releasing gem v0.2.1

CHANGELOG.rdoc

@@ -1,3 +1,11 @@
+0.2.1 (Nov 26, 2009)
+
+* many internal refactorings - see issues #11 and #12
+
+* adding "cannot" method to define which abilities cannot be done - see issue #7
+
+* support custom objects (usually symbols) in can definition - see issue #8
+
 0.2.0 (Nov 17, 2009)
 
 * fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3

README.rdoc

@@ -4,6 +4,7 @@ This is a simple authorization solution for Ruby on Rails to restrict what a giv
 
 This assumes you already have authentication (such as Authlogic[http://github.com/binarylogic/authlogic]) which provides a current_user model.
 
+See the RDocs[http://rdoc.info/projects/ryanb/cancan] and Wiki[http://wiki.github.com/ryanb/cancan] for additional documentation.
 
 == Installation
 
@@ -111,16 +112,10 @@ You can also pass :manage as the action which will match any action. In this cas
     action != :destroy
   end
   
-Finally, you can use the "alias_action" method to alias one or more actions into one.
+Finally, the "cannot" method works similar to "can" but defines which abilities cannot be done.
 
-  alias_action :update, :destroy, :to => :modify
+  can :read, :all
-  can :modify, Comment
+  cannot :read, Product
-
-The following aliases are added by default for conveniently mapping common controller actions.
-
-  alias_action :index, :show, :to => :read
-  alias_action :new, :to => :create
-  alias_action :edit, :to => :update
 
 
 == Checking Abilities
@@ -140,21 +135,19 @@ The "cannot?" method is for convenience and performs the opposite check of "can?
   cannot? :destroy, @project
 
 
-== Custom Actions
+== Aliasing Actions
 
-You can have fine grained control over abilities by coming up with new actions. For example, if only pro users are allowed to upload a picture for their product, you could add the following restrictions.
+You can use the "alias_action" method to alias one or more actions into one.
 
-  # ability.rb
+  alias_action :update, :destroy, :to => :modify
-  can :upload_picture, Project if user.pro?
+  can :modify, Comment
+  can? :update, Comment # => true
 
-  # projects/_form.html.erb
+The following aliases are added by default for conveniently mapping common controller actions.
-  <%= f.file_field :picture if can? :upload_picture, @project %>
 
-  # projects_controller.rb
+  alias_action :index, :show, :to => :read
-  def update
+  alias_action :new, :to => :create
-    unauthorized! if params[:project][:upload_picture] && cannot?(:upload_picture, @project)
+  alias_action :edit, :to => :update
-    # ...
-  end
 
 
 == Assumptions & Configuring
@@ -173,48 +166,16 @@ You can override these by overriding the "current_ability" method in your Applic
 That's it!
 
 
-== Permissions in Database
-
-Perhaps a non-coder needs the ability to modify the user abilities, or you want to change them without having to re-deploy the application. In that case it may be best to store the permission logic in a separate model, let's call it Permission. It is easy to use the database records when defining abilities.
-
-For example, let's assume that each user has_many :permissions, and each permission has "action", "object_type" and "object_id" columns. The last of which is optional.
-
-  class Ability
-    include CanCan::Ability
-  
-    def initialize(user)
-      can :manage, :all do |action, object_class, object|
-        user.permissions.find_all_by_action(action).any? do |permission|
-          permission.object_type == object_class.to_s &&
-            (object.nil? || permission.object_id.nil? || permission.object_id == object.id)
-        end
-      end
-    end
-  end
-
-An alternatie approach is to define a separate "can" ability for each permission.
-
-  def initialize(user)
-		user.permissions.each do |permission|
-		  can permission.action, permission.object_type.constantize do |object|
-		    object.nil? || permission.object_id.nil? || permission.object_id == object.id
-		  end
-		end
-	end
-
-The actual details will depend largely on your application requirements, but hopefully you can see how it's possible to define permissions in the database and use them with CanCan.
-
-
 == Testing Abilities
 
 It is very easy to test the Ability model since you can call "can?" directly on it as you would in the view or controller.
 
