will/cancan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: will:0.1.0
Branches Tags
will:master will:2.0
will:1.6.10 will:1.6.9 will:1.6.8 will:1.6.7 will:1.6.6 will:1.6.5 will:1.6.4 will:1.6.3 will:1.6.2 will:1.6.1 will:1.6.0 will:1.5.1 will:1.5.0 will:1.4.1 will:1.4.0 will:1.3.4 will:1.3.3 will:1.3.2 will:1.3.1 will:1.3.0 will:1.2.0 will:1.1.1 will:1.1 will:1.0.2 will:1.0.1 will:1.0.0 will:0.2.1 will:0.2.0 will:0.1.0
...
compare: will:1.0.0
Branches Tags
will:master will:2.0
will:1.6.10 will:1.6.9 will:1.6.8 will:1.6.7 will:1.6.6 will:1.6.5 will:1.6.4 will:1.6.3 will:1.6.2 will:1.6.1 will:1.6.0 will:1.5.1 will:1.5.0 will:1.4.1 will:1.4.0 will:1.3.4 will:1.3.3 will:1.3.2 will:1.3.1 will:1.3.0 will:1.2.0 will:1.1.1 will:1.1 will:1.0.2 will:1.0.1 will:1.0.0 will:0.2.1 will:0.2.0 will:0.1.0

28 Commits
0.1.0 ... 1.0.0

Author SHA1 Message Date
Ryan Bates
f7480d1f5a releasing gem v1.0.0 (backwards incompatible, see changelog) 2009-12-13 13:47:49 -08:00
Ryan Bates
ffa677b2b0 Don't set resource instance variable if it has been set already - closes #13 2009-12-13 12:32:09 -08:00
Ryan Bates
a75aee751b Allowing :nested option to accept an array for deep nesting 2009-12-13 12:22:05 -08:00
Ryan Bates
51fa61bbae refactoring out resource loading/building logic into separate class 2009-12-13 12:11:02 -08:00
Ryan Bates
cd217eb9cf adding :nested option for load_resource - closes #10 2009-12-13 11:39:02 -08:00
Ryan Bates
94e031bf96 Pass :only and :except options to before filters for load/authorize resource methods. 2009-12-13 11:00:12 -08:00
Ryan Bates
63634b4f5d Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed. 2009-12-13 10:42:10 -08:00
Ryan Bates
a5f98824a0 turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments 2009-12-13 10:03:21 -08:00
Ryan Bates
43947c893d releasing gem v0.2.1 2009-11-26 10:13:22 -08:00
Ryan Bates
e32c5d0dfb calling controller's load_resource and authorize_resource from load_and_authorize_resource to maintain backwards compatability, even though it's not the most efficient way 2009-11-26 09:53:16 -08:00
Ryan Bates
da5a5c031f refactoring out controller logic into separate ResourceAuthorization class - closes #11 2009-11-26 09:29:53 -08:00
Rafael Silva
e92a7d8bf4 Some refactor to be more DRY 2009-11-26 09:38:14 +08:00
Ryan Bates
c40490d672 refactoring ability can? method - closes #12 2009-11-25 17:31:40 -08:00
Ryan Bates
d4405e6070 adding cannot method to define which abilities cannot be done - closes #7 2009-11-25 10:25:58 -08:00
Ryan Bates
e60365505c support custom objects (usually symbols) in can definition - closes #8 2009-11-25 09:55:50 -08:00
Ryan Bates
5bd1a85410 little fixes to inline documentation (rdocs) 2009-11-19 09:46:30 -08:00
Ryan Bates
0ae41f57b8 mentioning wiki in readme 2009-11-18 16:37:10 -08:00
Ryan Bates
b145a98488 linking to the RDocs from README 2009-11-17 17:02:20 -08:00
Ryan Bates
b9227eb971 adding a lot of inline documentation to code for rdocs 2009-11-17 16:56:16 -08:00
Ryan Bates
072cb0f2de fixing spacing issues in README 2009-11-17 12:59:44 -08:00
Ryan Bates
52649a8da1 releasing gem 0.2.0 NOT BACKWARDS COMPATABLE, SEE CHANGELOG 2009-11-17 12:58:42 -08:00
Ryan Bates
15a01a579c fixing behavior of load_and_authorize_resource for namespaced controllers - closes #3 2009-11-17 11:59:59 -08:00
Ryan Bates
766fe86a9f support arrays being passed to 'can' to specify multiple actions or classes - closes #2 2009-11-17 11:46:27 -08:00
Ryan Bates
4322da9d0a expanding readme documentation 2009-11-17 11:22:09 -08:00
Ryan Bates
0f49b5478f adding 'cannot?' method which performs opposite check of 'can?' - closes #1 2009-11-17 10:46:16 -08:00
Ryan Bates
df276536ab adding documentation for testing abilities - closes #6 2009-11-17 10:33:03 -08:00
Ryan Bates
1edf583110 BACKWARDS INCOMPATIBLE: use Ability#initialize instead of 'prepare' to set up abilities - closes #4 2009-11-17 10:25:47 -08:00
Ryan Bates
9d58226563 couple fixes in readme 2009-11-16 22:31:27 -08:00
13 changed files with 765 additions and 168 deletions
Expand all files Collapse all files

