will/cancan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: will:0.1.0
Branches Tags
will:master will:2.0
will:1.6.10 will:1.6.9 will:1.6.8 will:1.6.7 will:1.6.6 will:1.6.5 will:1.6.4 will:1.6.3 will:1.6.2 will:1.6.1 will:1.6.0 will:1.5.1 will:1.5.0 will:1.4.1 will:1.4.0 will:1.3.4 will:1.3.3 will:1.3.2 will:1.3.1 will:1.3.0 will:1.2.0 will:1.1.1 will:1.1 will:1.0.2 will:1.0.1 will:1.0.0 will:0.2.1 will:0.2.0 will:0.1.0
...
compare: will:0.2.1
Branches Tags
will:master will:2.0
will:1.6.10 will:1.6.9 will:1.6.8 will:1.6.7 will:1.6.6 will:1.6.5 will:1.6.4 will:1.6.3 will:1.6.2 will:1.6.1 will:1.6.0 will:1.5.1 will:1.5.0 will:1.4.1 will:1.4.0 will:1.3.4 will:1.3.3 will:1.3.2 will:1.3.1 will:1.3.0 will:1.2.0 will:1.1.1 will:1.1 will:1.0.2 will:1.0.1 will:1.0.0 will:0.2.1 will:0.2.0 will:0.1.0

20 Commits
0.1.0 ... 0.2.1

Author SHA1 Message Date
Ryan Bates
43947c893d releasing gem v0.2.1 2009-11-26 10:13:22 -08:00
Ryan Bates
e32c5d0dfb calling controller's load_resource and authorize_resource from load_and_authorize_resource to maintain backwards compatability, even though it's not the most efficient way 2009-11-26 09:53:16 -08:00
Ryan Bates
da5a5c031f refactoring out controller logic into separate ResourceAuthorization class - closes #11 2009-11-26 09:29:53 -08:00
Rafael Silva
e92a7d8bf4 Some refactor to be more DRY 2009-11-26 09:38:14 +08:00
Ryan Bates
c40490d672 refactoring ability can? method - closes #12 2009-11-25 17:31:40 -08:00
Ryan Bates
d4405e6070 adding cannot method to define which abilities cannot be done - closes #7 2009-11-25 10:25:58 -08:00
Ryan Bates
e60365505c support custom objects (usually symbols) in can definition - closes #8 2009-11-25 09:55:50 -08:00
Ryan Bates
5bd1a85410 little fixes to inline documentation (rdocs) 2009-11-19 09:46:30 -08:00
Ryan Bates
0ae41f57b8 mentioning wiki in readme 2009-11-18 16:37:10 -08:00
Ryan Bates
b145a98488 linking to the RDocs from README 2009-11-17 17:02:20 -08:00
Ryan Bates
b9227eb971 adding a lot of inline documentation to code for rdocs 2009-11-17 16:56:16 -08:00
Ryan Bates
072cb0f2de fixing spacing issues in README 2009-11-17 12:59:44 -08:00
Ryan Bates
52649a8da1 releasing gem 0.2.0 NOT BACKWARDS COMPATABLE, SEE CHANGELOG 2009-11-17 12:58:42 -08:00
Ryan Bates
15a01a579c fixing behavior of load_and_authorize_resource for namespaced controllers - closes #3 2009-11-17 11:59:59 -08:00
Ryan Bates
766fe86a9f support arrays being passed to 'can' to specify multiple actions or classes - closes #2 2009-11-17 11:46:27 -08:00
Ryan Bates
4322da9d0a expanding readme documentation 2009-11-17 11:22:09 -08:00
Ryan Bates
0f49b5478f adding 'cannot?' method which performs opposite check of 'can?' - closes #1 2009-11-17 10:46:16 -08:00
Ryan Bates
df276536ab adding documentation for testing abilities - closes #6 2009-11-17 10:33:03 -08:00
Ryan Bates
1edf583110 BACKWARDS INCOMPATIBLE: use Ability#initialize instead of 'prepare' to set up abilities - closes #4 2009-11-17 10:25:47 -08:00
Ryan Bates
9d58226563 couple fixes in readme 2009-11-16 22:31:27 -08:00
11 changed files with 511 additions and 159 deletions
Expand all files Collapse all files