-def test "user can only destroy projects which he owns"
+  def test "user can only destroy projects which he owns"
-  user = User.new
+    user = User.new
-  ability = Ability.new(user)
+    ability = Ability.new(user)
-  assert ability.can?(:destroy, Project.new(:user => user))
+    assert ability.can?(:destroy, Project.new(:user => user))
-  assert ability.cannot?(:destroy, Project.new)
+    assert ability.cannot?(:destroy, Project.new)
-end
+  end
 
 
 == Special Thanks

cancan.gemspec

@@ -4,8 +4,8 @@ Gem::Specification.new do |s|
   s.description = "Simple authorization solution for Rails which is completely decoupled from the user's roles. All permissions are stored in a single location for convenience."
   s.homepage = "http://github.com/ryanb/cancan"
   
-  s.version = "0.2.0"
+  s.version = "0.2.1"
-  s.date = "2009-11-17"
+  s.date = "2009-11-26"
   
   s.authors = ["Ryan Bates"]
   s.email = "ryan@railscasts.com"

lib/cancan.rb

@@ -1,6 +1,9 @@
 module CanCan
+  # This error is raised when a user isn't allowed to access a given
+  # controller action. See ControllerAdditions#unauthorized! for details.
   class AccessDenied < StandardError; end
 end
 
 require File.dirname(__FILE__) + '/cancan/ability'
+require File.dirname(__FILE__) + '/cancan/resource_authorization'
 require File.dirname(__FILE__) + '/cancan/controller_additions'

lib/cancan/ability.rb

@@ -1,49 +1,168 @@
 module CanCan
+  
+  # This module is designed to be included into an Ability class. This will
+  # provide the "can" methods for defining and checking abilities.
+  # 
+  #   class Ability
+  #     include CanCan::Ability
+  #
+  #     def initialize(user)
+  #       if user.admin?
+  #         can :manage, :all
+  #       else
+  #         can :read, :all
+  #       end
+  #     end
+  #   end
+  # 
   module Ability
     attr_accessor :user
 
-    def can?(original_action, target) # TODO this could use some refactoring
+    # Use to check the user's permission for a given action and object.
-      (@can_history || []).reverse.each do |can_action, can_target, can_block|
+    # 
-        can_actions = [can_action].flatten
+    #   can? :destroy, @project
-        can_targets = [can_target].flatten
+    # 
-        possible_actions_for(original_action).each do |action|
+    # You can also pass the class instead of an instance (if you don't have one handy).
-          if (can_actions.include?(:manage) || can_actions.include?(action)) && (can_targets.include?(:all) || can_targets.include?(target) || can_targets.any? { |c| target.kind_of?(c) })
+    # 
-            if can_block.nil?
+    #   can? :create, Project
-              return true
+    # 
-            else
+    # Not only can you use the can? method in the controller and view (see ControllerAdditions), 
-              block_args = []
+    # but you can also call it directly on an ability instance.
-              block_args << action if can_actions.include?(:manage)
+    # 
-              block_args << (target.class == Class ? target : target.class) if can_targets.include?(:all)
+    #   ability.can? :destroy, @project
-              block_args << (target.class == Class ? nil : target)
+    # 
-              return can_block.call(*block_args)
+    # This makes testing a user's abilities very easy.
-            end
+    # 
-          end
+    #   def test "user can only destroy projects which he owns"
+    #     user = User.new
+    #     ability = Ability.new(user)
+    #     assert ability.can?(:destroy, Project.new(:user => user))
+    #     assert ability.cannot?(:destroy, Project.new)
+    #   end
+    # 
+    def can?(action, noun)
+      (@can_definitions || []).reverse.each do |base_behavior, defined_action, defined_noun, defined_block|
+        defined_actions = expand_actions(defined_action)
+        defined_nouns = [defined_noun].flatten
+        if includes_action?(defined_actions, action) && includes_noun?(defined_nouns, noun)
+          result = can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
+          return base_behavior ? result : !result
         end
       end
       false
     end
     
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    # 
+    #   cannot? :destroy, @project
+    # 
     def cannot?(*args)
       !can?(*args)
     end
     
