controller and view (see ControllerAdditions), # Not only can you use the can? method in the controller and view (see ControllerAdditions),
# but you can also call it directly on an ability instance. # but you can also call it directly on an ability instance.
# #
# ability.can? :destroy, @project # ability.can? :destroy, @project
# #
# This makes testing a user's abilities very easy. # This makes testing a user's abilities very easy.
# #
# def test "user can only destroy projects which he owns" # def test "user can only destroy projects which he owns"
# user = User.new # user = User.new
# ability = Ability.new(user) # ability = Ability.new(user)
# assert ability.can?(:destroy, Project.new(:user => user)) # assert ability.can?(:destroy, Project.new(:user => user))
# assert ability.cannot?(:destroy, Project.new) # assert ability.cannot?(:destroy, Project.new)
# end # end
# #
# Also see the RSpec Matchers to aid in testing.
def can?(action, subject, *extra_args) def can?(action, subject, *extra_args)
raise Error, "Nom nom nom. I eated it." if action == :has && subject == :cheezburger raise Error, "Nom nom nom. I eated it." if action == :has && subject == :cheezburger
can_definition = matching_can_definition(action, subject) can_definition = matching_can_definition(action, subject)
can_definition && can_definition.can?(action, subject, extra_args) can_definition && can_definition.can?(action, subject, extra_args)
end end
# Convenience method which works the same as "can?" but returns the opposite value. # Convenience method which works the same as "can?" but returns the opposite value.
# #
# cannot? :destroy, @project # cannot? :destroy, @project
# #
def cannot?(*args) def cannot?(*args)
!can?(*args) !can?(*args)
end end
# Defines which abilities are allowed using two arguments. The first one is the action # Defines which abilities are allowed using two arguments. The first one is the action
# you're setting the permission for, the second one is the class of object you're setting it on. # you're setting the permission for, the second one is the class of object you're setting it on.
# #
# can :update, Article # can :update, Article
# #
# You can pass an array for either of these parameters to match any one. # You can pass an array for either of these parameters to match any one.
# #
# can [:update, :destroy], [Article, Comment] # can [:update, :destroy], [Article, Comment]
# #
# In this case the user has the ability to update or destroy both articles and comments. # In this case the user has the ability to update or destroy both articles and comments.
# #
# You can pass a hash of conditions as the third argument. # You can pass a hash of conditions as the third argument.
# #
# can :read, Project, :active => true, :user_id => user.id # can :read, Project, :active => true, :user_id => user.id
# #
# Here the user can only see active projects which he owns. See ControllerAdditions#conditions for a way to # Here the user can only see active projects which he owns. See ActiveRecordAdditions#accessible_by
# use this in database queries. # for how to use this in database queries.
# #
# If the conditions hash does not give you enough control over defining abilities, you can use a block to # If the conditions hash does not give you enough control over defining abilities, you can use a block to
# write any Ruby code you want. # write any Ruby code you want.
# #
# can :update, Project do |project| # can :update, Project do |project|
# project && project.groups.include?(user.group) # project && project.groups.include?(user.group)
# end # end
# #
# If the block returns true then the user has that :update ability for that project, otherwise he # If the block returns true then the user has that :update ability for that project, otherwise he
# will be denied access. It's possible for the passed in model to be nil if one isn't specified, # will be denied access. It's possible for the passed in model to be nil if one isn't specified,
# so be sure to take that into consideration. # so be sure to take that into consideration.
# #
# The downside to using a block is that it cannot be used to generate conditions for database queries. # The downside to using a block is that it cannot be used to generate conditions for database queries.
# #
# You can pass :all to reference every type of object. In this case the object type will be passed # You can pass :all to reference every type of object. In this case the object type will be passed
# into the block as well (just in case object is nil). # into the block as well (just in case object is nil).
# #
# can :read, :all do |object_class, object| # can :read, :all do |object_class, object|
# object_class != Order # object_class != Order
# end # end
# #
# Here the user has permission to read all objects except orders. # Here the user has permission to read all objects except orders.
# #
# You can also pass :manage as the action which will match any action. In this case the action is # You can also pass :manage as the action which will match any action. In this case the action is
# passed to the block. # passed to the block.
# #
# can :manage, Comment do |action, comment| # can :manage, Comment do |action, comment|
# action != :destroy # action != :destroy
# end # end
# #
# You can pass custom objects into this "can" method, this is usually done through a symbol # You can pass custom objects into this "can" method, this is usually done through a symbol
# and is useful if a class isn't available to define permissions on. # and is useful if a class isn't available to define permissions on.
# #
# can :read, :stats # can :read, :stats
# can? :read, :stats # => true # can? :read, :stats # => true
# #
def can(action, subject, conditions = nil, &block) def can(action, subject, conditions = nil, &block)
can_definitions << CanDefinition.new(true, action, subject, conditions, block) can_definitions << CanDefinition.new(true, action, subject, conditions, block)
end end
# Define an ability which cannot be done. Accepts the same arguments as "can". # Defines an ability which cannot be done. Accepts the same arguments as "can".
# #
# can :read, :all # can :read, :all
# cannot :read, Comment # cannot :read, Comment
# #
# A block can be passed just like "can", however if the logic is complex it is recommended # A block can be passed just like "can", however if the logic is complex it is recommended
# to use the "can" method. # to use the "can" method.
# #
# cannot :read, Product do |product| # cannot :read, Product do |product|
# product.invisible? # product.invisible?
# end # end
# #
def cannot(action, subject, conditions = nil, &block) def cannot(action, subject, conditions = nil, &block)
can_definitions << CanDefinition.new(false, action, subject, conditions, block) can_definitions << CanDefinition.new(false, action, subject, conditions, block)
end end
# Alias one or more actions into another one. # Alias one or more actions into another one.
# #
# alias_action :update, :destroy, :to => :modify # alias_action :update, :destroy, :to => :modify
# can :modify, Comment # can :modify, Comment
# #
# Then :modify permission will apply to both :update and :destroy requests. # Then :modify permission will apply to both :update and :destroy requests.
# #
# can? :update, Comment # => true # can? :update, Comment # => true
# can? :destroy, Comment # => true # can? :destroy, Comment # => true
# #
# This only works in one direction. Passing the aliased action into the "can?" call # This only works in one direction. Passing the aliased action into the "can?" call
# will not work because aliases are meant to generate more generic actions. # will not work because aliases are meant to generate more generic actions.
# #
# alias_action :update, :destroy, :to => :modify # alias_action :update, :destroy, :to => :modify
# can :update, Comment # can :update, Comment
# can? :modify, Comment # => false # can? :modify, Comment # => false
# #
# Unless that exact alias is used. # Unless that exact alias is used.
# #
# can :modify, Comment # can :modify, Comment
# can? :modify, Comment # => true # can? :modify, Comment # => true
# #
# The following aliases are added by default for conveniently mapping common controller actions. # The following aliases are added by default for conveniently mapping common controller actions.
# #
# alias_action :index, :show, :to => :read # alias_action :index, :show, :to => :read
# alias_action :new, :to => :create # alias_action :new, :to => :create
# alias_action :edit, :to => :update # alias_action :edit, :to => :update
# #
# This way one can use params[:action] in the controller to determine the permission. # This way one can use params[:action] in the controller to determine the permission.
def alias_action(*args) def alias_action(*args)
target = args.pop[:to] target = args.pop[:to]
aliased_actions[target] ||= [] aliased_actions[target] ||= []
aliased_actions[target] += args aliased_actions[target] += args
end end
# Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key. # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
def aliased_actions def aliased_actions
@aliased_actions ||= default_alias_actions @aliased_actions ||= default_alias_actions
end end
# Removes previously aliased actions including the defaults. # Removes previously aliased actions including the defaults.
def clear_aliased_actions def clear_aliased_actions
@aliased_actions = {} @aliased_actions = {}
end end
# Returns a hash of conditions which match the given ability. This is useful if you need to generate a database # Returns a hash of conditions which match the given ability. This is useful if you need to generate a database
# query based on the current ability. # query based on the current ability.
# #
# can :read, Article, :visible => true # can :read, Article, :visible => true
# conditions :read, Article # returns { :visible => true } # conditions :read, Article # returns { :visible => true }
# #
# Normally you will not call this method directly, but instead go through ActiveRecordAdditions#accessible_by method. # Normally you will not call this method directly, but instead go through ActiveRecordAdditions#accessible_by method.
# #
# If the ability is not defined then false is returned so be sure to take that into consideration. # If the ability is not defined then false is returned so be sure to take that into consideration.
# If the ability is defined using a block then this will raise an exception since a hash of conditions cannot be # If the ability is defined using a block then this will raise an exception since a hash of conditions cannot be
# determined from that. # determined from that.
@ -199,7 +200,7 @@ module CanCan
false false
end end
end end
# Returns the associations used in conditions. This is usually used in the :joins option for a search. # Returns the associations used in conditions. This is usually used in the :joins option for a search.
# See ActiveRecordAdditions#accessible_by for use in Active Record. # See ActiveRecordAdditions#accessible_by for use in Active Record.
def association_joins(action, subject) def association_joins(action, subject)
@ -211,18 +212,18 @@ module CanCan
end end
private private
def can_definitions def can_definitions
@can_definitions ||= [] @can_definitions ||= []
end end
def matching_can_definition(action, subject) def matching_can_definition(action, subject)
can_definitions.reverse.detect do |can_definition| can_definitions.reverse.detect do |can_definition|
can_definition.expand_actions(aliased_actions) can_definition.expand_actions(aliased_actions)
can_definition.matches? action, subject can_definition.matches? action, subject
end end
end end
def default_alias_actions def default_alias_actions
{ {
:read => [:index, :show], :read => [:index, :show],

