set resource attributes in update action and authorize after set - closes #141

This commit is contained in:
Ryan Bates 2011-05-19 17:12:30 -04:00
parent a29e31606b
commit f6c2054f7e
2 changed files with 27 additions and 1 deletions

View File

@ -63,7 +63,7 @@ module CanCan
if !parent? && new_actions.include?(@params[:action].to_sym) if !parent? && new_actions.include?(@params[:action].to_sym)
build_resource build_resource
elsif id_param || @options[:singleton] elsif id_param || @options[:singleton]
find_resource find_and_update_resource
end end
end end
@ -94,6 +94,15 @@ module CanCan
end end
end end
def find_and_update_resource
resource = find_resource
if @params[name]
@controller.authorize!(authorization_action, resource) if @options[:authorize]
resource.attributes = @params[name]
end
resource
end
def find_resource def find_resource
if @options[:singleton] && parent_resource.respond_to?(name) if @options[:singleton] && parent_resource.respond_to?(name)
parent_resource.send(name) parent_resource.send(name)

View File

@ -8,6 +8,7 @@ describe CanCan::ControllerResource do
@ability = Ability.new(nil) @ability = Ability.new(nil)
stub(@controller).params { @params } stub(@controller).params { @params }
stub(@controller).current_ability { @ability } stub(@controller).current_ability { @ability }
stub(@controller).authorize! { |*args| @ability.authorize!(*args) }
# stub(@controller_class).cancan_skipper { {:authorize => {}, :load => {}} } # stub(@controller_class).cancan_skipper { {:authorize => {}, :load => {}} }
end end
@ -275,6 +276,22 @@ describe CanCan::ControllerResource do
lambda { resource.process }.should raise_error(CanCan::Unauthorized) lambda { resource.process }.should raise_error(CanCan::Unauthorized)
end end
it "should authorize update action before setting attributes" do
@ability.can :update, :projects, :name => "bar"
project = Project.create!(:name => "foo")
@params.merge!(:action => "update", :id => project.id, :project => {:name => "bar"})
resource = CanCan::ControllerResource.new(@controller, :project, :load => true, :authorize => true)
lambda { resource.process }.should raise_error(CanCan::Unauthorized)
end
it "should authorize update action after setting attributes" do
@ability.can :update, :projects, :name => "foo"
project = Project.create!(:name => "foo")
@params.merge!(:action => "update", :id => project.id, :project => {:name => "bar"})
resource = CanCan::ControllerResource.new(@controller, :project, :load => true, :authorize => true)
lambda { resource.process }.should raise_error(CanCan::Unauthorized)
end
it "should load the model using a custom class" do it "should load the model using a custom class" do
project = Project.create! project = Project.create!
@params.merge!(:action => "show", :id => project.id) @params.merge!(:action => "show", :id => project.id)