set resource attributes in update action and authorize after set - closes #141
parent
a29e31606b
commit
f6c2054f7e
|
@ -63,7 +63,7 @@ module CanCan
|
||||||
if !parent? && new_actions.include?(@params[:action].to_sym)
|
if !parent? && new_actions.include?(@params[:action].to_sym)
|
||||||
build_resource
|
build_resource
|
||||||
elsif id_param || @options[:singleton]
|
elsif id_param || @options[:singleton]
|
||||||
find_resource
|
find_and_update_resource
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -94,6 +94,15 @@ module CanCan
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def find_and_update_resource
|
||||||
|
resource = find_resource
|
||||||
|
if @params[name]
|
||||||
|
@controller.authorize!(authorization_action, resource) if @options[:authorize]
|
||||||
|
resource.attributes = @params[name]
|
||||||
|
end
|
||||||
|
resource
|
||||||
|
end
|
||||||
|
|
||||||
def find_resource
|
def find_resource
|
||||||
if @options[:singleton] && parent_resource.respond_to?(name)
|
if @options[:singleton] && parent_resource.respond_to?(name)
|
||||||
parent_resource.send(name)
|
parent_resource.send(name)
|
||||||
|
|
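Review bot: `find_and_update_resource` runs for every member action, not only `update`: the `elsif id_param || @options[:singleton]` branch now calls it unconditionally, and its only guard is `if @params[name]`. A `show`, `edit` or `destroy` request that carries that parameter will have request-supplied attributes assigned to the loaded record before the controller action runs, which does not match the commit title. I would restrict the assignment to the update path, for example `if @params[name] && @params[:action].to_sym == :update`. I would also add a comment above `resource.attributes = @params[name]` along the lines of `# request params are assigned as-is; model-level mass-assignment protection is the only filter here`. `find_resource` continues outside the hunk, so it is not visible whether it can return nil for a singleton; if it can, the `attributes=` call needs a nil guard.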
|
@ -8,6 +8,7 @@ describe CanCan::ControllerResource do
|
||||||
@ability = Ability.new(nil)
|
@ability = Ability.new(nil)
|
||||||
stub(@controller).params { @params }
|
stub(@controller).params { @params }
|
||||||
stub(@controller).current_ability { @ability }
|
stub(@controller).current_ability { @ability }
|
||||||
|
stub(@controller).authorize! { |*args| @ability.authorize!(*args) }
|
||||||
# stub(@controller_class).cancan_skipper { {:authorize => {}, :load => {}} }
|
# stub(@controller_class).cancan_skipper { {:authorize => {}, :load => {}} }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -275,6 +276,22 @@ describe CanCan::ControllerResource do
|
||||||
lambda { resource.process }.should raise_error(CanCan::Unauthorized)
|
lambda { resource.process }.should raise_error(CanCan::Unauthorized)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "should authorize update action before setting attributes" do
|
||||||
|
@ability.can :update, :projects, :name => "bar"
|
||||||
|
project = Project.create!(:name => "foo")
|
||||||
|
@params.merge!(:action => "update", :id => project.id, :project => {:name => "bar"})
|
||||||
|
resource = CanCan::ControllerResource.new(@controller, :project, :load => true, :authorize => true)
|
||||||
|
lambda { resource.process }.should raise_error(CanCan::Unauthorized)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should authorize update action after setting attributes" do
|
||||||
|
@ability.can :update, :projects, :name => "foo"
|
||||||
|
project = Project.create!(:name => "foo")
|
||||||
|
@params.merge!(:action => "update", :id => project.id, :project => {:name => "bar"})
|
||||||
|
resource = CanCan::ControllerResource.new(@controller, :project, :load => true, :authorize => true)
|
||||||
|
lambda { resource.process }.should raise_error(CanCan::Unauthorized)
|
||||||
|
end
|
||||||
|
|
||||||
it "should load the model using a custom class" do
|
it "should load the model using a custom class" do
|
||||||
project = Project.create!
|
project = Project.create!
|
||||||
@params.merge!(:action => "show", :id => project.id)
|
@params.merge!(:action => "show", :id => project.id)
|
||||||
|
|
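Review bot: Both new examples only assert that `CanCan::Unauthorized` is raised, so nothing pins the permitted path or proves that the attributes are actually assigned. A regression that made `process` raise for every update would still pass these specs. I would add an example with an unconditional `@ability.can :update, :projects` that expects `lambda { resource.process }.should_not raise_error` and then checks that the loaded project carries the submitted name. A further example with `:action => "show"` and a `:project` hash in the params would document whether attributes are meant to be assigned outside the update action.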