37
CHANGELOG.rdoc
View File

@@ -1,3 +1,38 @@
*0.1.0* (Nov 16th, 2009)
1.0.0 (Dec 13, 2009)
* Don't set resource instance variable if it has been set already - see issue #13
* Allowing :nested option to accept an array for deep nesting
* Adding :nested option to load resource method - see issue #10
* Pass :only and :except options to before filters for load/authorize resource methods.
* Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed.
* BACKWARDS INCOMPATIBLE: turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments.
0.2.1 (Nov 26, 2009)
* many internal refactorings - see issues #11 and #12
* adding "cannot" method to define which abilities cannot be done - see issue #7
* support custom objects (usually symbols) in can definition - see issue #8
0.2.0 (Nov 17, 2009)
* fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3
* support arrays being passed to "can" to specify multiple actions or classes - see issue #2
* adding "cannot?" method to ability, controller, and view which is inverse of "can?" - see issue #1
* BACKWARDS INCOMPATIBLE: use Ability#initialize instead of 'prepare' to set up abilities - see issue #4
0.1.0 (Nov 16, 2009)
* initial release

132
README.rdoc
View File

@@ -1,33 +1,34 @@
= CanCan
This is a simple authorization solution for Rails which is completely decoupled from how you set up the user's roles. All permissions are stored in a single location for convenience.
This is a simple authorization solution for Ruby on Rails to restrict what a given user is allowed to access in the application. This is completely decoupled from any role based implementation allowing you to define user roles the way you want. All permissions are stored in a single location for convenience.
This assumes you already have an authentication solution (such as Authlogic) which proves a current_user model.
This assumes you already have authentication (such as Authlogic[http://github.com/binarylogic/authlogic]) which provides a current_user model.
See the RDocs[http://rdoc.info/projects/ryanb/cancan] and Wiki[http://wiki.github.com/ryanb/cancan] for additional documentation.
== Installation
You can set it up as a gem in your environment.rb file.
config.gem "cancan", :source => "http://gemcutter.org"
config.gem "cancan"
And then install the gem.
gem install cancan
sudo rake gems:install
Alternatively you can install it as a Rails plugin.
script/plugin install git://github.com/ryanb/cancan.git
== Setup
== Getting Started
First define a class called Ability, place it in "models/ability.rb".
First, define a class called Ability in "models/ability.rb".
class Ability
include CanCan::Ability
def prepare(user)
def initialize(user)
if user.admin?
can :manage, :all
else
@@ -36,32 +37,32 @@ First define a class called Ability, place it in "models/ability.rb".
end
end
This class is where all permissions will go. See the "Defining Abilities" section below for more information.
This is where all permissions will go. See the "Defining Abilities" section below for more information.
In the view layer you can access the current permissions at any point using the "can?" method. See "Checking Abilities" section below.
You can access the current permissions at any point using the "can?" and "cannot?" methods in the view.
<% if can? :update, @article %>
<%= link_to "Edit", edit_article_path(@article) %>
<% end %>
You can also use this method in the controller layer along with the "unauthorized!" method to restrict access.
You can also use these methods in a controller along with the "unauthorized!" method to restrict access.
def show
@article = Article.find(params[:id])
unauthorized! unless can? :read, @article
unauthorized! if cannot? :read, @article
end
Setting this for every action can be tedious, therefore a before filter is also provided for automatically applying this setting to a RESTful style resource controller.
Setting this for every action can be tedious, therefore the load_and_authorize_resource method is also provided to automatically authorize all actions in a RESTful style resource controller. It will set up a before filter which loads the resource into the instance variable and authorizes it.
class ArticlesController < ApplicationController
before_filter :load_and_authorize_resource
load_and_authorize_resource
def show
# @article is already loaded
end
end
If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior.
If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior in the ApplicationController.
class ApplicationController < ActionController::Base
rescue_from CanCan::AccessDenied, :with => :access_denied
@@ -77,7 +78,7 @@ If the user authorization fails, a CanCan::AccessDenied exception will be raised
== Defining Abilities
As shown above, the Ability#prepare method is where all user permissions are defined. The user model is passed into this method so you are free to modify the permissions based on the user's attributes. This way CanCan is completely decoupled with how you choose to handle roles.
As shown above, the Ability class is where all user permissions are defined. The user model is passed into the initialize method so you are free to modify the permissions based on the user's attributes. This way CanCan is completely decoupled with how you choose to handle roles.
The "can" method accepts two arguments, the first one is the action you're setting the permission for, the second one is the class of object you're setting it on.
@@ -89,7 +90,7 @@ You can pass an array for either of these parameters to match any one.
