set resource attributes in update action and authorize after set - closes #141

2011-05-19 17:12:30 -04:00 · 2011-05-19 17:12:30 -04:00 · f6c2054f7e
commit f6c2054f7e
parent a29e31606b
2 changed files with 27 additions and 1 deletions
--- a/lib/cancan/controller_resource.rb
+++ b/lib/cancan/controller_resource.rb
@ -63,7 +63,7 @@ module CanCan
      if !parent? && new_actions.include?(@params[:action].to_sym)
        build_resource
      elsif id_param || @options[:singleton]
-        find_resource
+        find_and_update_resource
      end
    end

@ -94,6 +94,15 @@ module CanCan
      end
    end

+    def find_and_update_resource
+      resource = find_resource
+      if @params[name]
+        @controller.authorize!(authorization_action, resource) if @options[:authorize]
+        resource.attributes = @params[name]
+      end
+      resource
+    end
+
    def find_resource
      if @options[:singleton] && parent_resource.respond_to?(name)
        parent_resource.send(name)
--- a/spec/cancan/controller_resource_spec.rb
+++ b/spec/cancan/controller_resource_spec.rb
@ -8,6 +8,7 @@ describe CanCan::ControllerResource do
    @ability = Ability.new(nil)
    stub(@controller).params { @params }
    stub(@controller).current_ability { @ability }
+    stub(@controller).authorize! { |*args| @ability.authorize!(*args) }
    # stub(@controller_class).cancan_skipper { {:authorize => {}, :load => {}} }
  end

@ -275,6 +276,22 @@ describe CanCan::ControllerResource do
    lambda { resource.process }.should raise_error(CanCan::Unauthorized)
  end

+  it "should authorize update action before setting attributes" do
+    @ability.can :update, :projects, :name => "bar"
+    project = Project.create!(:name => "foo")
+    @params.merge!(:action => "update", :id => project.id, :project => {:name => "bar"})
+    resource = CanCan::ControllerResource.new(@controller, :project, :load => true, :authorize => true)
+    lambda { resource.process }.should raise_error(CanCan::Unauthorized)
+  end
+
+  it "should authorize update action after setting attributes" do
+    @ability.can :update, :projects, :name => "foo"
+    project = Project.create!(:name => "foo")
+    @params.merge!(:action => "update", :id => project.id, :project => {:name => "bar"})
+    resource = CanCan::ControllerResource.new(@controller, :project, :load => true, :authorize => true)
+    lambda { resource.process }.should raise_error(CanCan::Unauthorized)
+  end
+
  it "should load the model using a custom class" do
    project = Project.create!
    @params.merge!(:action => "show", :id => project.id)