21
CHANGELOG.rdoc
View File

@@ -1,3 +1,22 @@
*0.1.0* (Nov 16th, 2009)
0.2.1 (Nov 26, 2009)
* many internal refactorings - see issues #11 and #12
* adding "cannot" method to define which abilities cannot be done - see issue #7
* support custom objects (usually symbols) in can definition - see issue #8
0.2.0 (Nov 17, 2009)
* fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3
* support arrays being passed to "can" to specify multiple actions or classes - see issue #2
* adding "cannot?" method to ability, controller, and view which is inverse of "can?" - see issue #1
* BACKWARDS INCOMPATIBLE: use Ability#initialize instead of 'prepare' to set up abilities - see issue #4
0.1.0 (Nov 16, 2009)
* initial release

114
README.rdoc
View File

@@ -1,9 +1,10 @@
= CanCan
This is a simple authorization solution for Rails which is completely decoupled from how you set up the user's roles. All permissions are stored in a single location for convenience.
This is a simple authorization solution for Ruby on Rails to restrict what a given user is allowed to access in the application. This is completely decoupled from any role based implementation allowing you to define user roles the way you want. All permissions are stored in a single location for convenience.
This assumes you already have an authentication solution (such as Authlogic) which proves a current_user model.
This assumes you already have authentication (such as Authlogic[http://github.com/binarylogic/authlogic]) which provides a current_user model.
See the RDocs[http://rdoc.info/projects/ryanb/cancan] and Wiki[http://wiki.github.com/ryanb/cancan] for additional documentation.
== Installation
@@ -13,7 +14,7 @@ You can set it up as a gem in your environment.rb file.
And then install the gem.
gem install cancan
sudo rake gems:install
Alternatively you can install it as a Rails plugin.
@@ -22,12 +23,12 @@ Alternatively you can install it as a Rails plugin.
== Setup
First define a class called Ability, place it in "models/ability.rb".
First, define a class called Ability in "models/ability.rb".
class Ability
include CanCan::Ability
def prepare(user)
def initialize(user)
if user.admin?
can :manage, :all
else
@@ -36,22 +37,22 @@ First define a class called Ability, place it in "models/ability.rb".
end
end
This class is where all permissions will go. See the "Defining Abilities" section below for more information.
This is where all permissions will go. See the "Defining Abilities" section below for more information.
In the view layer you can access the current permissions at any point using the "can?" method. See "Checking Abilities" section below.
You can access the current permissions at any point using the "can?" and "cannot?" methods in the view.
<% if can? :update, @article %>
<%= link_to "Edit", edit_article_path(@article) %>
<% end %>
You can also use this method in the controller layer along with the "unauthorized!" method to restrict access.
You can also use these methods in a controller along with the "unauthorized!" method to restrict access.
def show
@article = Article.find(params[:id])
unauthorized! unless can? :read, @article
unauthorized! if cannot? :read, @article
end
Setting this for every action can be tedious, therefore a before filter is also provided for automatically applying this setting to a RESTful style resource controller.
Setting this for every action can be tedious, therefore a before filter is also provided to automatically authorize all actions in a RESTful style resource controller.
class ArticlesController < ApplicationController
before_filter :load_and_authorize_resource
@@ -61,7 +62,7 @@ Setting this for every action can be tedious, therefore a before filter is also
end
end
If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior.
If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior in the ApplicationController.
class ApplicationController < ActionController::Base
rescue_from CanCan::AccessDenied, :with => :access_denied
@@ -77,7 +78,7 @@ If the user authorization fails, a CanCan::AccessDenied exception will be raised
== Defining Abilities
As shown above, the Ability#prepare method is where all user permissions are defined. The user model is passed into this method so you are free to modify the permissions based on the user's attributes. This way CanCan is completely decoupled with how you choose to handle roles.
As shown above, the Ability class is where all user permissions are defined. The user model is passed into the initialize method so you are free to modify the permissions based on the user's attributes. This way CanCan is completely decoupled with how you choose to handle roles.
The "can" method accepts two arguments, the first one is the action you're setting the permission for, the second one is the class of object you're setting it on.