-    def possible_actions_for(initial_action)
+    # Defines which abilities are allowed using two arguments. The first one is the action
-      actions = [initial_action]
+    # you're setting the permission for, the second one is the class of object you're setting it on.
-      (@aliased_actions || default_alias_actions).each do |target, aliases|
+    # 
-        actions += possible_actions_for(target) if aliases.include? initial_action
+    #   can :update, Article
-      end
+    # 
-      actions
+    # You can pass an array for either of these parameters to match any one.
+    #
+    #   can [:update, :destroy], [Article, Comment]
+    #
+    # In this case the user has the ability to update or destroy both articles and comments.
+    #
+    # You can pass a block to provide logic based on the article's attributes.
+    #
+    #   can :update, Article do |article|
+    #     article && article.user == user
+    #   end
+    # 
+    # If the block returns true then the user has that :update ability for that article, otherwise he
+    # will be denied access. It's possible for the passed in model to be nil if one isn't specified,
+    # so be sure to take that into consideration.
+    # 
+    # You can pass :all to reference every type of object. In this case the object type will be passed
+    # into the block as well (just in case object is nil).
+    # 
+    #   can :read, :all do |object_class, object|
+    #     object_class != Order
+    #   end
+    # 
+    # Here the user has permission to read all objects except orders.
+    # 
+    # You can also pass :manage as the action which will match any action. In this case the action is 
+    # passed to the block.
+    # 
+    #   can :manage, Comment do |action, comment|
+    #     action != :destroy
+    #   end
+    # 
+    # You can pass custom objects into this "can" method, this is usually done through a symbol
+    # and is useful if a class isn't available to define permissions on.
+    # 
+    #   can :read, :stats
+    #   can? :read, :stats # => true
+    # 
+    def can(action, noun, &block)
+      @can_definitions ||= []
+      @can_definitions << [true, action, noun, block]
     end
     
-    def can(action, target, &block)
+    # Define an ability which cannot be done. Accepts the same arguments as "can".
-      @can_history ||= []
+    # 
-      @can_history << [action, target, block]
+    #   can :read, :all
+    #   cannot :read, Comment
+    # 
+    # A block can be passed just like "can", however if the logic is complex it is recommended
+    # to use the "can" method.
+    # 
+    #   cannot :read, Product do |product|
+    #     product.invisible?
+    #   end
+    # 
+    def cannot(action, noun, &block)
+      @can_definitions ||= []
+      @can_definitions << [false, action, noun, block]
     end
     
+    # Alias one or more actions into another one.
+    # 
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :modify, Comment
+    # 
+    # Then :modify permission will apply to both :update and :destroy requests.
+    # 
+    #   can? :update, Comment # => true
+    #   can? :destroy, Comment # => true
+    # 
+    # This only works in one direction. Passing the aliased action into the "can?" call
+    # will not work because aliases are meant to generate more generic actions.
+    # 
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :update, Comment
+    #   can? :modify, Comment # => false
+    # 
+    # Unless that exact alias is used.
+    # 
+    #   can :modify, Comment
+    #   can? :modify, Comment # => true
+    # 
+    # The following aliases are added by default for conveniently mapping common controller actions.
+    # 
+    #   alias_action :index, :show, :to => :read
+    #   alias_action :new, :to => :create
+    #   alias_action :edit, :to => :update
+    # 
+    # This way one can use params[:action] in the controller to determine the permission.
     def alias_action(*args)
-      @aliased_actions ||= default_alias_actions
       target = args.pop[:to]
-      @aliased_actions[target] = args
+      aliased_actions[target] = args
+    end
+    
+    private
+    
+    def aliased_actions
+      @aliased_actions ||= default_alias_actions
     end
     
