Commit Graph

434 Commits

Author SHA1 Message Date
Sergio Arbeo
1f7e4c8b6b Solves problem when authorizing new action.
Given two models Category and Projects. A Category has_many
projects and Project belongs_to a category. Furthermore,
projects are shallow nested resources in a category.

Let's say that a user can edit certain category's projects
(and only one category can be edited by each user [1]), this is
expressed with the following line in Ability model:

can :new, :projects, category_id: user.category_id

Given the old implementation, we get that any user can 'new'
(though not 'create') a project in any category:

```ruby
def assign_attributes(resource)
  resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
  initial_attributes.each do |attr_name, value|
    resource.send("#{attr_name}=", value)
  end
  resource
end
```

In this case, category_id in project would get overwritten
inside the initial_attributes loop and authorization would pass.
I consider this a buggy behaviour.

[1] User belongs_to a category, and a Category has many
users. On the other hand, there might be users without
any category.

Conflicts:
	spec/cancan/controller_resource_spec.rb
2012-10-04 20:29:28 +02:00
Ryan Bates
f1cebde51a Merge pull request #751 from mculp/2.0
fixes #750 - load hooks return ActiveRecord::Model in Rails 4, use Concern
2012-09-29 11:00:44 -07:00
Matt Culpepper
9550154b09 load hooks return ActiveRecord::Model in Rails 4, use Concern 2012-09-27 23:18:45 -05:00
Ryan Bates
aed9f26e56 Merge pull request #668 from bukalapak/2.0
Fix namespace split
2012-07-02 13:48:00 -07:00
Nugroho Herucahyono
6c1828acb6 fix namespace split, so we can use / for namespace 2012-06-29 18:29:08 +07:00
Ryan Bates
6886aecb9a bringing up to date with master branch 2012-06-26 17:10:01 -07:00
Ryan Bates
de000fdec7 tests passing with Rails 3.2.6 2012-06-26 15:13:35 -07:00
Ryan Bates
1e89b31bad releasing 1.6.8 2012-06-25 16:17:32 -07:00
Ryan Bates
5f1be25419 preparing for 1.6.8 2012-06-19 12:56:51 -07:00
Ryan Bates
6d7bce78fc updating changelog 2012-06-19 11:58:59 -07:00
Ryan Bates
a0200166cc removing project status section from readme since contributors are now kind enough to keep tabs on the issue tracker 2012-06-19 11:37:45 -07:00
Ryan Bates
112a995327 clearing leftover whitespace 2012-06-19 11:36:59 -07:00
Ryan Bates
944804183e load ostruct for OpenStruct used in spec 2012-06-19 11:35:58 -07:00
Ryan Bates
2b89dbbdfa Merge pull request #653 from andhapp/fix-pull-request-640
Init attributes in InheritedResources controller w/ specs
2012-06-19 10:53:22 -07:00
Ryan Bates
aff8ca60e4 Merge pull request #650 from andhapp/fix-pull-request-486
Fixes Nested Resource Loading
2012-06-19 10:50:29 -07:00
Ryan Bates
33e33c584e Merge pull request #618 from spatil/master
Check for defined ActionController::Base instead ActionController
2012-06-19 10:41:14 -07:00
Anuj Dutta
a1254ca1c6 Fix pull request 640. For some reason github didn't allow a clean merge althought there weren't any conflicts. Fix it so that it's easier to just merge via the UI. 2012-06-19 00:13:19 +01:00
Mike Pack
88aba4664a Refactor out attribute assignment 2012-06-19 00:08:27 +01:00
Mike Pack
b965f5bab4 Add specs for resource attributes.
Remove inconsistent line breaks.
2012-06-19 00:08:27 +01:00
mccraig mccraig of the clan mccraig
c2c0b86c3a initialise attributes after a resource is created by an InheritedResources controller 2012-06-19 00:08:26 +01:00
Mark Sim
d5baed6281 Fixes Nested Resource Loading 2012-06-18 06:52:32 +01:00
Ryan Bates
76d465ae13 Merge pull request #635 from ollym/2.0
Named resources were not loading correctly in 2.0
2012-06-11 09:56:41 -07:00
Ryan Bates
7bf683d8f4 Merge pull request #645 from andhapp/issue-644
Allow users to specify a mix of can and cannot rule for mongoid
2012-06-11 09:52:38 -07:00