@@ -89,7 +90,7 @@ You can pass an array for either of these parameters to match any one.
In this case the user has the ability to update or destroy both articles and comments.
You can pass a block to provide logic based on the article's attributes. For example:
You can pass a block to provide logic based on the article's attributes.
can :update, Article do |article|
article && article.user == user
@@ -110,17 +111,11 @@ You can also pass :manage as the action which will match any action. In this cas
can :manage, Comment do |action, comment|
action != :destroy
end
Finally, the "cannot" method works similar to "can" but defines which abilities cannot be done.
Finally, you can use the "alias_action" method to alias one or more actions into one.
alias_action :update, :destroy, :to => :modify
can :modify, Comment
The following aliases are added by default for conveniently mapping common controller actions.
alias_action :index, :show, :to => :read
alias_action :new, :to => :create
alias_action :edit, :to => :update
can :read, :all
cannot :read, Product
== Checking Abilities
@@ -129,65 +124,60 @@ Use the "can?" method in the controller or view to check the user's permission f
can? :destroy, @project
You can also pass the class instead of an instance (if you don't have one handy). For example:
You can also pass the class instead of an instance (if you don't have one handy).
<% if can? :create, Project %>
<%= link_to "New Project", new_project_path %>
<% end %>
The "cannot?" method is for convenience and performs the opposite check of "can?"
== Custom Actions
There is no limit to what actions you can use to determine abilities. For example, if only pro users are allowed to upload a picture for their product, you might add restrictions like this.
# ability.rb
can :upload_picture, Project if user.pro?
# projects/_form.html.erb
<%= f.file_field :picture if can? :upload_picture, @project %>
# projects_controller.rb
def update
unauthorized! if params[:project][:upload_picture] && !can?(:upload_picture, @project)
# ...
end
cannot? :destroy, @project
== Customizing Assumptions
== Aliasing Actions
You can use the "alias_action" method to alias one or more actions into one.
alias_action :update, :destroy, :to => :modify
can :modify, Comment
can? :update, Comment # => true
The following aliases are added by default for conveniently mapping common controller actions.
alias_action :index, :show, :to => :read
alias_action :new, :to => :create
alias_action :edit, :to => :update
== Assumptions & Configuring
CanCan makes two assumptions about your application.
* The permissions are defined in Ability#prepare.
* The user is fetched with current_user method in the controller.
* You have an Ability class which defines the permissions.
* You have a current_user method in the controller which returns the current user model.
You can override these by defining the "current_ability" method in your ApplicationController.
You can override these by overriding the "current_ability" method in your ApplicationController.
def current_ability
ability = UserAbility.new # instead of Ability
ability.prepare(current_account) # instead of current_user
ability # be sure to return the ability
UserAbility.new(current_account) # instead of Ability.new(current_user)
end
That's it!
== Permissions in Database
== Testing Abilities
Perhaps a non-coder needs the ability to modify the user abilities, or you want to change them without having to re-deploy the application. In that case it may be best to store the permission logic in a separate model, let's call it Permission. It is easy to use the database records when defining abilities.
It is very easy to test the Ability model since you can call "can?" directly on it as you would in the view or controller.
For example, let's assume that each user has_many :permissions, and each permission has "action", "object_type" and "object_id" columns. The last of which is optional.
class Ability
include CanCan::Ability
def prepare(user)
can :manage, :all do |action, object_class, object|
user.permissions.find_all_by_action(action).any? do |permission|
permission.object_type.constantize == object_class &&
(object.nil? || permission.object_id.nil? || permission.object_id == object.id)
end
end
end
def test "user can only destroy projects which he owns"
user = User.new
ability = Ability.new(user)
assert ability.can?(:destroy, Project.new(:user => user))
assert ability.cannot?(:destroy, Project.new)
end
The actual details will depend largely on your application requirements, but hopefully you can see how it's possible to define permissions in the database and use them with CanCan.
== Special Thanks
CanCan was inspired by declarative_authorization[http://github.com/stffn/declarative_authorization/] and aegis[http://github.com/makandra/aegis]. Many thanks to the authors and contributors.