In this case the user has the ability to update or destroy both articles and comments.
You can pass a block to provide logic based on the article's attributes. For example:
You can pass a block to provide logic based on the article's attributes.
can :update, Article do |article|
article && article.user == user
@@ -111,16 +112,10 @@ You can also pass :manage as the action which will match any action. In this cas
action != :destroy
end
Finally, you can use the "alias_action" method to alias one or more actions into one.
Finally, the "cannot" method works similar to "can" but defines which abilities cannot be done.
alias_action :update, :destroy, :to => :modify
can :modify, Comment
The following aliases are added by default for conveniently mapping common controller actions.
alias_action :index, :show, :to => :read
alias_action :new, :to => :create
alias_action :edit, :to => :update
can :read, :all
cannot :read, Product
== Checking Abilities
@@ -129,65 +124,84 @@ Use the "can?" method in the controller or view to check the user's permission f
can? :destroy, @project
You can also pass the class instead of an instance (if you don't have one handy). For example:
You can also pass the class instead of an instance (if you don't have one handy).
<% if can? :create, Project %>
<%= link_to "New Project", new_project_path %>
<% end %>
The "cannot?" method is for convenience and performs the opposite check of "can?"
== Custom Actions
cannot? :destroy, @project
There is no limit to what actions you can use to determine abilities. For example, if only pro users are allowed to upload a picture for their product, you might add restrictions like this.
# ability.rb
can :upload_picture, Project if user.pro?
== Aliasing Actions
# projects/_form.html.erb
<%= f.file_field :picture if can? :upload_picture, @project %>
You can use the "alias_action" method to alias one or more actions into one.
# projects_controller.rb
def update
unauthorized! if params[:project][:upload_picture] && !can?(:upload_picture, @project)
# ...
alias_action :update, :destroy, :to => :modify
can :modify, Comment
can? :update, Comment # => true
The following aliases are added by default for conveniently mapping common controller actions.
alias_action :index, :show, :to => :read
alias_action :new, :to => :create
alias_action :edit, :to => :update
== Authorizing Controller Actions
As mentioned in the Getting Started section, you can use the +load_and_authorize_resource+ method in your controller to load the resource into an instance variable and authorize it. If you have a nested resource you can specify that as well.
load_and_authorize_resource :nested => :author
You can also pass an array to the :+nested+ attribute for deep nesting.
If you want to customize the loading behavior on certain actions, you can do so in a before filter.
class BooksController < ApplicationController
before_filter :find_book_by_permalink, :only => :show
load_and_authorize_resource
private
def find_book_by_permalink
@book = Book.find_by_permalink!(params[:id)
end
end
Here the @book instance variable is already set so it will not be loaded again for that action. This works for nested resources as well.
== Customizing Assumptions
== Assumptions & Configuring
CanCan makes two assumptions about your application.
* The permissions are defined in Ability#prepare.
* The user is fetched with current_user method in the controller.
* You have an Ability class which defines the permissions.
* You have a current_user method in the controller which returns the current user model.
You can override these by defining the "current_ability" method in your ApplicationController.
You can override these by overriding the "current_ability" method in your ApplicationController.
def current_ability
ability = UserAbility.new # instead of Ability
ability.prepare(current_account) # instead of current_user
ability # be sure to return the ability
UserAbility.new(current_account) # instead of Ability.new(current_user)
end
That's it!
== Permissions in Database
== Testing Abilities
Perhaps a non-coder needs the ability to modify the user abilities, or you want to change them without having to re-deploy the application. In that case it may be best to store the permission logic in a separate model, let's call it Permission. It is easy to use the database records when defining abilities.
It is very easy to test the Ability model since you can call "can?" directly on it as you would in the view or controller.
For example, let's assume that each user has_many :permissions, and each permission has "action", "object_type" and "object_id" columns. The last of which is optional.
class Ability
include CanCan::Ability
def prepare(user)
can :manage, :all do |action, object_class, object|
user.permissions.find_all_by_action(action).any? do |permission|
permission.object_type.constantize == object_class &&
(object.nil? || permission.object_id.nil? || permission.object_id == object.id)
end
end
end
def test "user can only destroy projects which he owns"
user = User.new
ability = Ability.new(user)
assert ability.can?(:destroy, Project.new(:user => user))
assert ability.cannot?(:destroy, Project.new)
end
The actual details will depend largely on your application requirements, but hopefully you can see how it's possible to define permissions in the database and use them with CanCan.
== Special Thanks
CanCan was inspired by declarative_authorization[http://github.com/stffn/declarative_authorization/] and aegis[http://github.com/makandra/aegis]. Many thanks to the authors and contributors.