View File

@ -1,5 +1,5 @@
module CanCan module CanCan
# This module is automatically included into all Active Record. # This module is automatically included into all Active Record models.
module ActiveRecordAdditions module ActiveRecordAdditions
module ClassMethods module ClassMethods
# Returns a scope which fetches only the records that the passed ability # Returns a scope which fetches only the records that the passed ability
@ -7,16 +7,16 @@ module CanCan
# is usually called from a controller and passed the +current_ability+. # is usually called from a controller and passed the +current_ability+.
# #
# @articles = Article.accessible_by(current_ability) # @articles = Article.accessible_by(current_ability)
# #
# Here only the articles which the user is able to read will be returned. # Here only the articles which the user is able to read will be returned.
# If the user does not have permission to read any articles then an empty # If the user does not have permission to read any articles then an empty
# result is returned. Since this is a scope it can be combined with any # result is returned. Since this is a scope it can be combined with any
# other scopes or pagination. # other scopes or pagination.
# #
# An alternative action can optionally be passed as a second argument. # An alternative action can optionally be passed as a second argument.
# #
# @articles = Article.accessible_by(current_ability, :update) # @articles = Article.accessible_by(current_ability, :update)
# #
# Here only the articles which the user can update are returned. This # Here only the articles which the user can update are returned. This
# internally uses Ability#conditions method, see that for more information. # internally uses Ability#conditions method, see that for more information.
def accessible_by(ability, action = :read) def accessible_by(ability, action = :read)
@ -29,7 +29,7 @@ module CanCan
end end
end end
end end
def self.included(base) def self.included(base)
base.extend ClassMethods base.extend ClassMethods
end end

View File

@ -1,9 +1,15 @@
module CanCan module CanCan
# This class is used internally and should only be called through Ability. # This class is used internally and should only be called through Ability.
# it holds the information about a "can" call made on Ability and provides
# helpful methods to determine permission checking and conditions hash generation.
class CanDefinition # :nodoc: class CanDefinition # :nodoc:
include ActiveSupport::Inflector include ActiveSupport::Inflector
attr_reader :block attr_reader :block
# The first argument when initializing is the base_behavior which is a true/false
# value. True for "can" and false for "cannot". The next two arguments are the action
# and subject respectively (such as :read, @project). The third argument is a hash
# of conditions and the last one is the block passed to the "can" call.
def initialize(base_behavior, action, subject, conditions, block) def initialize(base_behavior, action, subject, conditions, block)
@base_behavior = base_behavior @base_behavior = base_behavior
@actions = [action].flatten @actions = [action].flatten
@ -11,27 +17,31 @@ module CanCan
@conditions = conditions || {} @conditions = conditions || {}
@block = block @block = block
end end
# Accepts a hash of aliased actions and returns an array of actions which match.
# This should be called before "matches?" and other checking methods since they
# rely on the actions to be expanded.
def expand_actions(aliased_actions) def expand_actions(aliased_actions)
@expanded_actions = @actions.map do |action| @expanded_actions = @actions.map do |action|
aliased_actions[action] ? [action, *aliased_actions[action]] : action aliased_actions[action] ? [action, *aliased_actions[action]] : action
end.flatten end.flatten
end end
def matches?(action, subject) def matches?(action, subject)
matches_action?(action) && matches_subject?(subject) matches_action?(action) && matches_subject?(subject)
end end
def can?(action, subject, extra_args) def can?(action, subject, extra_args)
result = can_without_base_behavior?(action, subject, extra_args) result = can_without_base_behavior?(action, subject, extra_args)
@base_behavior ? result : !result @base_behavior ? result : !result
end end
# Returns a hash of conditions. If the ":tableize => true" option is passed
# it will pluralize the association conditions to match the table name.
def conditions(options = {}) def conditions(options = {})
if options[:tableize] and @conditions.kind_of? Hash if options[:tableize] && @conditions.kind_of?(Hash)
@conditions.inject({}) do |tableized_conditions, (name, value)| @conditions.inject({}) do |tableized_conditions, (name, value)|
name = tableize(name).to_sym if value.kind_of? Hash name = tableize(name).to_sym if value.kind_of? Hash
tableized_conditions[name] = value tableized_conditions[name] = value
tableized_conditions tableized_conditions
end end
@ -54,17 +64,17 @@ module CanCan
end end
joins unless joins.empty? joins unless joins.empty?
end end
private private
def matches_action?(action) def matches_action?(action)
@expanded_actions.include?(:manage) || @expanded_actions.include?(action) @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
end end
def matches_subject?(subject) def matches_subject?(subject)
@subjects.include?(:all) || @subjects.include?(subject) || @subjects.any? { |sub| sub.kind_of?(Class) && subject.kind_of?(sub) } @subjects.include?(:all) || @subjects.include?(subject) || @subjects.any? { |sub| sub.kind_of?(Class) && subject.kind_of?(sub) }
end end
def can_without_base_behavior?(action, subject, extra_args) def can_without_base_behavior?(action, subject, extra_args)
if @block if @block
call_block(action, subject, extra_args) call_block(action, subject, extra_args)
@ -74,7 +84,7 @@ module CanCan
true true
end end
end end
def matches_conditions?(subject, conditions = @conditions) def matches_conditions?(subject, conditions = @conditions)
conditions.all? do |name, value| conditions.all? do |name, value|
attribute = subject.send(name) attribute = subject.send(name)
@ -91,7 +101,7 @@ module CanCan
end end
end end
end end
def call_block(action, subject, extra_args) def call_block(action, subject, extra_args)
block_args = [] block_args = []
block_args << action if @expanded_actions.include?(:manage) block_args << action if @expanded_actions.include?(:manage)