4
cancan.gemspec
View File

@@ -4,8 +4,8 @@ Gem::Specification.new do |s|
s.description = "Simple authorization solution for Rails which is completely decoupled from the user's roles. All permissions are stored in a single location for convenience."
s.homepage = "http://github.com/ryanb/cancan"
s.version = "0.1.0"
s.date = "2009-11-16"
s.version = "0.2.1"
s.date = "2009-11-26"
s.authors = ["Ryan Bates"]
s.email = "ryan@railscasts.com"

3
lib/cancan.rb
View File

@@ -1,6 +1,9 @@
module CanCan
# This error is raised when a user isn't allowed to access a given
# controller action. See ControllerAdditions#unauthorized! for details.
class AccessDenied < StandardError; end
end
require File.dirname(__FILE__) + '/cancan/ability'
require File.dirname(__FILE__) + '/cancan/resource_authorization'
require File.dirname(__FILE__) + '/cancan/controller_additions'

211
lib/cancan/ability.rb
View File

@@ -1,43 +1,168 @@
module CanCan
# This module is designed to be included into an Ability class. This will
# provide the "can" methods for defining and checking abilities.
#
# class Ability
# include CanCan::Ability
#
# def initialize(user)
# if user.admin?
# can :manage, :all
# else
# can :read, :all
# end
# end
# end
#
module Ability
attr_accessor :user
def can?(original_action, target) # TODO this could use some refactoring
(@can_history || []).reverse.each do |can_action, can_target, can_block|
possible_actions_for(original_action).each do |action|
if (can_action == :manage || can_action == action) && (can_target == :all || can_target == target || target.kind_of?(can_target))
if can_block.nil?
return true
else
block_args = []
block_args << action if can_action == :manage
block_args << (target.class == Class ? target : target.class) if can_target == :all
block_args << (target.class == Class ? nil : target)
return can_block.call(*block_args)
end
end
# Use to check the user's permission for a given action and object.
#
# can? :destroy, @project
#
# You can also pass the class instead of an instance (if you don't have one handy).
#
# can? :create, Project
#
# Not only can you use the can? method in the controller and view (see ControllerAdditions),
# but you can also call it directly on an ability instance.
#
# ability.can? :destroy, @project
#
# This makes testing a user's abilities very easy.
#
# def test "user can only destroy projects which he owns"
# user = User.new
# ability = Ability.new(user)
# assert ability.can?(:destroy, Project.new(:user => user))
# assert ability.cannot?(:destroy, Project.new)
# end
#
def can?(action, noun)
(@can_definitions || []).reverse.each do |base_behavior, defined_action, defined_noun, defined_block|
defined_actions = expand_actions(defined_action)
defined_nouns = [defined_noun].flatten
if includes_action?(defined_actions, action) && includes_noun?(defined_nouns, noun)
result = can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
return base_behavior ? result : !result
end
end
false
end
def possible_actions_for(initial_action)
actions = [initial_action]
(@aliased_actions || default_alias_actions).each do |target, aliases|
actions += possible_actions_for(target) if aliases.include? initial_action
end
actions
end
def can(action, target, &block)
@can_history ||= []
@can_history << [action, target, block]
# Convenience method which works the same as "can?" but returns the opposite value.
#
# cannot? :destroy, @project
#
def cannot?(*args)
!can?(*args)
end