     def default_alias_actions
@@ -53,5 +172,35 @@ module CanCan
         :update => [:edit],
       }
     end
+    
+    def expand_actions(actions)
+      [actions].flatten.map do |action|
+        if aliased_actions[action]
+          [action, *aliased_actions[action]]
+        else
+          action
+        end
+      end.flatten
+    end
+    
+    def can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
+      if defined_block.nil?
+        true
+      else
+        block_args = []
+        block_args << action if defined_actions.include?(:manage)
+        block_args << (noun.class == Class ? noun : noun.class) if defined_nouns.include?(:all)
+        block_args << (noun.class == Class ? nil : noun)
+        return defined_block.call(*block_args)
+      end
+    end
+    
+    def includes_action?(actions, action)
+      actions.include?(:manage) || actions.include?(action)
+    end
+    
+    def includes_noun?(nouns, noun)
+      nouns.include?(:all) || nouns.include?(noun) || nouns.any? { |c| c.kind_of?(Class) && noun.kind_of?(c) }
+    end
   end
 end

lib/cancan/controller_additions.rb

@@ -1,41 +1,113 @@
 module CanCan
+  
+  # This module is automatically included into all controllers.
+  # It also makes the "can?" and "cannot?" methods available to all views.
   module ControllerAdditions
     def self.included(base)
       base.helper_method :can?, :cannot?
     end
     
+    # Raises the CanCan::AccessDenied exception. This is often used in a
+    # controller action to mark a request as unauthorized.
+    # 
+    #   def show
+    #     @article = Article.find(params[:id])
+    #     unauthorized! if cannot? :read, @article
+    #   end
+    # 
+    # You can rescue from the exception in the controller to specify
+    # the user experience.
+    # 
+    #   class ApplicationController < ActionController::Base
+    #     rescue_from CanCan::AccessDenied, :with => :access_denied
+    #   
+    #     protected
+    #   
+    #     def access_denied
+    #       flash[:error] = "Sorry, you are not allowed to access that page."
+    #       redirect_to root_url
+    #     end
+    #   end
+    # 
+    # See the load_and_authorize_resource method to automatically add
+    # the "unauthorized!" behavior to a RESTful controller's actions.
     def unauthorized!
       raise AccessDenied, "You are unable to access this page."
     end
     
+    # Creates and returns the current user's ability. You generally do not invoke
+    # this method directly, instead you can override this method to change its
+    # behavior if the Ability class or current_user method are different.
+    # 
+    #   def current_ability
+    #     UserAbility.new(current_account) # instead of Ability.new(current_user)
+    #   end
+    # 
     def current_ability
       ::Ability.new(current_user)
     end
     
+    # Use in the controller or view to check the user's permission for a given action
+    # and object.
+    # 
+    #   can? :destroy, @project
+    # 
+    # You can also pass the class instead of an instance (if you don't have one handy).
+    # 
+    #   <% if can? :create, Project %>
+    #     <%= link_to "New Project", new_project_path %>
+    #   <% end %>
+    # 
+    # This simply calls "can?" on the current_ability. See Ability#can?.
     def can?(*args)
       (@current_ability ||= current_ability).can?(*args)
     end
     
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    # 
+    #   cannot? :destroy, @project
+    # 
     def cannot?(*args)
       (@current_ability ||= current_ability).cannot?(*args)
     end
     
-    def load_resource # TODO this could use some refactoring
+    # This method loads the appropriate model resource into an instance variable. For example,
-      model_name = params[:controller].split('/').last.singularize
+    # given an ArticlesController it will load the current article into the @article instance
-      unless params[:action] == "index"
+    # variable. It does this by either calling Article.find(params[:id]) or
-        if params[:id]
+    # Article.new(params[:article]) depending upon the action. It does nothing for the "index"
-          instance_variable_set("@#{model_name}", model_name.camelcase.constantize.find(params[:id]))
+    # action.
-        else
+    # 
-          instance_variable_set("@#{model_name}", model_name.camelcase.constantize.new(params[model_name.to_sym]))
+    # You would often use this as a before filter in the controller. See
-        end
+    # load_and_authorize_resource to handle authorization too.
-      end
+    # 
+    #   before_filter :load_resource
+    # 
+    def load_resource
+      ResourceAuthorization.new(self, params).load_resource
     end
     