View File

@ -1,35 +1,35 @@
module CanCan module CanCan
# This module is automatically included into all controllers. # This module is automatically included into all controllers.
# It also makes the "can?" and "cannot?" methods available to all views. # It also makes the "can?" and "cannot?" methods available to all views.
module ControllerAdditions module ControllerAdditions
module ClassMethods module ClassMethods
# Sets up a before filter which loads and authorizes the current resource. This performs both # Sets up a before filter which loads and authorizes the current resource. This performs both
# load_resource and authorize_resource and accepts the same arguments. See those methods for details. # load_resource and authorize_resource and accepts the same arguments. See those methods for details.
# #
# class BooksController < ApplicationController # class BooksController < ApplicationController
# load_and_authorize_resource # load_and_authorize_resource
# end # end
# #
def load_and_authorize_resource(options = {}) def load_and_authorize_resource(options = {})
ResourceAuthorization.add_before_filter(self, :load_and_authorize_resource, options) ResourceAuthorization.add_before_filter(self, :load_and_authorize_resource, options)
end end
# Sets up a before filter which loads the appropriate model resource into an instance variable. # Sets up a before filter which loads the appropriate model resource into an instance variable.
# For example, given an ArticlesController it will load the current article into the @article # For example, given an ArticlesController it will load the current article into the @article
# instance variable. It does this by either calling Article.find(params[:id]) or # instance variable. It does this by either calling Article.find(params[:id]) or
# Article.new(params[:article]) depending upon the action. It does nothing for the "index" # Article.new(params[:article]) depending upon the action. It does nothing for the "index"
# action. # action.
# #
# Call this method directly on the controller class. # Call this method directly on the controller class.
# #
# class BooksController < ApplicationController # class BooksController < ApplicationController
# load_resource # load_resource
# end # end
# #
# A resource is not loaded if the instance variable is already set. This makes it easy to override # A resource is not loaded if the instance variable is already set. This makes it easy to override
# the behavior through a before_filter on certain actions. # the behavior through a before_filter on certain actions.
# #
# class BooksController < ApplicationController # class BooksController < ApplicationController
# before_filter :find_book_by_permalink, :only => :show # before_filter :find_book_by_permalink, :only => :show
# load_resource # load_resource
@ -40,107 +40,107 @@ module CanCan
# @book = Book.find_by_permalink!(params[:id) # @book = Book.find_by_permalink!(params[:id)
# end # end
# end # end
# #
# See load_and_authorize_resource to automatically authorize the resource too. # See load_and_authorize_resource to automatically authorize the resource too.
# #
# Options: # Options:
# [:+only+] # [:+only+]
# Only applies before filter to given actions. # Only applies before filter to given actions.
# #
# [:+except+] # [:+except+]
# Does not apply before filter to given actions. # Does not apply before filter to given actions.
# #
# [:+nested+] # [:+nested+]
# Specify which resource this is nested under. # Specify which resource this is nested under.
# #
# load_resource :nested => :author # load_resource :nested => :author
# #
# Deep nesting can be defined in an array. # Deep nesting can be defined in an array.
# #
# load_resource :nested => [:publisher, :author] # load_resource :nested => [:publisher, :author]
# #
# [:+resource+] # [:+resource+]
# The class to use for the model (string or constant). # The class to use for the model (string or constant).
# #
# [:+collection+] # [:+collection+]
# Specify which actions are resource collection actions in addition to :+index+. This # Specify which actions are resource collection actions in addition to :+index+. This
# is usually not necessary because it will try to guess depending on if an :+id+ # is usually not necessary because it will try to guess depending on if an :+id+
# is present in +params+. # is present in +params+.
# #
# load_resource :collection => [:sort, :list] # load_resource :collection => [:sort, :list]
# #
# [:+new+] # [:+new+]
# Specify which actions are new resource actions in addition to :+new+ and :+create+. # Specify which actions are new resource actions in addition to :+new+ and :+create+.
# Pass an action name into here if you would like to build a new resource instead of # Pass an action name into here if you would like to build a new resource instead of
# fetch one. # fetch one.
# #
# load_resource :new => :build # load_resource :new => :build
# #
def load_resource(options = {}) def load_resource(options = {})
ResourceAuthorization.add_before_filter(self, :load_resource, options) ResourceAuthorization.add_before_filter(self, :load_resource, options)
end end
# Sets up a before filter which authorizes the current resource using the instance variable. # Sets up a before filter which authorizes the current resource using the instance variable.
# For example, if you have an ArticlesController it will check the @article instance variable # For example, if you have an ArticlesController it will check the @article instance variable
# and ensure the user can perform the current action on it. Under the hood it is doing # and ensure the user can perform the current action on it. Under the hood it is doing
# something like the following. # something like the following.
# #
# authorize!(params[:action].to_sym, @article || Article) # authorize!(params[:action].to_sym, @article || Article)
# #
# Call this method directly on the controller class. # Call this method directly on the controller class.
# #
# class BooksController < ApplicationController # class BooksController < ApplicationController
# authorize_resource # authorize_resource
# end # end
# #
# See load_and_authorize_resource to automatically load the resource too. # See load_and_authorize_resource to automatically load the resource too.
# #
# Options: # Options:
# [:+only+] # [:+only+]
# Only applies before filter to given actions. # Only applies before filter to given actions.
# #
# [:+except+] # [:+except+]
# Does not apply before filter to given actions. # Does not apply before filter to given actions.
# #
# [:+resource+] # [:+resource+]
# The class to use for the model (string or constant). Alternatively pass a symbol # The class to use for the model (string or constant). Alternatively pass a symbol
# to represent a resource which does not have a class. # to represent a resource which does not have a class.
# #
def authorize_resource(options = {}) def authorize_resource(options = {})
ResourceAuthorization.add_before_filter(self, :authorize_resource, options) ResourceAuthorization.add_before_filter(self, :authorize_resource, options)
end end
end end
def self.included(base) def self.included(base)
base.extend ClassMethods base.extend ClassMethods
base.helper_method :can?, :cannot? base.helper_method :can?, :cannot?
end end
# Raises a CanCan::AccessDenied exception if the current_ability cannot # Raises a CanCan::AccessDenied exception if the current_ability cannot
# perform the given action. This is usually called in a controller action or # perform the given action. This is usually called in a controller action or
# before filter to perform the authorization. # before filter to perform the authorization.
# #
# def show # def show
# @article = Article.find(params[:id]) # @article = Article.find(params[:id])
# authorize! :read, @article # authorize! :read, @article
# end # end
# #
# A :message option can be passed to specify a different message. # A :message option can be passed to specify a different message.
# #
# authorize! :read, @article, :message => "Not authorized to read #{@article.name}" # authorize! :read, @article, :message => "Not authorized to read #{@article.name}"
# #
# You can rescue from the exception in the controller to customize how unauthorized # You can rescue from the exception in the controller to customize how unauthorized
# access is displayed to the user. # access is displayed to the user.
# #
# class ApplicationController < ActionController::Base # class ApplicationController < ActionController::Base
# rescue_from CanCan::AccessDenied do |exception| # rescue_from CanCan::AccessDenied do |exception|
# flash[:error] = exception.message # flash[:error] = exception.message
# redirect_to root_url # redirect_to root_url
# end # end
# end # end
# #
# See the CanCan::AccessDenied exception for more details on working with the exception. # See the CanCan::AccessDenied exception for more details on working with the exception.
# #
# See the load_and_authorize_resource method to automatically add the authorize! behavior # See the load_and_authorize_resource method to automatically add the authorize! behavior
# to the default RESTful actions. # to the default RESTful actions.
def authorize!(action, subject, *args) def authorize!(action, subject, *args)
@ -150,46 +150,46 @@ module CanCan
end end
raise AccessDenied.new(message, action, subject) if cannot?(action, subject, *args) raise AccessDenied.new(message, action, subject) if cannot?(action, subject, *args)
end end
def unauthorized!(message = nil) def unauthorized!(message = nil)
raise ImplementationRemoved, "The unauthorized! method has been removed from CanCan, use authorize! instead." raise ImplementationRemoved, "The unauthorized! method has been removed from CanCan, use authorize! instead."
end end
# Creates and returns the current user's ability and caches it. If you # Creates and returns the current user's ability and caches it. If you
# want to override how the Ability is defined then this is the place. # want to override how the Ability is defined then this is the place.
# Just define the method in the controller to change behavior. # Just define the method in the controller to change behavior.
# #
# def current_ability # def current_ability
# # instead of Ability.new(current_user) # # instead of Ability.new(current_user)
# @current_ability ||= UserAbility.new(current_account) # @current_ability ||= UserAbility.new(current_account)
# end # end
# #
# Notice it is important to cache the ability object so it is not # Notice it is important to cache the ability object so it is not
# recreated every time. # recreated every time.
def current_ability def current_ability
@current_ability ||= ::Ability.new(current_user) @current_ability ||= ::Ability.new(current_user)
end end
# Use in the controller or view to check the user's permission for a given action # Use in the controller or view to check the user's permission for a given action
# and object. # and object.
# #
# can? :destroy, @project # can? :destroy, @project
# #
# You can also pass the class instead of an instance (if you don't have one handy). # You can also pass the class instead of an instance (if you don't have one handy).
# #
# <% if can? :create, Project %> # <% if can? :create, Project %>
# <%= link_to "New Project", new_project_path %> # <%= link_to "New Project", new_project_path %>
# <% end %> # <% end %>
# #
# This simply calls "can?" on the current_ability. See Ability#can?. # This simply calls "can?" on the current_ability. See Ability#can?.
def can?(*args) def can?(*args)
current_ability.can?(*args) current_ability.can?(*args)
end end
# Convenience method which works the same as "can?" but returns the opposite value. # Convenience method which works the same as "can?" but returns the opposite value.
# #
# cannot? :destroy, @project # cannot? :destroy, @project
# #
def cannot?(*args) def cannot?(*args)
current_ability.cannot?(*args) current_ability.cannot?(*args)
end end