# Defines which abilities are allowed using two arguments. The first one is the action
# you're setting the permission for, the second one is the class of object you're setting it on.
#
# can :update, Article
#
# You can pass an array for either of these parameters to match any one.
#
# can [:update, :destroy], [Article, Comment]
#
# In this case the user has the ability to update or destroy both articles and comments.
#
# You can pass a block to provide logic based on the article's attributes.
#
# can :update, Article do |article|
# article && article.user == user
# end
#
# If the block returns true then the user has that :update ability for that article, otherwise he
# will be denied access. It's possible for the passed in model to be nil if one isn't specified,
# so be sure to take that into consideration.
#
# You can pass :all to reference every type of object. In this case the object type will be passed
# into the block as well (just in case object is nil).
#
# can :read, :all do |object_class, object|
# object_class != Order
# end
#
# Here the user has permission to read all objects except orders.
#
# You can also pass :manage as the action which will match any action. In this case the action is
# passed to the block.
#
# can :manage, Comment do |action, comment|
# action != :destroy
# end
#
# You can pass custom objects into this "can" method, this is usually done through a symbol
# and is useful if a class isn't available to define permissions on.
#
# can :read, :stats
# can? :read, :stats # => true
#
def can(action, noun, &block)
@can_definitions ||= []
@can_definitions << [true, action, noun, block]
end
# Define an ability which cannot be done. Accepts the same arguments as "can".
#
# can :read, :all
# cannot :read, Comment
#
# A block can be passed just like "can", however if the logic is complex it is recommended
# to use the "can" method.
#
# cannot :read, Product do |product|
# product.invisible?
# end
#
def cannot(action, noun, &block)
@can_definitions ||= []
@can_definitions << [false, action, noun, block]
end
# Alias one or more actions into another one.
#
# alias_action :update, :destroy, :to => :modify
# can :modify, Comment
#
# Then :modify permission will apply to both :update and :destroy requests.
#
# can? :update, Comment # => true
# can? :destroy, Comment # => true
#
# This only works in one direction. Passing the aliased action into the "can?" call
# will not work because aliases are meant to generate more generic actions.
#
# alias_action :update, :destroy, :to => :modify
# can :update, Comment
# can? :modify, Comment # => false
#
# Unless that exact alias is used.
#
# can :modify, Comment
# can? :modify, Comment # => true
#
# The following aliases are added by default for conveniently mapping common controller actions.
#
# alias_action :index, :show, :to => :read
# alias_action :new, :to => :create
# alias_action :edit, :to => :update
#
# This way one can use params[:action] in the controller to determine the permission.
def alias_action(*args)
@aliased_actions ||= default_alias_actions
target = args.pop[:to]
@aliased_actions[target] = args
aliased_actions[target] = args
end
private
def aliased_actions
@aliased_actions ||= default_alias_actions
end
def default_alias_actions
@@ -48,8 +173,34 @@ module CanCan
}
end
def prepare(user)
# to be overriden by included class
def expand_actions(actions)
[actions].flatten.map do |action|
if aliased_actions[action]
[action, *aliased_actions[action]]
else
action
end
end.flatten
end
def can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
if defined_block.nil?
true
else
block_args = []
block_args << action if defined_actions.include?(:manage)
block_args << (noun.class == Class ? noun : noun.class) if defined_nouns.include?(:all)
block_args << (noun.class == Class ? nil : noun)
return defined_block.call(*block_args)
end
end
def includes_action?(actions, action)
actions.include?(:manage) || actions.include?(action)
end
def includes_noun?(nouns, noun)
nouns.include?(:all) || nouns.include?(noun) || nouns.any? { |c| c.kind_of?(Class) && noun.kind_of?(c) }
end
end
end