4
cancan.gemspec
View File

@@ -4,8 +4,8 @@ Gem::Specification.new do |s|
s.description = "Simple authorization solution for Rails which is completely decoupled from the user's roles. All permissions are stored in a single location for convenience."
s.homepage = "http://github.com/ryanb/cancan"
s.version = "0.1.0"
s.date = "2009-11-16"
s.version = "1.0.0"
s.date = "2009-12-13"
s.authors = ["Ryan Bates"]
s.email = "ryan@railscasts.com"

4
lib/cancan.rb
View File

@@ -1,6 +1,10 @@
module CanCan
# This error is raised when a user isn't allowed to access a given
# controller action. See ControllerAdditions#unauthorized! for details.
class AccessDenied < StandardError; end
end
require File.dirname(__FILE__) + '/cancan/ability'
require File.dirname(__FILE__) + '/cancan/controller_resource'
require File.dirname(__FILE__) + '/cancan/resource_authorization'
require File.dirname(__FILE__) + '/cancan/controller_additions'

205
lib/cancan/ability.rb
View File

@@ -1,43 +1,168 @@
module CanCan
# This module is designed to be included into an Ability class. This will
# provide the "can" methods for defining and checking abilities.
#
# class Ability
# include CanCan::Ability
#
# def initialize(user)
# if user.admin?
# can :manage, :all
# else
# can :read, :all
# end
# end
# end
#
module Ability
attr_accessor :user
def can?(original_action, target) # TODO this could use some refactoring
(@can_history || []).reverse.each do |can_action, can_target, can_block|
possible_actions_for(original_action).each do |action|
if (can_action == :manage || can_action == action) && (can_target == :all || can_target == target || target.kind_of?(can_target))
if can_block.nil?
return true
else
block_args = []
block_args << action if can_action == :manage
block_args << (target.class == Class ? target : target.class) if can_target == :all
block_args << (target.class == Class ? nil : target)
return can_block.call(*block_args)
end
end
# Use to check the user's permission for a given action and object.
#
# can? :destroy, @project
#
# You can also pass the class instead of an instance (if you don't have one handy).
#
# can? :create, Project
#
# Not only can you use the can? method in the controller and view (see ControllerAdditions),
# but you can also call it directly on an ability instance.
#
# ability.can? :destroy, @project
#
# This makes testing a user's abilities very easy.
#
# def test "user can only destroy projects which he owns"
# user = User.new
# ability = Ability.new(user)
# assert ability.can?(:destroy, Project.new(:user => user))
# assert ability.cannot?(:destroy, Project.new)
# end
#
def can?(action, noun)
(@can_definitions || []).reverse.each do |base_behavior, defined_action, defined_noun, defined_block|
defined_actions = expand_actions(defined_action)
defined_nouns = [defined_noun].flatten
if includes_action?(defined_actions, action) && includes_noun?(defined_nouns, noun)
result = can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
return base_behavior ? result : !result
end
end
false
end
def possible_actions_for(initial_action)
actions = [initial_action]
(@aliased_actions || default_alias_actions).each do |target, aliases|
actions += possible_actions_for(target) if aliases.include? initial_action
end
actions
# Convenience method which works the same as "can?" but returns the opposite value.
#
# cannot? :destroy, @project
#
def cannot?(*args)
!can?(*args)
end
def can(action, target, &block)
@can_history ||= []
@can_history << [action, target, block]