Anuj Dutta
da663aaed1 Fix for issue-644 to allow users to specify a mix of can and cannot rules with mongo. 2012-06-10 22:54:45 +01:00
Oliver Morgan
354e34b8ab Fixed bug where parent resources were being regarded as children 2012-06-04 17:44:33 +01:00
Oliver Morgan
245b83f6b4 Classify causes plural model names to be incorrectly renamed
Some model names will be renamed incorrectly e.g. 'business'. It should
be the responsibility of the user to make sure they use a name that
directly corresponds to the model name. The only filtering performed
should be camelize.
2012-05-31 10:45:55 +01:00
Oliver Morgan
78cbcf1db9 Named resources were not being loaded correctly. Fixes #633 2012-05-30 12:39:10 +01:00
Ryan Bates
80a8c39a93 Merge pull request #632 from andhapp/fix-issue-327
Fix to handle MetaWhere and non-MetaWhere conditions correctly.
2012-05-29 10:04:18 -07:00
Ryan Bates
b3f9ffe93b Merge pull request #625 from rogercampos/merging
Adding Ability#merge
2012-05-28 11:02:51 -07:00
Anuj Dutta
c27ead5b9f Fix to handle MetaWhere and non-MetaWhere conditions correctly. 2012-05-26 18:00:50 +01:00
Ryan Bates
0c21831b4d Merge pull request #619 from derekprior/namespace-fix
Updated: port fix for namespaced params from 2.0 back to 1.6
2012-05-14 09:24:25 -07:00
Chris Gunther
b347c7b78c port fix for namespaced params from 2.0 back to 1.6 2012-05-14 10:52:29 -04:00
Ryan Bates
1cdd7b3c18 Merge pull request #509 from moffff/master
Fix 'spec/spec_helper.rb:20: uninitialized constant WithModel (NameError)'
2012-05-11 08:59:41 -07:00
Ryan Bates
7f4f469e58 Merge pull request #492 from soopa/master
Fix "uninitialized constant CanCan::Rule::ModelAdapters"
2012-05-11 08:51:50 -07:00
Ryan Bates
ccd24ab30f fixing Ruby versions running on travis.yml 2012-05-11 08:43:49 -07:00
Ryan Bates
4986de8b3e Merge pull request #570 from bsodmike/bsodmike-2.0
Cancan 2.0 fix for issue #565; fixes namespaced non-db/model backed resources authorization
2012-05-11 08:18:03 -07:00
Gimi Liang
14e1f5cad4 Merge pull request #535 from manuelmeurer/patch-2
Fixed a small typo
2012-05-11 08:17:55 -07:00
Gimi Liang
8e46ccad8c Merge pull request #616 from NickClark/rails_2_3_readme_clarification
Clarify readme for rails 2.3 users
2012-05-11 08:12:22 -07:00
Michael de Silva
0e8c7ca01f cancan 2.0 fix for issue #565; test to properly authorize resource for namespaced controller 2012-05-11 12:00:46 +03:00
Michael de Silva
48ed6f9353 cancan 2.0 fix for issue #565; fixes namespaced non-db/model backed resources authorization 2012-05-11 11:59:00 +03:00
Nicholas Clark
0bbe2e1802 Clarify readme for rails 2.3 users 2012-05-10 19:03:51 -04:00
Ryan Bates
10cbfbb923 adding a .rbenv-version file 2012-05-10 14:24:13 -07:00
Ryan Bates
a8a85f13a3 Merge pull request #541 from icrowley/master
Fixed bug with params for actions that build new instances with namespaced models
2012-05-10 13:51:45 -07:00
Ryan Bates
c1f7181336 Merge pull request #505 from nertzy/update_with_model
Use latest with_model gem
2012-05-10 11:45:27 -07:00
Ryan Bates
70515de8c1 Merge pull request #556 from mauriciozaffari/master
Pass forward :if and :unless options to the before filter.
2012-05-10 11:00:32 -07:00
Ryan Bates
b73bd062a8 Merge pull request #564 from flop/master
False positives on multiple nested abilities definitions
2012-05-10 10:59:08 -07:00
Ryan Bates
d1176245e6 Merge pull request #559 from plentz/patch-1
Adding travis-ci badge
2012-05-10 10:47:13 -07:00
Ryan Bates
78e1a17258 Merge pull request #587 from route/patch-1
Just add singleton to description of authorize_resource
2012-05-10 09:27:03 -07:00
Ryan Bates
6e8bc851be Merge pull request #607 from Mixbook/master
Added support for value to be Enumerable
2012-05-10 09:25:59 -07:00
Aryk Grosz
65bbf0e354 Add check for Enumerable as condition value 2012-04-23 00:51:55 -07:00