making accessible_by action default to :index and parent action default to :show so we don't check :read action directly - closes #302

Ryan Bates 2011-03-15 23:00:40 -07:00
parent 3639ca90eb
commit fdd5ad022d
3 changed files with 6 additions and 6 deletions


@ -105,7 +105,7 @@ module CanCan
end end
def authorization_action def authorization_action
parent? ? :read : @params[:action].to_sym parent? ? :show : @params[:action].to_sym
end end
def id_param def id_param
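Review bot: `authorization_action` now answers `:show` for every parent resource whatever the child action is, and the method carries no comment saying so. The spec in this commit confirms it: with `:action => "new"` the parent is still only checked for `:show`, so being able to view a parent is all that is verified on the way to a nested write action. I would document that on the method, for example `# A parent is only ever checked for :show; create/update/destroy must be gated by the rule on the child resource.` The method is shown in full here, while `id_param` continues outside the hunk.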


@ -4,7 +4,7 @@ module CanCan
module ModelAdditions module ModelAdditions
module ClassMethods module ClassMethods
# Returns a scope which fetches only the records that the passed ability # Returns a scope which fetches only the records that the passed ability
# can perform a given action on. The action defaults to :read. This # can perform a given action on. The action defaults to :index. This
# is usually called from a controller and passed the +current_ability+. # is usually called from a controller and passed the +current_ability+.
# #
# @articles = Article.accessible_by(current_ability) # @articles = Article.accessible_by(current_ability)
@ -19,7 +19,7 @@ module CanCan
# @articles = Article.accessible_by(current_ability, :update) # @articles = Article.accessible_by(current_ability, :update)
# #
# Here only the articles which the user can update are returned. # Here only the articles which the user can update are returned.
def accessible_by(ability, action = :read) def accessible_by(ability, action = :index)
ability.model_adapter(self, action).database_records ability.model_adapter(self, action).database_records
end end
end end
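Review bot: The new default in `def accessible_by(ability, action = :index)` changes which rules scope every existing call that omits the action, and no spec for it is visible in this commit (the spec hunks shown only cover `ControllerResource`). A caller that uses the one-argument form for something other than a listing is now filtered by the `:index` rules instead of `:read`, which matters wherever an application grants `:index` and `:show` differently. I would add a line to the doc comment such as `# Pass the action explicitly (e.g. :show) when the scope is not used for a listing.` and a spec asserting that `model_adapter` receives `:index` when no action is given.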


@ -104,7 +104,7 @@ describe CanCan::ControllerResource do
it "should authorize parent resource in collection action" do it "should authorize parent resource in collection action" do
@params[:action] = "index" @params[:action] = "index"
@controller.instance_variable_set(:@category, :some_category) @controller.instance_variable_set(:@category, :some_category)
stub(@controller).authorize!(:read, :some_category) { raise CanCan::AccessDenied } stub(@controller).authorize!(:show, :some_category) { raise CanCan::AccessDenied }
resource = CanCan::ControllerResource.new(@controller, :category, :parent => true) resource = CanCan::ControllerResource.new(@controller, :category, :parent => true)
lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied) lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
end end
@ -293,10 +293,10 @@ describe CanCan::ControllerResource do
@controller.instance_variable_get(:@project).name.should == "foobar" @controller.instance_variable_get(:@project).name.should == "foobar"
end end
it "should only authorize :read action on parent resource" do it "should only authorize :show action on parent resource" do
project = Project.create! project = Project.create!
@params.merge!(:action => "new", :project_id => project.id) @params.merge!(:action => "new", :project_id => project.id)
stub(@controller).authorize!(:read, project) { raise CanCan::AccessDenied } stub(@controller).authorize!(:show, project) { raise CanCan::AccessDenied }
resource = CanCan::ControllerResource.new(@controller, :project, :parent => true) resource = CanCan::ControllerResource.new(@controller, :project, :parent => true)
lambda { resource.load_and_authorize_resource }.should raise_error(CanCan::AccessDenied) lambda { resource.load_and_authorize_resource }.should raise_error(CanCan::AccessDenied)
end end