# Defines which abilities are allowed using two arguments. The first one is the action
# you're setting the permission for, the second one is the class of object you're setting it on.
#
# can :update, Article
#
# You can pass an array for either of these parameters to match any one.
#
# can [:update, :destroy], [Article, Comment]
#
# In this case the user has the ability to update or destroy both articles and comments.
#
# You can pass a block to provide logic based on the article's attributes.
#
# can :update, Article do |article|
# article && article.user == user
# end
#
# If the block returns true then the user has that :update ability for that article, otherwise he
# will be denied access. It's possible for the passed in model to be nil if one isn't specified,
# so be sure to take that into consideration.
#
# You can pass :all to reference every type of object. In this case the object type will be passed
# into the block as well (just in case object is nil).
#
# can :read, :all do |object_class, object|
# object_class != Order
# end
#
# Here the user has permission to read all objects except orders.
#
# You can also pass :manage as the action which will match any action. In this case the action is
# passed to the block.
#
# can :manage, Comment do |action, comment|
# action != :destroy
# end
#
# You can pass custom objects into this "can" method, this is usually done through a symbol
# and is useful if a class isn't available to define permissions on.
#
# can :read, :stats
# can? :read, :stats # => true
#
def can(action, noun, &block)
@can_definitions ||= []
@can_definitions << [true, action, noun, block]
end
# Define an ability which cannot be done. Accepts the same arguments as "can".
#
# can :read, :all
# cannot :read, Comment
#
# A block can be passed just like "can", however if the logic is complex it is recommended
# to use the "can" method.
#
# cannot :read, Product do |product|
# product.invisible?
# end
#
def cannot(action, noun, &block)
@can_definitions ||= []
@can_definitions << [false, action, noun, block]
end
# Alias one or more actions into another one.
#
# alias_action :update, :destroy, :to => :modify
# can :modify, Comment
#
# Then :modify permission will apply to both :update and :destroy requests.
#
# can? :update, Comment # => true
# can? :destroy, Comment # => true
#
# This only works in one direction. Passing the aliased action into the "can?" call
# will not work because aliases are meant to generate more generic actions.
#
# alias_action :update, :destroy, :to => :modify
# can :update, Comment
# can? :modify, Comment # => false
#
# Unless that exact alias is used.
#
# can :modify, Comment
# can? :modify, Comment # => true
#
# The following aliases are added by default for conveniently mapping common controller actions.
#
# alias_action :index, :show, :to => :read
# alias_action :new, :to => :create
# alias_action :edit, :to => :update
#
# This way one can use params[:action] in the controller to determine the permission.
def alias_action(*args)
@aliased_actions ||= default_alias_actions
target = args.pop[:to]
@aliased_actions[target] = args
aliased_actions[target] = args
end
private
def aliased_actions
@aliased_actions ||= default_alias_actions
end
def default_alias_actions
@@ -48,8 +173,34 @@ module CanCan
}
end
def prepare(user)
# to be overriden by included class
def expand_actions(actions)
[actions].flatten.map do |action|
if aliased_actions[action]
[action, *aliased_actions[action]]
else
action
end
end.flatten
end
def can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
if defined_block.nil?
true
else
block_args = []
block_args << action if defined_actions.include?(:manage)
block_args << (noun.class == Class ? noun : noun.class) if defined_nouns.include?(:all)
block_args << (noun.class == Class ? nil : noun)
return defined_block.call(*block_args)
end
end
def includes_action?(actions, action)
actions.include?(:manage) || actions.include?(action)
end
def includes_noun?(nouns, noun)
nouns.include?(:all) || nouns.include?(noun) || nouns.any? { |c| c.kind_of?(Class) && noun.kind_of?(c) }
end
end
end