-    def authorize_resource # TODO this could use some refactoring
+    # Authorizes the resource in the current instance variable. For example,
-      model_name = params[:controller].split('/').last.singularize
+    # if you have an ArticlesController it will check the @article instance variable
-      unauthorized! unless can?(params[:action].to_sym, instance_variable_get("@#{model_name}") || model_name.camelcase.constantize)
+    # and ensure the user can perform the current action on it.
+    # Under the hood it is doing something like the following.
+    # 
+    #   unauthorized! if cannot?(params[:action].to_sym, @article || Article)
+    # 
+    # You would often use this as a before filter in the controller.
+    # 
+    #   before_filter :authorize_resource
+    # 
+    # See load_and_authorize_resource to automatically load the resource too.
+    def authorize_resource
+      ResourceAuthorization.new(self, params).authorize_resource
     end
     
+    # Calls load_resource to load the current resource model into an instance variable. 
+    # Then calls authorize_resource to ensure the current user is authorized to access the page. 
+    # You would often use this as a before filter in the controller.
+    # 
+    #   before_filter :load_and_authorize_resource
+    # 
     def load_and_authorize_resource
       load_resource
       authorize_resource

lib/cancan/resource_authorization.rb

@@ -0,0 +1,41 @@
+module CanCan
+  class ResourceAuthorization # :nodoc:
+    attr_reader :params
+    
+    def initialize(controller, params)
+      @controller = controller
+      @params = params
+    end
+    
+    def load_and_authorize_resource
+      load_resource
+      authorize_resource
+    end
+    
+    def load_resource
+      self.model_instance = params[:id] ? model_class.find(params[:id]) : model_class.new(params[model_name.to_sym]) unless params[:action] == "index"
+    end
+    
+    def authorize_resource
+      @controller.unauthorized! if @controller.cannot?(params[:action].to_sym, model_instance || model_class)
+    end
+    
+    private
+    
+    def model_name
+      params[:controller].split('/').last.singularize
+    end
+    
+    def model_class
+      model_name.camelcase.constantize
+    end
+    
+    def model_instance
+      @controller.instance_variable_get("@#{model_name}")
+    end
+    
+    def model_instance=(instance)
+      @controller.instance_variable_set("@#{model_name}", instance)
+    end
+  end
+end

spec/cancan/ability_spec.rb

@@ -99,4 +99,28 @@ describe CanCan::Ability do
     @ability.can?(:update, []).should be_true
     @ability.can?(:update, 123).should be_false
   end
+  
+  it "should support custom objects in the can definition" do
+    @ability.can :read, :stats
+    @ability.can?(:read, :stats).should be_true
+    @ability.can?(:update, :stats).should be_false
+    @ability.can?(:read, :nonstats).should be_false
+  end
+  
+  it "should support 'cannot' method to define what user cannot do" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer
+    @ability.can?(:read, "foo").should be_true
+    @ability.can?(:read, 123).should be_false
+  end
+  
+  it "should support block on 'cannot' method" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer do |int|
+      int > 5
+    end
+    @ability.can?(:read, "foo").should be_true
+    @ability.can?(:read, 3).should be_true
+    @ability.can?(:read, 123).should be_false
+  end
 end

spec/cancan/controller_additions_spec.rb

@@ -1,16 +1,10 @@
 require File.dirname(__FILE__) + '/../spec_helper'
 
-class Ability
-  include CanCan::Ability
-  
-  def initialize(user)
-  end
-end
-
 describe CanCan::ControllerAdditions do
   before(:each) do
     @controller_class = Class.new
     @controller = @controller_class.new
+    stub(@controller).params { {} }
     mock(@controller_class).helper_method(:can?, :cannot?)
     @controller_class.send(:include, CanCan::ControllerAdditions)
   end
@@ -33,60 +27,19 @@ describe CanCan::ControllerAdditions do
     @controller.cannot?(:foo, :bar).should be_true
   end
   
-  it "should load the resource if params[:id] is specified" do
+  it "should load resource" do
-    stub(@controller).params { {:controller => "abilities", :action => "show", :id => 123} }
+    mock.instance_of(CanCan::ResourceAuthorization).load_resource
-    stub(Ability).find(123) { :some_resource }
     @controller.load_resource
-    @controller.instance_variable_get(:@ability).should == :some_resource
   end
   