View File

@ -1,5 +1,7 @@
module CanCan module CanCan
# Used internally to load and authorize a given controller resource. # Used internally to load and authorize a given controller resource.
# This manages finding or building an instance of the resource. If a
# parent is given it will go through the association.
class ControllerResource # :nodoc: class ControllerResource # :nodoc:
def initialize(controller, name, parent = nil, options = {}) def initialize(controller, name, parent = nil, options = {})
raise ImplementationRemoved, "The :class option has been renamed to :resource for specifying the class in CanCan." if options.has_key? :class raise ImplementationRemoved, "The :class option has been renamed to :resource for specifying the class in CanCan." if options.has_key? :class
@ -9,6 +11,9 @@ module CanCan
@options = options @options = options
end end
# Returns the class used for this resource. This can be overriden by the :resource option.
# Sometimes one will use a symbol as the resource if a class does not exist for it. In that
# case "find" and "build" should not be called on it.
def model_class def model_class
resource_class = @options[:resource] resource_class = @options[:resource]
if resource_class.nil? if resource_class.nil?
@ -16,7 +21,7 @@ module CanCan
elsif resource_class.kind_of? String elsif resource_class.kind_of? String
resource_class.constantize resource_class.constantize
else else
resource_class # likely a symbol resource_class # could be a symbol
end end
end end
@ -24,12 +29,10 @@ module CanCan
self.model_instance ||= base.find(id) self.model_instance ||= base.find(id)
end end
# Build a new instance of this resource. If it is a class we just call "new" otherwise
# it's an associaiton and "build" is used.
def build(attributes) def build(attributes)
if base.kind_of? Class self.model_instance ||= (base.kind_of?(Class) ? base.new(attributes) : base.build(attributes))
self.model_instance ||= base.new(attributes)
else
self.model_instance ||= base.build(attributes)
end
end end
def model_instance def model_instance
@ -42,6 +45,8 @@ module CanCan
private private
# The object that methods (such as "find", "new" or "build") are called on.
# If there is a parent it will be the association, otherwise it will be the model's class.
def base def base
@parent ? @parent.model_instance.send(@name.to_s.pluralize) : model_class @parent ? @parent.model_instance.send(@name.to_s.pluralize) : model_class
end end

View File

@ -1,41 +1,41 @@
module CanCan module CanCan
# A general CanCan exception # A general CanCan exception
class Error < StandardError; end class Error < StandardError; end
# Raised when removed code is called, an alternative solution is provided in message. # Raised when removed code is called, an alternative solution is provided in message.
class ImplementationRemoved < Error; end class ImplementationRemoved < Error; end
# This error is raised when a user isn't allowed to access a given controller action. # This error is raised when a user isn't allowed to access a given controller action.
# This usually happens within a call to ControllerAdditions#authorize! but can be # This usually happens within a call to ControllerAdditions#authorize! but can be
# raised manually. # raised manually.
# #
# raise CanCan::AccessDenied.new("Not authorized!", :read, Article) # raise CanCan::AccessDenied.new("Not authorized!", :read, Article)
# #
# The passed message, action, and subject are optional and can later be retrieved when # The passed message, action, and subject are optional and can later be retrieved when
# rescuing from the exception. # rescuing from the exception.
# #
# exception.message # => "Not authorized!" # exception.message # => "Not authorized!"
# exception.action # => :read # exception.action # => :read
# exception.subject # => Article # exception.subject # => Article
# #
# If the message is not specified (or is nil) it will default to "You are anot authorized # If the message is not specified (or is nil) it will default to "You are not authorized
# to access this page." This default can be overridden by setting default_message. # to access this page." This default can be overridden by setting default_message.
# #
# exception.default_message = "Default error message" # exception.default_message = "Default error message"
# exception.message # => "Default error message" # exception.message # => "Default error message"
# #
# See ControllerAdditions#authorized! for more information on rescuing from this exception. # See ControllerAdditions#authorized! for more information on rescuing from this exception.
class AccessDenied < Error class AccessDenied < Error
attr_reader :action, :subject attr_reader :action, :subject
attr_writer :default_message attr_writer :default_message
def initialize(message = nil, action = nil, subject = nil) def initialize(message = nil, action = nil, subject = nil)
@message = message @message = message
@action = action @action = action
@subject = subject @subject = subject
@default_message = "You are not authorized to access this page." @default_message = "You are not authorized to access this page."
end end
def to_s def to_s
@message || @default_message @message || @default_message
end end