180
lib/cancan/controller_additions.rb
View File

@@ -1,40 +1,176 @@
module CanCan
# This module is automatically included into all controllers.
# It also makes the "can?" and "cannot?" methods available to all views.
module ControllerAdditions
def self.included(base)
base.helper_method :can?
module ClassMethods
# Sets up a before filter which loads and authorizes the current resource. This performs both
# load_resource and authorize_resource and accepts the same arguments. See those methods for details.
#
# class BooksController < ApplicationController
# load_and_authorize_resource
# end
#
def load_and_authorize_resource(options = {})
before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_and_authorize_resource }
end
# Sets up a before filter which loads the appropriate model resource into an instance variable.
# For example, given an ArticlesController it will load the current article into the @article
# instance variable. It does this by either calling Article.find(params[:id]) or
# Article.new(params[:article]) depending upon the action. It does nothing for the "index"
# action.
#
# Call this method directly on the controller class.
#
# class BooksController < ApplicationController
# load_resource
# end
#
# A resource is not loaded if the instance variable is already set. This makes it easy to override
# the behavior through a before_filter on certain actions.
#
# class BooksController < ApplicationController
# before_filter :find_book_by_permalink, :only => :show
# load_resource
#
# private
#
# def find_book_by_permalink
# @book = Book.find_by_permalink!(params[:id)
# end
# end
#
# See load_and_authorize_resource to automatically authorize the resource too.
#
# Options:
# [:+only+]
# Only applies before filter to given actions.
#
# [:+except+]
# Does not apply before filter to given actions.
#
# [:+nested+]
# Specify which resource this is nested under.
#
# load_resource :nested => :author
#
# Deep nesting can be defined in an array.
#
# load_resource :nested => [:publisher, :author]
#
# [:+collection+]
# Specify which actions are resource collection actions in addition to :+index+. This
# is usually not necessary because it will try to guess depending on if an :+id+
# is present in +params+.
#
# load_resource :collection => [:sort, :list]
#
# [:+new+]
# Specify which actions are new resource actions in addition to :+new+ and :+create+.
# Pass an action name into here if you would like to build a new resource instead of
# fetch one.
#
# load_resource :new => :build
#
def load_resource(options = {})
before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_resource }
end
# Sets up a before filter which authorizes the current resource using the instance variable.
# For example, if you have an ArticlesController it will check the @article instance variable
# and ensure the user can perform the current action on it. Under the hood it is doing
# something like the following.
#
# unauthorized! if cannot?(params[:action].to_sym, @article || Article)
#
# Call this method directly on the controller class.
#
# class BooksController < ApplicationController
# authorize_resource
# end
#
# See load_and_authorize_resource to automatically load the resource too.
#
# Options:
# [:+only+]
# Only applies before filter to given actions.
#
# [:+except+]
# Does not apply before filter to given actions.
#
def authorize_resource(options = {})
before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).authorize_resource }
end
end
def self.included(base)
base.extend ClassMethods
base.helper_method :can?, :cannot?
end
# Raises the CanCan::AccessDenied exception. This is often used in a
# controller action to mark a request as unauthorized.
#
# def show
# @article = Article.find(params[:id])
# unauthorized! if cannot? :read, @article
# end
#
# You can rescue from the exception in the controller to specify
# the user experience.
#
# class ApplicationController < ActionController::Base
# rescue_from CanCan::AccessDenied, :with => :access_denied
#
# protected
#
# def access_denied
# flash[:error] = "Sorry, you are not allowed to access that page."
# redirect_to root_url
# end
# end
#
# See the load_and_authorize_resource method to automatically add
# the "unauthorized!" behavior to a RESTful controller's actions.
def unauthorized!
raise AccessDenied, "You are unable to access this page."
end
# Creates and returns the current user's ability. You generally do not invoke
# this method directly, instead you can override this method to change its
# behavior if the Ability class or current_user method are different.
#
# def current_ability
# UserAbility.new(current_account) # instead of Ability.new(current_user)
# end
#
def current_ability
ability = ::Ability.new
ability.prepare(current_user)
ability
::Ability.new(current_user)
end
# Use in the controller or view to check the user's permission for a given action
# and object.
#
# can? :destroy, @project
#
# You can also pass the class instead of an instance (if you don't have one handy).
#
# <% if can? :create, Project %>
# <%= link_to "New Project", new_project_path %>
# <% end %>
#
# This simply calls "can?" on the current_ability. See Ability#can?.
def can?(*args)
(@current_ability ||= current_ability).can?(*args)
end
def load_resource # TODO this could use some refactoring
unless params[:action] == "index"
if params[:id]
instance_variable_set("@#{params[:controller].singularize}", params[:controller].singularize.camelcase.constantize.find(params[:id]))
else
instance_variable_set("@#{params[:controller].singularize}", params[:controller].singularize.camelcase.constantize.new(params[params[:controller].singularize.to_sym]))
end
end
end
def authorize_resource # TODO this could use some refactoring
unauthorized! unless can?(params[:action].to_sym, instance_variable_get("@#{params[:controller].singularize}") || params[:controller].singularize.camelcase.constantize)
end
def load_and_authorize_resource
load_resource
authorize_resource
# Convenience method which works the same as "can?" but returns the opposite value.
#
# cannot? :destroy, @project
#
def cannot?(*args)
(@current_ability ||= current_ability).cannot?(*args)
end
end
end