106
lib/cancan/controller_additions.rb
View File

@@ -1,37 +1,113 @@
module CanCan
# This module is automatically included into all controllers.
# It also makes the "can?" and "cannot?" methods available to all views.
module ControllerAdditions
def self.included(base)
base.helper_method :can?
base.helper_method :can?, :cannot?
end
# Raises the CanCan::AccessDenied exception. This is often used in a
# controller action to mark a request as unauthorized.
#
# def show
# @article = Article.find(params[:id])
# unauthorized! if cannot? :read, @article
# end
#
# You can rescue from the exception in the controller to specify
# the user experience.
#
# class ApplicationController < ActionController::Base
# rescue_from CanCan::AccessDenied, :with => :access_denied
#
# protected
#
# def access_denied
# flash[:error] = "Sorry, you are not allowed to access that page."
# redirect_to root_url
# end
# end
#
# See the load_and_authorize_resource method to automatically add
# the "unauthorized!" behavior to a RESTful controller's actions.
def unauthorized!
raise AccessDenied, "You are unable to access this page."
end
# Creates and returns the current user's ability. You generally do not invoke
# this method directly, instead you can override this method to change its
# behavior if the Ability class or current_user method are different.
#
# def current_ability
# UserAbility.new(current_account) # instead of Ability.new(current_user)
# end
#
def current_ability
ability = ::Ability.new
ability.prepare(current_user)
ability
::Ability.new(current_user)
end
# Use in the controller or view to check the user's permission for a given action
# and object.
#
# can? :destroy, @project
#
# You can also pass the class instead of an instance (if you don't have one handy).
#
# <% if can? :create, Project %>
# <%= link_to "New Project", new_project_path %>
# <% end %>
#
# This simply calls "can?" on the current_ability. See Ability#can?.
def can?(*args)
(@current_ability ||= current_ability).can?(*args)
end
def load_resource # TODO this could use some refactoring
unless params[:action] == "index"
if params[:id]
instance_variable_set("@#{params[:controller].singularize}", params[:controller].singularize.camelcase.constantize.find(params[:id]))
else
instance_variable_set("@#{params[:controller].singularize}", params[:controller].singularize.camelcase.constantize.new(params[params[:controller].singularize.to_sym]))
end
end
# Convenience method which works the same as "can?" but returns the opposite value.
#
# cannot? :destroy, @project
#
def cannot?(*args)
(@current_ability ||= current_ability).cannot?(*args)
end
def authorize_resource # TODO this could use some refactoring
unauthorized! unless can?(params[:action].to_sym, instance_variable_get("@#{params[:controller].singularize}") || params[:controller].singularize.camelcase.constantize)
# This method loads the appropriate model resource into an instance variable. For example,
# given an ArticlesController it will load the current article into the @article instance
# variable. It does this by either calling Article.find(params[:id]) or
# Article.new(params[:article]) depending upon the action. It does nothing for the "index"
# action.
#
# You would often use this as a before filter in the controller. See
# load_and_authorize_resource to handle authorization too.
#
# before_filter :load_resource
#
def load_resource
ResourceAuthorization.new(self, params).load_resource
end
# Authorizes the resource in the current instance variable. For example,
# if you have an ArticlesController it will check the @article instance variable
# and ensure the user can perform the current action on it.
# Under the hood it is doing something like the following.
#
# unauthorized! if cannot?(params[:action].to_sym, @article || Article)
#
# You would often use this as a before filter in the controller.
#
# before_filter :authorize_resource
#
# See load_and_authorize_resource to automatically load the resource too.
def authorize_resource
ResourceAuthorization.new(self, params).authorize_resource
end
# Calls load_resource to load the current resource model into an instance variable.
# Then calls authorize_resource to ensure the current user is authorized to access the page.
# You would often use this as a before filter in the controller.
#
# before_filter :load_and_authorize_resource
#
def load_and_authorize_resource
load_resource
authorize_resource
@@ -43,4 +119,4 @@ if defined? ActionController
ActionController::Base.class_eval do
include CanCan::ControllerAdditions
end
end
end

41
lib/cancan/resource_authorization.rb Normal file
View File

@@ -0,0 +1,41 @@
module CanCan
class ResourceAuthorization # :nodoc:
attr_reader :params
def initialize(controller, params)
@controller = controller
@params = params
end
def load_and_authorize_resource
load_resource
authorize_resource
end
def load_resource
self.model_instance = params[:id] ? model_class.find(params[:id]) : model_class.new(params[model_name.to_sym]) unless params[:action] == "index"
end
def authorize_resource
@controller.unauthorized! if @controller.cannot?(params[:action].to_sym, model_instance || model_class)
end
private
def model_name
params[:controller].split('/').last.singularize
end
def model_class
model_name.camelcase.constantize
end
def model_instance
@controller.instance_variable_get("@#{model_name}")
end
def model_instance=(instance)
@controller.instance_variable_set("@#{model_name}", instance)
end
end
end

46
spec/cancan/ability_spec.rb
View File

@@ -78,7 +78,49 @@ describe CanCan::Ability do
@ability.can?(:edit, 123).should == :update_called
end
it "should respond to prepare" do
@ability.should respond_to(:prepare)
it "should not respond to prepare (now using initialize)" do
@ability.should_not respond_to(:prepare)
end
it "should offer cannot? method which is simply invert of can?" do
@ability.cannot?(:tie, String).should be_true
end
it "should be able to specify multiple actions and match any" do
@ability.can [:read, :update], :all
@ability.can?(:read, 123).should be_true
@ability.can?(:update, 123).should be_true
@ability.can?(:count, 123).should be_false
end
it "should be able to specify multiple classes and match any" do
@ability.can :update, [String, Array]
@ability.can?(:update, "foo").should be_true
@ability.can?(:update, []).should be_true
@ability.can?(:update, 123).should be_false
end
it "should support custom objects in the can definition" do
@ability.can :read, :stats
@ability.can?(:read, :stats).should be_true
@ability.can?(:update, :stats).should be_false
@ability.can?(:read, :nonstats).should be_false
end
it "should support 'cannot' method to define what user cannot do" do
@ability.can :read, :all
@ability.cannot :read, Integer
@ability.can?(:read, "foo").should be_true
@ability.can?(:read, 123).should be_false
end
it "should support block on 'cannot' method" do
@ability.can :read, :all
@ability.cannot :read, Integer do |int|
int > 5
end
@ability.can?(:read, "foo").should be_true
@ability.can?(:read, 3).should be_true
@ability.can?(:read, 123).should be_false
end
end