View File

@ -7,18 +7,18 @@ module CanCan
ResourceAuthorization.new(controller, controller.params, options.except(:only, :except)).send(method) ResourceAuthorization.new(controller, controller.params, options.except(:only, :except)).send(method)
end end
end end
def initialize(controller, params, options = {}) def initialize(controller, params, options = {})
@controller = controller @controller = controller
@params = params @params = params
@options = options @options = options
end end
def load_and_authorize_resource def load_and_authorize_resource
load_resource load_resource
authorize_resource authorize_resource
end end
def load_resource def load_resource
unless collection_actions.include? @params[:action].to_sym unless collection_actions.include? @params[:action].to_sym
if new_actions.include? @params[:action].to_sym if new_actions.include? @params[:action].to_sym
@ -28,17 +28,17 @@ module CanCan
end end
end end
end end
def authorize_resource def authorize_resource
@controller.authorize!(@params[:action].to_sym, resource.model_instance || resource.model_class) @controller.authorize!(@params[:action].to_sym, resource.model_instance || resource.model_class)
end end
private private
def resource def resource
@resource ||= ControllerResource.new(@controller, model_name, parent_resource, @options) @resource ||= ControllerResource.new(@controller, model_name, parent_resource, @options)
end end
def parent_resource def parent_resource
parent = nil parent = nil
[@options[:nested]].flatten.compact.each do |name| [@options[:nested]].flatten.compact.each do |name|
@ -52,15 +52,15 @@ module CanCan
end end
parent parent
end end
def model_name def model_name
@params[:controller].sub("Controller", "").underscore.split('/').last.singularize @params[:controller].sub("Controller", "").underscore.split('/').last.singularize
end end
def collection_actions def collection_actions
[:index] + [@options[:collection]].flatten [:index] + [@options[:collection]].flatten
end end
def new_actions def new_actions
[:new, :create] + [@options[:new]].flatten [:new, :create] + [@options[:new]].flatten
end end

View File

@ -5,17 +5,17 @@ describe CanCan::Ability do
@ability = Object.new @ability = Object.new
@ability.extend(CanCan::Ability) @ability.extend(CanCan::Ability)
end end
it "should be able to :read anything" do it "should be able to :read anything" do
@ability.can :read, :all @ability.can :read, :all
@ability.can?(:read, String).should be_true @ability.can?(:read, String).should be_true
@ability.can?(:read, 123).should be_true @ability.can?(:read, 123).should be_true
end end
it "should not have permission to do something it doesn't know about" do it "should not have permission to do something it doesn't know about" do
@ability.can?(:foodfight, String).should be_false @ability.can?(:foodfight, String).should be_false
end end
it "should return what block returns on a can call" do it "should return what block returns on a can call" do
@ability.can :read, :all @ability.can :read, :all
@ability.can :read, Symbol do |sym| @ability.can :read, Symbol do |sym|
@ -24,21 +24,21 @@ describe CanCan::Ability do
@ability.can?(:read, Symbol).should be_nil @ability.can?(:read, Symbol).should be_nil
@ability.can?(:read, :some_symbol).should == :some_symbol @ability.can?(:read, :some_symbol).should == :some_symbol
end end
it "should pass class with object if :all objects are accepted" do it "should pass class with object if :all objects are accepted" do
@ability.can :preview, :all do |object_class, object| @ability.can :preview, :all do |object_class, object|
[object_class, object] [object_class, object]
end end
@ability.can?(:preview, 123).should == [Fixnum, 123] @ability.can?(:preview, 123).should == [Fixnum, 123]
end end
it "should pass class with no object if :all objects are accepted and class is passed directly" do it "should pass class with no object if :all objects are accepted and class is passed directly" do
@ability.can :preview, :all do |object_class, object| @ability.can :preview, :all do |object_class, object|
[object_class, object] [object_class, object]
end end
@ability.can?(:preview, Hash).should == [Hash, nil] @ability.can?(:preview, Hash).should == [Hash, nil]
end end
it "should pass action and object for global manage actions" do it "should pass action and object for global manage actions" do
@ability.can :manage, Array do |action, object| @ability.can :manage, Array do |action, object|
[action, object] [action, object]
@ -46,14 +46,14 @@ describe CanCan::Ability do
@ability.can?(:stuff, [1, 2]).should == [:stuff, [1, 2]] @ability.can?(:stuff, [1, 2]).should == [:stuff, [1, 2]]
@ability.can?(:stuff, Array).should == [:stuff, nil] @ability.can?(:stuff, Array).should == [:stuff, nil]
end end
it "should alias update or destroy actions to modify action" do it "should alias update or destroy actions to modify action" do
@ability.alias_action :update, :destroy, :to => :modify @ability.alias_action :update, :destroy, :to => :modify
@ability.can(:modify, :all) { :modify_called } @ability.can(:modify, :all) { :modify_called }
@ability.can?(:update, 123).should == :modify_called @ability.can?(:update, 123).should == :modify_called
@ability.can?(:destroy, 123).should == :modify_called @ability.can?(:destroy, 123).should == :modify_called
end end
it "should return block result for action, object_class, and object for any action" do it "should return block result for action, object_class, and object for any action" do
@ability.can :manage, :all do |action, object_class, object| @ability.can :manage, :all do |action, object_class, object|
[action, object_class, object] [action, object_class, object]
@ -61,56 +61,56 @@ describe CanCan::Ability do
@ability.can?(:foo, 123).should == [:foo, Fixnum, 123] @ability.can?(:foo, 123).should == [:foo, Fixnum, 123]
@ability.can?(:bar, Fixnum).should == [:bar, Fixnum, nil] @ability.can?(:bar, Fixnum).should == [:bar, Fixnum, nil]
end end
it "should automatically alias index and show into read calls" do it "should automatically alias index and show into read calls" do
@ability.can :read, :all @ability.can :read, :all
@ability.can?(:index, 123).should be_true @ability.can?(:index, 123).should be_true
@ability.can?(:show, 123).should be_true @ability.can?(:show, 123).should be_true
end end
it "should automatically alias new and edit into create and update respectively" do it "should automatically alias new and edit into create and update respectively" do
@ability.can(:create, :all) { :create_called } @ability.can(:create, :all) { :create_called }
@ability.can(:update, :all) { :update_called } @ability.can(:update, :all) { :update_called }
@ability.can?(:new, 123).should == :create_called @ability.can?(:new, 123).should == :create_called
@ability.can?(:edit, 123).should == :update_called @ability.can?(:edit, 123).should == :update_called
end end
it "should not respond to prepare (now using initialize)" do it "should not respond to prepare (now using initialize)" do
@ability.should_not respond_to(:prepare) @ability.should_not respond_to(:prepare)
end end
it "should offer cannot? method which is simply invert of can?" do it "should offer cannot? method which is simply invert of can?" do
@ability.cannot?(:tie, String).should be_true @ability.cannot?(:tie, String).should be_true
end end
it "should be able to specify multiple actions and match any" do it "should be able to specify multiple actions and match any" do
@ability.can [:read, :update], :all @ability.can [:read, :update], :all
@ability.can?(:read, 123).should be_true @ability.can?(:read, 123).should be_true
@ability.can?(:update, 123).should be_true @ability.can?(:update, 123).should be_true
@ability.can?(:count, 123).should be_false @ability.can?(:count, 123).should be_false
end end
it "should be able to specify multiple classes and match any" do it "should be able to specify multiple classes and match any" do
@ability.can :update, [String, Array] @ability.can :update, [String, Array]
@ability.can?(:update, "foo").should be_true @ability.can?(:update, "foo").should be_true
@ability.can?(:update, []).should be_true @ability.can?(:update, []).should be_true
@ability.can?(:update, 123).should be_false @ability.can?(:update, 123).should be_false
end end
it "should support custom objects in the can definition" do it "should support custom objects in the can definition" do
@ability.can :read, :stats @ability.can :read, :stats
@ability.can?(:read, :stats).should be_true @ability.can?(:read, :stats).should be_true
@ability.can?(:update, :stats).should be_false @ability.can?(:update, :stats).should be_false
@ability.can?(:read, :nonstats).should be_false @ability.can?(:read, :nonstats).should be_false
end end
it "should support 'cannot' method to define what user cannot do" do it "should support 'cannot' method to define what user cannot do" do
@ability.can :read, :all @ability.can :read, :all
@ability.cannot :read, Integer @ability.cannot :read, Integer
@ability.can?(:read, "foo").should be_true @ability.can?(:read, "foo").should be_true
@ability.can?(:read, 123).should be_false @ability.can?(:read, 123).should be_false
end end
it "should support block on 'cannot' method" do it "should support block on 'cannot' method" do
@ability.can :read, :all @ability.can :read, :all
@ability.cannot :read, Integer do |int| @ability.cannot :read, Integer do |int|
@ -120,19 +120,19 @@ describe CanCan::Ability do
@ability.can?(:read, 3).should be_true @ability.can?(:read, 3).should be_true
@ability.can?(:read, 123).should be_false @ability.can?(:read, 123).should be_false
end end
it "should append aliased actions" do it "should append aliased actions" do
@ability.alias_action :update, :to => :modify @ability.alias_action :update, :to => :modify
@ability.alias_action :destroy, :to => :modify @ability.alias_action :destroy, :to => :modify
@ability.aliased_actions[:modify].should == [:update, :destroy] @ability.aliased_actions[:modify].should == [:update, :destroy]
end end
it "should clear aliased actions" do it "should clear aliased actions" do
@ability.alias_action :update, :to => :modify @ability.alias_action :update, :to => :modify
@ability.clear_aliased_actions @ability.clear_aliased_actions
@ability.aliased_actions[:modify].should be_nil @ability.aliased_actions[:modify].should be_nil
end end
it "should pass additional arguments to block from can?" do it "should pass additional arguments to block from can?" do
@ability.can :read, Integer do |int, x| @ability.can :read, Integer do |int, x|
int > x int > x
@ -140,61 +140,61 @@ describe CanCan::Ability do
@ability.can?(:read, 2, 1).should be_true @ability.can?(:read, 2, 1).should be_true
@ability.can?(:read, 2, 3).should be_false @ability.can?(:read, 2, 3).should be_false
end end
it "should use conditions as third parameter and determine abilities from it" do it "should use conditions as third parameter and determine abilities from it" do
@ability.can :read, Array, :first => 1, :last => 3 @ability.can :read, Array, :first => 1, :last => 3
@ability.can?(:read, [1, 2, 3]).should be_true @ability.can?(:read, [1, 2, 3]).should be_true
@ability.can?(:read, [1, 2, 3, 4]).should be_false @ability.can?(:read, [1, 2, 3, 4]).should be_false
@ability.can?(:read, Array).should be_true @ability.can?(:read, Array).should be_true
end end
it "should allow an array of options in conditions hash" do it "should allow an array of options in conditions hash" do
@ability.can :read, Array, :first => [1, 3, 5] @ability.can :read, Array, :first => [1, 3, 5]
@ability.can?(:read, [1, 2, 3]).should be_true @ability.can?(:read, [1, 2, 3]).should be_true
@ability.can?(:read, [2, 3]).should be_false @ability.can?(:read, [2, 3]).should be_false
@ability.can?(:read, [3, 4]).should be_true @ability.can?(:read, [3, 4]).should be_true
end end
it "should allow a range of options in conditions hash" do it "should allow a range of options in conditions hash" do
@ability.can :read, Array, :first => 1..3 @ability.can :read, Array, :first => 1..3
@ability.can?(:read, [1, 2, 3]).should be_true @ability.can?(:read, [1, 2, 3]).should be_true
@ability.can?(:read, [3, 4]).should be_true @ability.can?(:read, [3, 4]).should be_true
@ability.can?(:read, [4, 5]).should be_false @ability.can?(:read, [4, 5]).should be_false
end end
it "should allow nested hashes in conditions hash" do it "should allow nested hashes in conditions hash" do
@ability.can :read, Array, :first => { :length => 5 } @ability.can :read, Array, :first => { :length => 5 }
@ability.can?(:read, ["foo", "bar"]).should be_false @ability.can?(:read, ["foo", "bar"]).should be_false
@ability.can?(:read, ["test1", "foo"]).should be_true @ability.can?(:read, ["test1", "foo"]).should be_true
end end
it "should allow nested hash of arrays and match any element" do it "should allow nested hash of arrays and match any element" do
@ability.can :read, Array, :first => { :to_i => 3 } @ability.can :read, Array, :first => { :to_i => 3 }
@ability.can?(:read, [[1, 2, 3]]).should be_true @ability.can?(:read, [[1, 2, 3]]).should be_true
@ability.can?(:read, [[4, 5, 6]]).should be_false @ability.can?(:read, [[4, 5, 6]]).should be_false
end end
it "should return conditions for a given ability" do it "should return conditions for a given ability" do
@ability.can :read, Array, :first => 1, :last => 3 @ability.can :read, Array, :first => 1, :last => 3
@ability.conditions(:show, Array).should == {:first => 1, :last => 3} @ability.conditions(:show, Array).should == {:first => 1, :last => 3}
end end
it "should raise an exception when a block is used on condition" do it "should raise an exception when a block is used on condition" do
@ability.can :read, Array do |a| @ability.can :read, Array do |a|
true true
end end
lambda { @ability.conditions(:show, Array) }.should raise_error(CanCan::Error, "Cannot determine ability conditions from block for :show Array") lambda { @ability.conditions(:show, Array) }.should raise_error(CanCan::Error, "Cannot determine ability conditions from block for :show Array")
end end
it "should return an empty hash for conditions when there are no conditions" do it "should return an empty hash for conditions when there are no conditions" do
@ability.can :read, Array @ability.can :read, Array
@ability.conditions(:show, Array).should == {} @ability.conditions(:show, Array).should == {}
end end
it "should return false when performed on an action which isn't defined" do it "should return false when performed on an action which isn't defined" do
@ability.conditions(:foo, Array).should == false @ability.conditions(:foo, Array).should == false
end end
it "should has eated cheezburger" do it "should has eated cheezburger" do
lambda { lambda {
@ability.can? :has, :cheezburger @ability.can? :has, :cheezburger