39
lib/cancan/controller_resource.rb Normal file
View File

@@ -0,0 +1,39 @@
module CanCan
class ControllerResource # :nodoc:
def initialize(controller, name, parent = nil)
@controller = controller
@name = name
@parent = parent
end
def model_class
@name.to_s.camelize.constantize
end
def find(id)
self.model_instance ||= base.find(id)
end
def build(attributes)
if base.kind_of? Class
self.model_instance ||= base.new(attributes)
else
self.model_instance ||= base.build(attributes)
end
end
def model_instance
@controller.instance_variable_get("@#{@name}")
end
def model_instance=(instance)
@controller.instance_variable_set("@#{@name}", instance)
end
private
def base
@parent ? @parent.model_instance.send(@name.to_s.pluralize) : model_class
end
end
end

57
lib/cancan/resource_authorization.rb Normal file
View File

@@ -0,0 +1,57 @@
module CanCan
class ResourceAuthorization # :nodoc:
attr_reader :params
def initialize(controller, params, options = {})
@controller = controller
@params = params
@options = options
end
def load_and_authorize_resource
load_resource
authorize_resource
end
def load_resource
unless collection_actions.include? params[:action].to_sym
if new_actions.include? params[:action].to_sym
resource.build(params[model_name.to_sym])
elsif params[:id]
resource.find(params[:id])
end
end
end
def authorize_resource
@controller.unauthorized! if @controller.cannot?(params[:action].to_sym, resource.model_instance || resource.model_class)
end
private
def resource
@resource ||= ControllerResource.new(@controller, model_name, parent_resource)
end
def parent_resource
parent = nil
[@options[:nested]].flatten.compact.each do |name|
parent = ControllerResource.new(@controller, name, parent)
parent.find(@params["#{name}_id".to_sym])
end
parent
end
def model_name
params[:controller].split('/').last.singularize
end
def collection_actions
[:index] + [@options[:collection]].flatten
end
def new_actions
[:new, :create] + [@options[:new]].flatten
end
end
end

46
spec/cancan/ability_spec.rb
View File

@@ -78,7 +78,49 @@ describe CanCan::Ability do
@ability.can?(:edit, 123).should == :update_called
end
it "should respond to prepare" do
@ability.should respond_to(:prepare)
it "should not respond to prepare (now using initialize)" do
@ability.should_not respond_to(:prepare)
end
it "should offer cannot? method which is simply invert of can?" do
@ability.cannot?(:tie, String).should be_true
end
it "should be able to specify multiple actions and match any" do
@ability.can [:read, :update], :all
@ability.can?(:read, 123).should be_true
@ability.can?(:update, 123).should be_true
@ability.can?(:count, 123).should be_false
end
it "should be able to specify multiple classes and match any" do
@ability.can :update, [String, Array]
@ability.can?(:update, "foo").should be_true
@ability.can?(:update, []).should be_true
@ability.can?(:update, 123).should be_false
end
it "should support custom objects in the can definition" do
@ability.can :read, :stats
@ability.can?(:read, :stats).should be_true
@ability.can?(:update, :stats).should be_false
@ability.can?(:read, :nonstats).should be_false
end
it "should support 'cannot' method to define what user cannot do" do
@ability.can :read, :all
@ability.cannot :read, Integer
@ability.can?(:read, "foo").should be_true
@ability.can?(:read, 123).should be_false
end
it "should support block on 'cannot' method" do
@ability.can :read, :all
@ability.cannot :read, Integer do |int|
int > 5
end
@ability.can?(:read, "foo").should be_true
@ability.can?(:read, 3).should be_true
@ability.can?(:read, 123).should be_false
end
end