58
spec/cancan/controller_additions_spec.rb
View File

@@ -1,14 +1,11 @@
require File.dirname(__FILE__) + '/../spec_helper'
class Ability
include CanCan::Ability
end
describe CanCan::ControllerAdditions do
before(:each) do
@controller_class = Class.new
@controller = @controller_class.new
mock(@controller_class).helper_method(:can?)
stub(@controller).params { {} }
mock(@controller_class).helper_method(:can?, :cannot?)
@controller_class.send(:include, CanCan::ControllerAdditions)
end
@@ -23,59 +20,26 @@ describe CanCan::ControllerAdditions do
@controller.current_ability.should be_kind_of(Ability)
end
it "should provide a can? method which goes through the current ability" do
it "should provide a can? and cannot? methods which go through the current ability" do
stub(@controller).current_user { :current_user }
@controller.current_ability.should be_kind_of(Ability)
@controller.can?(:foo, :bar).should be_false
@controller.cannot?(:foo, :bar).should be_true
end
it "should load the resource if params[:id] is specified" do
stub(@controller).params { {:controller => "abilities", :action => "show", :id => 123} }
stub(Ability).find(123) { :some_resource }
it "should load resource" do
mock.instance_of(CanCan::ResourceAuthorization).load_resource
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should build a new resource with hash if params[:id] is not specified" do
stub(@controller).params { {:controller => "abilities", :action => "create", :ability => {:foo => "bar"}} }
stub(Ability).new(:foo => "bar") { :some_resource }
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
it "should authorize resource" do
mock.instance_of(CanCan::ResourceAuthorization).authorize_resource
@controller.authorize_resource
end
it "should build a new resource even if attribute hash isn't specified" do
stub(@controller).params { {:controller => "abilities", :action => "new"} }
stub(Ability).new(nil) { :some_resource }
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should not build a resource when on index action" do
stub(@controller).params { {:controller => "abilities", :action => "index"} }
@controller.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should perform authorization using controller action and loaded model" do
@controller.instance_variable_set(:@ability, :some_resource)
stub(@controller).params { {:controller => "abilities", :action => "show"} }
stub(@controller).can?(:show, :some_resource) { false }
lambda {
@controller.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should perform authorization using controller action and non loaded model" do
stub(@controller).params { {:controller => "abilities", :action => "show"} }
stub(@controller).can?(:show, Ability) { false }
lambda {
@controller.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should load and authorize resource in one call" do
it "should load and authorize resource in one call through controller" do
mock(@controller).load_resource
stub(@controller).authorize_resource
mock(@controller).authorize_resource
@controller.load_and_authorize_resource
end
end

59
spec/cancan/resource_authorization_spec.rb Normal file
View File

@@ -0,0 +1,59 @@
require File.dirname(__FILE__) + '/../spec_helper'
describe CanCan::ResourceAuthorization do
before(:each) do
@controller = Object.new # simple stub for now
stub(@controller).unauthorized! { raise CanCan::AccessDenied }
end
it "should load the resource into an instance variable if params[:id] is specified" do
stub(Ability).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should properly load resource for namespaced controller" do
stub(Ability).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should build a new resource with hash if params[:id] is not specified" do
stub(Ability).new(:foo => "bar") { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should build a new resource even if attribute hash isn't specified" do
stub(Ability).new(nil) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should not build a resource when on index action" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should perform authorization using controller action and loaded model" do
@controller.instance_variable_set(:@ability, :some_resource)
stub(@controller).cannot?(:show, :some_resource) { true }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
lambda {
authorization.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should perform authorization using controller action and non loaded model" do
stub(@controller).cannot?(:show, Ability) { true }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
lambda {
authorization.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
end

7
spec/spec_helper.rb
View File

@@ -9,3 +9,10 @@ require File.dirname(__FILE__) + '/../lib/cancan.rb'
Spec::Runner.configure do |config|
config.mock_with :rr
end
class Ability
include CanCan::Ability
def initialize(user)
end
end