View File

@ -8,18 +8,18 @@ describe CanCan::ActiveRecordAdditions do
@ability = Object.new @ability = Object.new
@ability.extend(CanCan::Ability) @ability.extend(CanCan::Ability)
end end
it "should call where(:id => nil) when no ability is defined so no records are found" do it "should call where(:id => nil) when no ability is defined so no records are found" do
stub(@model_class).where(:id => nil).stub!.joins(nil) { :no_where } stub(@model_class).where(:id => nil).stub!.joins(nil) { :no_where }
@model_class.accessible_by(@ability, :read).should == :no_where @model_class.accessible_by(@ability, :read).should == :no_where
end end
it "should call where with matching ability conditions" do it "should call where with matching ability conditions" do
@ability.can :read, @model_class, :foo => {:bar => 1} @ability.can :read, @model_class, :foo => {:bar => 1}
stub(@model_class).where(:foos => { :bar => 1 }).stub!.joins([:foo]) { :found_records } stub(@model_class).where(:foos => { :bar => 1 }).stub!.joins([:foo]) { :found_records }
@model_class.accessible_by(@ability, :read).should == :found_records @model_class.accessible_by(@ability, :read).should == :found_records
end end
it "should default to :read ability and use scoped when where isn't available" do it "should default to :read ability and use scoped when where isn't available" do
@ability.can :read, @model_class, :foo => {:bar => 1} @ability.can :read, @model_class, :foo => {:bar => 1}
stub(@model_class).scoped(:conditions => {:foos => {:bar => 1}}, :joins => [:foo]) { :found_records } stub(@model_class).scoped(:conditions => {:foos => {:bar => 1}}, :joins => [:foo]) { :found_records }

