set resource attributes in update action and authorize after set - closes #141
parent
a29e31606b
commit
f6c2054f7e
|
@ -63,7 +63,7 @@ module CanCan
|
|||
if !parent? && new_actions.include?(@params[:action].to_sym)
|
||||
build_resource
|
||||
elsif id_param || @options[:singleton]
|
||||
find_resource
|
||||
find_and_update_resource
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -94,6 +94,15 @@ module CanCan
|
|||
end
|
||||
end
|
||||
|
||||
def find_and_update_resource
|
||||
resource = find_resource
|
||||
if @params[name]
|
||||
@controller.authorize!(authorization_action, resource) if @options[:authorize]
|
||||
resource.attributes = @params[name]
|
||||
end
|
||||
resource
|
||||
end
|
||||
|
||||
def find_resource
|
||||
if @options[:singleton] && parent_resource.respond_to?(name)
|
||||
parent_resource.send(name)
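Review bot: `resource.attributes = @params[name]` in `find_and_update_resource` hands the raw request hash to the model, so the fields a client can change are bounded only by whatever mass-assignment protection the model itself declares. Nothing in this method restricts the keys, and the assignment also runs when `@options[:authorize]` is unset. The early `authorize!` checks the stored values; the check against the modified record presumably happens in the later authorize step of `process`, which is outside this hunk. A comment above the method would make that ordering explicit, for example `# Authorize against the persisted values first; the authorize step re-checks the record after assignment.` `find_resource` continues past the end of the hunk, so whether it can return nil (which would make `resource.attributes=` raise NoMethodError) cannot be confirmed from here.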
|
||||
|
|
|
@ -8,6 +8,7 @@ describe CanCan::ControllerResource do
|
|||
@ability = Ability.new(nil)
|
||||
stub(@controller).params { @params }
|
||||
stub(@controller).current_ability { @ability }
|
||||
stub(@controller).authorize! { |*args| @ability.authorize!(*args) }
|
||||
# stub(@controller_class).cancan_skipper { {:authorize => {}, :load => {}} }
|
||||
end
|
||||
|
||||
|
@ -275,6 +276,22 @@ describe CanCan::ControllerResource do
|
|||
lambda { resource.process }.should raise_error(CanCan::Unauthorized)
|
||||
end
|
||||
|
||||
it "should authorize update action before setting attributes" do
|
||||
@ability.can :update, :projects, :name => "bar"
|
||||
project = Project.create!(:name => "foo")
|
||||
@params.merge!(:action => "update", :id => project.id, :project => {:name => "bar"})
|
||||
resource = CanCan::ControllerResource.new(@controller, :project, :load => true, :authorize => true)
|
||||
lambda { resource.process }.should raise_error(CanCan::Unauthorized)
|
||||
end
|
||||
|
||||
it "should authorize update action after setting attributes" do
|
||||
@ability.can :update, :projects, :name => "foo"
|
||||
project = Project.create!(:name => "foo")
|
||||
@params.merge!(:action => "update", :id => project.id, :project => {:name => "bar"})
|
||||
resource = CanCan::ControllerResource.new(@controller, :project, :load => true, :authorize => true)
|
||||
lambda { resource.process }.should raise_error(CanCan::Unauthorized)
|
||||
end
|
||||
|
||||
it "should load the model using a custom class" do
|
||||
project = Project.create!
|
||||
@params.merge!(:action => "show", :id => project.id)
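Review bot: Both new examples assert only the denied path, so nothing in this hunk pins the case where the ability matches the record both before and after assignment. A third example with an unconditional `@ability.can :update, :projects`, ending in `lambda { resource.process }.should_not raise_error`, would guard against the double authorization over-denying. It could also check that the loaded record carries the submitted name. The "before setting attributes" example would be stronger if it also asserted that the project's name is still "foo" after the raise, since that is the property the early check protects. Such examples may already exist elsewhere in the spec file, outside this hunk.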
|
||||
|
|