-  it "should build a new resource with hash if params[:id] is not specified" do
+  it "should authorize resource" do
-    stub(@controller).params { {:controller => "abilities", :action => "create", :ability => {:foo => "bar"}} }
+    mock.instance_of(CanCan::ResourceAuthorization).authorize_resource
-    stub(Ability).new(:foo => "bar") { :some_resource }
+    @controller.authorize_resource
-    @controller.load_resource
-    @controller.instance_variable_get(:@ability).should == :some_resource
   end
   
-  it "should build a new resource even if attribute hash isn't specified" do
+  it "should load and authorize resource in one call through controller" do
-    stub(@controller).params { {:controller => "abilities", :action => "new"} }
-    stub(Ability).new(nil) { :some_resource }
-    @controller.load_resource
-    @controller.instance_variable_get(:@ability).should == :some_resource
-  end
-  
-  it "should not build a resource when on index action" do
-    stub(@controller).params { {:controller => "abilities", :action => "index"} }
-    @controller.load_resource
-    @controller.instance_variable_get(:@ability).should be_nil
-  end
-  
-  it "should perform authorization using controller action and loaded model" do
-    @controller.instance_variable_set(:@ability, :some_resource)
-    stub(@controller).params { {:controller => "abilities", :action => "show"} }
-    stub(@controller).can?(:show, :some_resource) { false }
-    lambda {
-      @controller.authorize_resource
-    }.should raise_error(CanCan::AccessDenied)
-  end
-  
-  it "should perform authorization using controller action and non loaded model" do
-    stub(@controller).params { {:controller => "abilities", :action => "show"} }
-    stub(@controller).can?(:show, Ability) { false }
-    lambda {
-      @controller.authorize_resource
-    }.should raise_error(CanCan::AccessDenied)
-  end
-  
-  it "should load and authorize resource in one call" do
     mock(@controller).load_resource
-    stub(@controller).authorize_resource
+    mock(@controller).authorize_resource
     @controller.load_and_authorize_resource
   end
-  
-  it "should properly load resource for namespaced controller" do
-    stub(@controller).params { {:controller => "admin/abilities", :action => "show", :id => 123} }
-    stub(Ability).find(123) { :some_resource }
-    @controller.load_resource
-    @controller.instance_variable_get(:@ability).should == :some_resource
-  end
 end

spec/cancan/resource_authorization_spec.rb

@@ -0,0 +1,59 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+describe CanCan::ResourceAuthorization do
+  before(:each) do
+    @controller = Object.new # simple stub for now
+    stub(@controller).unauthorized! { raise CanCan::AccessDenied }
+  end
+  
+  it "should load the resource into an instance variable if params[:id] is specified" do
+    stub(Ability).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should properly load resource for namespaced controller" do
+    stub(Ability).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should build a new resource with hash if params[:id] is not specified" do
+    stub(Ability).new(:foo => "bar") { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should build a new resource even if attribute hash isn't specified" do
+    stub(Ability).new(nil) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should not build a resource when on index action" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  
+  it "should perform authorization using controller action and loaded model" do
+    @controller.instance_variable_set(:@ability, :some_resource)
+    stub(@controller).cannot?(:show, :some_resource) { true }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    lambda {
+      authorization.authorize_resource
+    }.should raise_error(CanCan::AccessDenied)
+  end
+  
+  it "should perform authorization using controller action and non loaded model" do
+    stub(@controller).cannot?(:show, Ability) { true }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    lambda {
+      authorization.authorize_resource
+    }.should raise_error(CanCan::AccessDenied)
+  end
+end

spec/spec_helper.rb

@@ -9,3 +9,10 @@ require File.dirname(__FILE__) + '/../lib/cancan.rb'
 Spec::Runner.configure do |config|
   config.mock_with :rr
 end
+
+class Ability
+  include CanCan::Ability
+  
+  def initialize(user)
+  end
+end