View File

@ -5,7 +5,7 @@ describe CanCan::CanDefinition do
@conditions = {} @conditions = {}
@can = CanCan::CanDefinition.new(true, :read, Integer, @conditions, nil) @can = CanCan::CanDefinition.new(true, :read, Integer, @conditions, nil)
end end
it "should return no association joins if none exist" do it "should return no association joins if none exist" do
@can.association_joins.should be_nil @can.association_joins.should be_nil
end end
@ -30,13 +30,13 @@ describe CanCan::CanDefinition do
@conditions[:foo] = {:bar => {1 => 2}} @conditions[:foo] = {:bar => {1 => 2}}
@can.association_joins.should == [{:foo => [:bar]}] @can.association_joins.should == [{:foo => [:bar]}]
end end
it "should return table names in conditions for association joins" do it "should return table names in conditions for association joins" do
@conditions[:foo] = {:bar => 1} @conditions[:foo] = {:bar => 1}
@conditions[:test] = 1 @conditions[:test] = 1
@can.conditions(:tableize => true).should == { :foos => { :bar => 1}, :test => 1 } @can.conditions(:tableize => true).should == { :foos => { :bar => 1}, :test => 1 }
end end
it "should return no association joins if conditions is nil" do it "should return no association joins if conditions is nil" do
can = CanCan::CanDefinition.new(true, :read, Integer, nil, nil) can = CanCan::CanDefinition.new(true, :read, Integer, nil, nil)
can.association_joins.should be_nil can.association_joins.should be_nil

View File

@ -9,11 +9,11 @@ describe CanCan::ControllerAdditions do
mock(@controller_class).helper_method(:can?, :cannot?) mock(@controller_class).helper_method(:can?, :cannot?)
@controller_class.send(:include, CanCan::ControllerAdditions) @controller_class.send(:include, CanCan::ControllerAdditions)
end end
it "should raise ImplementationRemoved when attempting to call 'unauthorized!' on a controller" do it "should raise ImplementationRemoved when attempting to call 'unauthorized!' on a controller" do
lambda { @controller.unauthorized! }.should raise_error(CanCan::ImplementationRemoved) lambda { @controller.unauthorized! }.should raise_error(CanCan::ImplementationRemoved)
end end
it "should raise access denied exception if ability us unauthorized to perform a certain action" do it "should raise access denied exception if ability us unauthorized to perform a certain action" do
begin begin
@controller.authorize! :read, :foo, 1, 2, 3, :message => "Access denied!" @controller.authorize! :read, :foo, 1, 2, 3, :message => "Access denied!"
@ -25,12 +25,12 @@ describe CanCan::ControllerAdditions do
fail "Expected CanCan::AccessDenied exception to be raised" fail "Expected CanCan::AccessDenied exception to be raised"
end end
end end
it "should not raise access denied exception if ability is authorized to perform an action" do it "should not raise access denied exception if ability is authorized to perform an action" do
@controller.current_ability.can :read, :foo @controller.current_ability.can :read, :foo
lambda { @controller.authorize!(:read, :foo) }.should_not raise_error lambda { @controller.authorize!(:read, :foo) }.should_not raise_error
end end
it "should raise access denied exception with default message if not specified" do it "should raise access denied exception with default message if not specified" do
begin begin
@controller.authorize! :read, :foo @controller.authorize! :read, :foo
@ -41,29 +41,29 @@ describe CanCan::ControllerAdditions do
fail "Expected CanCan::AccessDenied exception to be raised" fail "Expected CanCan::AccessDenied exception to be raised"
end end
end end
it "should have a current_ability method which generates an ability for the current user" do it "should have a current_ability method which generates an ability for the current user" do
@controller.current_ability.should be_kind_of(Ability) @controller.current_ability.should be_kind_of(Ability)
end end
it "should provide a can? and cannot? methods which go through the current ability" do it "should provide a can? and cannot? methods which go through the current ability" do
@controller.current_ability.should be_kind_of(Ability) @controller.current_ability.should be_kind_of(Ability)
@controller.can?(:foo, :bar).should be_false @controller.can?(:foo, :bar).should be_false
@controller.cannot?(:foo, :bar).should be_true @controller.cannot?(:foo, :bar).should be_true
end end
it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource
mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) } mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
@controller_class.load_and_authorize_resource :foo => :bar @controller_class.load_and_authorize_resource :foo => :bar
end end
it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource
mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) } mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) }
@controller_class.authorize_resource :foo => :bar, :except => :show @controller_class.authorize_resource :foo => :bar, :except => :show
end end
it "load_resource should setup a before filter which passes call to ResourceAuthorization" do it "load_resource should setup a before filter which passes call to ResourceAuthorization" do
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource
mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) } mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) }

View File

@ -4,53 +4,53 @@ describe CanCan::ControllerResource do
before(:each) do before(:each) do
@controller = Object.new @controller = Object.new
end end
it "should determine model class by constantizing give name" do it "should determine model class by constantizing give name" do
CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability
end end
it "should fetch model through model class and assign it to the instance" do it "should fetch model through model class and assign it to the instance" do
stub(Ability).find(123) { :some_ability } stub(Ability).find(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability).find(123) CanCan::ControllerResource.new(@controller, :ability).find(123)
@controller.instance_variable_get(:@ability).should == :some_ability @controller.instance_variable_get(:@ability).should == :some_ability
end end
it "should fetch model through parent and assign it to the instance" do it "should fetch model through parent and assign it to the instance" do
parent = Object.new parent = Object.new
stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability } stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability, parent).find(123) CanCan::ControllerResource.new(@controller, :ability, parent).find(123)
@controller.instance_variable_get(:@ability).should == :some_ability @controller.instance_variable_get(:@ability).should == :some_ability
end end
it "should build model through model class and assign it to the instance" do it "should build model through model class and assign it to the instance" do
stub(Ability).new(123) { :some_ability } stub(Ability).new(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability).build(123) CanCan::ControllerResource.new(@controller, :ability).build(123)
@controller.instance_variable_get(:@ability).should == :some_ability @controller.instance_variable_get(:@ability).should == :some_ability
end end
it "should build model through parent and assign it to the instance" do it "should build model through parent and assign it to the instance" do
parent = Object.new parent = Object.new
stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability } stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability, parent).build(123) CanCan::ControllerResource.new(@controller, :ability, parent).build(123)
@controller.instance_variable_get(:@ability).should == :some_ability @controller.instance_variable_get(:@ability).should == :some_ability
end end
it "should not load resource if instance variable is already provided" do it "should not load resource if instance variable is already provided" do
@controller.instance_variable_set(:@ability, :some_ability) @controller.instance_variable_set(:@ability, :some_ability)
CanCan::ControllerResource.new(@controller, :ability).find(123) CanCan::ControllerResource.new(@controller, :ability).find(123)
@controller.instance_variable_get(:@ability).should == :some_ability @controller.instance_variable_get(:@ability).should == :some_ability
end end
it "should use the model class option if provided" do it "should use the model class option if provided" do
stub(Person).find(123) { :some_resource } stub(Person).find(123) { :some_resource }
CanCan::ControllerResource.new(@controller, :ability, nil, :resource => Person).find(123) CanCan::ControllerResource.new(@controller, :ability, nil, :resource => Person).find(123)
@controller.instance_variable_get(:@ability).should == :some_resource @controller.instance_variable_get(:@ability).should == :some_resource
end end
it "should convert string to constant for resource" do it "should convert string to constant for resource" do
CanCan::ControllerResource.new(@controller, :ability, nil, :resource => "Person").model_class.should == Person CanCan::ControllerResource.new(@controller, :ability, nil, :resource => "Person").model_class.should == Person
end end
it "should raise an exception when specifying :class option since it is no longer used" do it "should raise an exception when specifying :class option since it is no longer used" do
lambda { lambda {
CanCan::ControllerResource.new(@controller, :ability, nil, :class => Person) CanCan::ControllerResource.new(@controller, :ability, nil, :class => Person)