66
spec/cancan/controller_additions_spec.rb
View File

@@ -1,14 +1,11 @@
require File.dirname(__FILE__) + '/../spec_helper'
class Ability
include CanCan::Ability
end
describe CanCan::ControllerAdditions do
before(:each) do
@controller_class = Class.new
@controller = @controller_class.new
mock(@controller_class).helper_method(:can?)
stub(@controller).params { {} }
mock(@controller_class).helper_method(:can?, :cannot?)
@controller_class.send(:include, CanCan::ControllerAdditions)
end
@@ -23,59 +20,28 @@ describe CanCan::ControllerAdditions do
@controller.current_ability.should be_kind_of(Ability)
end
it "should provide a can? method which goes through the current ability" do
it "should provide a can? and cannot? methods which go through the current ability" do
stub(@controller).current_user { :current_user }
@controller.current_ability.should be_kind_of(Ability)
@controller.can?(:foo, :bar).should be_false
@controller.cannot?(:foo, :bar).should be_true
end
it "should load the resource if params[:id] is specified" do
stub(@controller).params { {:controller => "abilities", :action => "show", :id => 123} }
stub(Ability).find(123) { :some_resource }
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource
mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
@controller_class.load_and_authorize_resource :foo => :bar
end
it "should build a new resource with hash if params[:id] is not specified" do
stub(@controller).params { {:controller => "abilities", :action => "create", :ability => {:foo => "bar"}} }
stub(Ability).new(:foo => "bar") { :some_resource }
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource
mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) }
@controller_class.authorize_resource :foo => :bar, :except => :show
end
it "should build a new resource even if attribute hash isn't specified" do
stub(@controller).params { {:controller => "abilities", :action => "new"} }
stub(Ability).new(nil) { :some_resource }
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should not build a resource when on index action" do
stub(@controller).params { {:controller => "abilities", :action => "index"} }
@controller.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should perform authorization using controller action and loaded model" do
@controller.instance_variable_set(:@ability, :some_resource)
stub(@controller).params { {:controller => "abilities", :action => "show"} }
stub(@controller).can?(:show, :some_resource) { false }
lambda {
@controller.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should perform authorization using controller action and non loaded model" do
stub(@controller).params { {:controller => "abilities", :action => "show"} }
stub(@controller).can?(:show, Ability) { false }
lambda {
@controller.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should load and authorize resource in one call" do
mock(@controller).load_resource
stub(@controller).authorize_resource
@controller.load_and_authorize_resource
it "load_resource should setup a before filter which passes call to ResourceAuthorization" do
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource
mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) }
@controller_class.load_resource :foo => :bar, :only => [:show, :index]
end
end

43
spec/cancan/controller_resource_spec.rb Normal file
View File

@@ -0,0 +1,43 @@
require File.dirname(__FILE__) + '/../spec_helper'
describe CanCan::ControllerResource do
before(:each) do
@controller = Object.new
end
it "should determine model class by constantizing give name" do
CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability
end
it "should fetch model through model class and assign it to the instance" do
stub(Ability).find(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability).find(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should fetch model through parent and assign it to the instance" do
parent = Object.new
stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability, parent).find(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should build model through model class and assign it to the instance" do
stub(Ability).new(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability).build(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should build model through parent and assign it to the instance" do
parent = Object.new
stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability, parent).build(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should not load resource if instance variable is already provided" do
@controller.instance_variable_set(:@ability, :some_ability)
CanCan::ControllerResource.new(@controller, :ability).find(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
end

99
spec/cancan/resource_authorization_spec.rb Normal file
View File

@@ -0,0 +1,99 @@
require File.dirname(__FILE__) + '/../spec_helper'
describe CanCan::ResourceAuthorization do
before(:each) do
@controller = Object.new # simple stub for now
stub(@controller).unauthorized! { raise CanCan::AccessDenied }
end
it "should load the resource into an instance variable if params[:id] is specified" do
stub(Ability).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should properly load resource for namespaced controller" do
stub(Ability).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should build a new resource with hash if params[:id] is not specified" do
stub(Ability).new(:foo => "bar") { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should build a new resource even if attribute hash isn't specified" do
stub(Ability).new(nil) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should not build a resource when on index action" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should perform authorization using controller action and loaded model" do
@controller.instance_variable_set(:@ability, :some_resource)
stub(@controller).cannot?(:show, :some_resource) { true }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
lambda {
authorization.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should perform authorization using controller action and non loaded model" do
stub(@controller).cannot?(:show, Ability) { true }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
lambda {
authorization.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should call load_resource and authorize_resource for load_and_authorize_resource" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
mock(authorization).load_resource
mock(authorization).authorize_resource
authorization.load_and_authorize_resource
end
it "should not build a resource when on custom collection action" do
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "sort"}, {:collection => [:sort, :list]})
authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should build a resource when on custom new action even when params[:id] exists" do
stub(Ability).new(nil) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "build", :id => 123}, {:new => :build})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should not try to load resource for other action if params[:id] is undefined" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "list")
authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should load nested resource and fetch other resource through the association" do
stub(Person).find(456).stub!.abilities.stub!.find(123) { :some_ability }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123, :person_id => 456}, {:nested => :person})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should load nested resource and build resource through a deep association" do
stub(Person).find(456).stub!.behaviors.stub!.find(789).stub!.abilities.stub!.build(nil) { :some_ability }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456, :behavior_id => 789}, {:nested => [:person, :behavior]})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_ability
end
end

11
spec/spec_helper.rb
View File

@@ -9,3 +9,14 @@ require File.dirname(__FILE__) + '/../lib/cancan.rb'
Spec::Runner.configure do |config|
config.mock_with :rr
end
class Ability
include CanCan::Ability
def initialize(user)
end
end
# this class helps out in testing nesting
class Person
end