View File

@ -5,29 +5,29 @@ describe CanCan::AccessDenied do
before(:each) do before(:each) do
@exception = CanCan::AccessDenied.new(nil, :some_action, :some_subject) @exception = CanCan::AccessDenied.new(nil, :some_action, :some_subject)
end end
it "should have action and subject accessors" do it "should have action and subject accessors" do
@exception.action.should == :some_action @exception.action.should == :some_action
@exception.subject.should == :some_subject @exception.subject.should == :some_subject
end end
it "should have a changable default message" do it "should have a changable default message" do
@exception.message.should == "You are not authorized to access this page." @exception.message.should == "You are not authorized to access this page."
@exception.default_message = "Unauthorized!" @exception.default_message = "Unauthorized!"
@exception.message.should == "Unauthorized!" @exception.message.should == "Unauthorized!"
end end
end end
describe "with only a message" do describe "with only a message" do
before(:each) do before(:each) do
@exception = CanCan::AccessDenied.new("Access denied!") @exception = CanCan::AccessDenied.new("Access denied!")
end end
it "should have nil action and subject" do it "should have nil action and subject" do
@exception.action.should be_nil @exception.action.should be_nil
@exception.subject.should be_nil @exception.subject.should be_nil
end end
it "should have passed message" do it "should have passed message" do
@exception.message.should == "Access denied!" @exception.message.should == "Access denied!"
end end

View File

@ -4,101 +4,101 @@ describe CanCan::ResourceAuthorization do
before(:each) do before(:each) do
@controller = Object.new # simple stub for now @controller = Object.new # simple stub for now
end end
it "should load the resource into an instance variable if params[:id] is specified" do it "should load the resource into an instance variable if params[:id] is specified" do
stub(Ability).find(123) { :some_resource } stub(Ability).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123) authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource @controller.instance_variable_get(:@ability).should == :some_resource
end end
it "should properly load resource for namespaced controller" do it "should properly load resource for namespaced controller" do
stub(Ability).find(123) { :some_resource } stub(Ability).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123) authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource @controller.instance_variable_get(:@ability).should == :some_resource
end end
it "should properly load resource for namespaced controller when using '::' for namespace" do it "should properly load resource for namespaced controller when using '::' for namespace" do
stub(Ability).find(123) { :some_resource } stub(Ability).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "Admin::AbilitiesController", :action => "show", :id => 123) authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "Admin::AbilitiesController", :action => "show", :id => 123)
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource @controller.instance_variable_get(:@ability).should == :some_resource
end end
it "should build a new resource with hash if params[:id] is not specified" do it "should build a new resource with hash if params[:id] is not specified" do
stub(Ability).new(:foo => "bar") { :some_resource } stub(Ability).new(:foo => "bar") { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"}) authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource @controller.instance_variable_get(:@ability).should == :some_resource
end end
it "should build a new resource even if attribute hash isn't specified" do it "should build a new resource even if attribute hash isn't specified" do
stub(Ability).new(nil) { :some_resource } stub(Ability).new(nil) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new") authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource @controller.instance_variable_get(:@ability).should == :some_resource
end end
it "should not build a resource when on index action" do it "should not build a resource when on index action" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index") authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil @controller.instance_variable_get(:@ability).should be_nil
end end
it "should perform authorization using controller action and loaded model" do it "should perform authorization using controller action and loaded model" do
@controller.instance_variable_set(:@ability, :some_resource) @controller.instance_variable_set(:@ability, :some_resource)
stub(@controller).authorize!(:show, :some_resource) { raise CanCan::AccessDenied } stub(@controller).authorize!(:show, :some_resource) { raise CanCan::AccessDenied }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show") authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
lambda { authorization.authorize_resource }.should raise_error(CanCan::AccessDenied) lambda { authorization.authorize_resource }.should raise_error(CanCan::AccessDenied)
end end
it "should perform authorization using controller action and non loaded model" do it "should perform authorization using controller action and non loaded model" do
stub(@controller).authorize!(:show, Ability) { raise CanCan::AccessDenied } stub(@controller).authorize!(:show, Ability) { raise CanCan::AccessDenied }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show") authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
lambda { authorization.authorize_resource }.should raise_error(CanCan::AccessDenied) lambda { authorization.authorize_resource }.should raise_error(CanCan::AccessDenied)
end end
it "should call load_resource and authorize_resource for load_and_authorize_resource" do it "should call load_resource and authorize_resource for load_and_authorize_resource" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show") authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
mock(authorization).load_resource mock(authorization).load_resource
mock(authorization).authorize_resource mock(authorization).authorize_resource
authorization.load_and_authorize_resource authorization.load_and_authorize_resource
end end
it "should not build a resource when on custom collection action" do it "should not build a resource when on custom collection action" do
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "sort"}, {:collection => [:sort, :list]}) authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "sort"}, {:collection => [:sort, :list]})
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil @controller.instance_variable_get(:@ability).should be_nil
end end
it "should build a resource when on custom new action even when params[:id] exists" do it "should build a resource when on custom new action even when params[:id] exists" do
stub(Ability).new(nil) { :some_resource } stub(Ability).new(nil) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "build", :id => 123}, {:new => :build}) authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "build", :id => 123}, {:new => :build})
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource @controller.instance_variable_get(:@ability).should == :some_resource
end end
it "should not try to load resource for other action if params[:id] is undefined" do it "should not try to load resource for other action if params[:id] is undefined" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "list") authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "list")
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil @controller.instance_variable_get(:@ability).should be_nil
end end
it "should load nested resource and fetch other resource through the association" do it "should load nested resource and fetch other resource through the association" do
stub(Person).find(456).stub!.abilities.stub!.find(123) { :some_ability } stub(Person).find(456).stub!.abilities.stub!.find(123) { :some_ability }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123, :person_id => 456}, {:nested => :person}) authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123, :person_id => 456}, {:nested => :person})
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_ability @controller.instance_variable_get(:@ability).should == :some_ability
end end
it "should load nested resource and build resource through a deep association" do it "should load nested resource and build resource through a deep association" do
stub(Person).find(456).stub!.behaviors.stub!.find(789).stub!.abilities.stub!.build(nil) { :some_ability } stub(Person).find(456).stub!.behaviors.stub!.find(789).stub!.abilities.stub!.build(nil) { :some_ability }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456, :behavior_id => 789}, {:nested => [:person, :behavior]}) authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456, :behavior_id => 789}, {:nested => [:person, :behavior]})
authorization.load_resource authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_ability @controller.instance_variable_get(:@ability).should == :some_ability
end end
it "should not load nested resource and build through this if *_id param isn't specified" do it "should not load nested resource and build through this if *_id param isn't specified" do
stub(Person).find(456) { :some_person } stub(Person).find(456) { :some_person }
stub(Ability).new(nil) { :some_ability } stub(Ability).new(nil) { :some_ability }
@ -107,7 +107,7 @@ describe CanCan::ResourceAuthorization do
@controller.instance_variable_get(:@person).should == :some_person @controller.instance_variable_get(:@person).should == :some_person
@controller.instance_variable_get(:@ability).should == :some_ability @controller.instance_variable_get(:@ability).should == :some_ability
end end
it "should load the model using a custom class" do it "should load the model using a custom class" do
stub(Person).find(123) { :some_resource } stub(Person).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:resource => Person}) authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:resource => Person})

View File

@ -13,7 +13,7 @@ end
class Ability class Ability
include CanCan::Ability include CanCan::Ability
def initialize(user) def initialize(user)
end end
end end