releasing gem v1.0.0 (backwards incompatible, see changelog)

CHANGELOG.rdoc

@@ -1,3 +1,27 @@
+1.0.0 (Dec 13, 2009)
+
+* Don't set resource instance variable if it has been set already - see issue #13
+
+* Allowing :nested option to accept an array for deep nesting
+
+* Adding :nested option to load resource method - see issue #10
+
+* Pass :only and :except options to before filters for load/authorize resource methods.
+
+* Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed.
+
+* BACKWARDS INCOMPATIBLE: turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments.
+
+
+0.2.1 (Nov 26, 2009)
+
+* many internal refactorings - see issues #11 and #12
+
+* adding "cannot" method to define which abilities cannot be done - see issue #7
+
+* support custom objects (usually symbols) in can definition - see issue #8
+
+
 0.2.0 (Nov 17, 2009)
 
 * fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3

README.rdoc

@@ -4,12 +4,13 @@ This is a simple authorization solution for Ruby on Rails to restrict what a giv
 
 This assumes you already have authentication (such as Authlogic[http://github.com/binarylogic/authlogic]) which provides a current_user model.
 
+See the RDocs[http://rdoc.info/projects/ryanb/cancan] and Wiki[http://wiki.github.com/ryanb/cancan] for additional documentation.
 
 == Installation
 
 You can set it up as a gem in your environment.rb file.
   
-  config.gem "cancan", :source => "http://gemcutter.org"
+  config.gem "cancan"
   
 And then install the gem.
 
@@ -20,7 +21,7 @@ Alternatively you can install it as a Rails plugin.
   script/plugin install git://github.com/ryanb/cancan.git
 
 
-== Setup
+== Getting Started
 
 First, define a class called Ability in "models/ability.rb".
 
@@ -51,10 +52,10 @@ You can also use these methods in a controller along with the "unauthorized!" me
     unauthorized! if cannot? :read, @article
   end
 
-Setting this for every action can be tedious, therefore a before filter is also provided to automatically authorize all actions in a RESTful style resource controller.
+Setting this for every action can be tedious, therefore the load_and_authorize_resource method is also provided to automatically authorize all actions in a RESTful style resource controller. It will set up a before filter which loads the resource into the instance variable and authorizes it.
 
   class ArticlesController < ApplicationController
-    before_filter :load_and_authorize_resource
+    load_and_authorize_resource
     
     def show
       # @article is already loaded
@@ -111,16 +112,10 @@ You can also pass :manage as the action which will match any action. In this cas
     action != :destroy
   end
   
-Finally, you can use the "alias_action" method to alias one or more actions into one.
+Finally, the "cannot" method works similar to "can" but defines which abilities cannot be done.
 
-  alias_action :update, :destroy, :to => :modify
+  can :read, :all
-  can :modify, Comment
+  cannot :read, Product
-
-The following aliases are added by default for conveniently mapping common controller actions.
-
-  alias_action :index, :show, :to => :read
-  alias_action :new, :to => :create
-  alias_action :edit, :to => :update
 
 
 == Checking Abilities
@@ -140,22 +135,44 @@ The "cannot?" method is for convenience and performs the opposite check of "can?
   cannot? :destroy, @project
 
 
-== Custom Actions
+== Aliasing Actions
 
-You can have fine grained control over abilities by coming up with new actions. For example, if only pro users are allowed to upload a picture for their product, you could add the following restrictions.
+You can use the "alias_action" method to alias one or more actions into one.
 
-  # ability.rb
+  alias_action :update, :destroy, :to => :modify
-  can :upload_picture, Project if user.pro?
+  can :modify, Comment
+  can? :update, Comment # => true
 
-  # projects/_form.html.erb
+The following aliases are added by default for conveniently mapping common controller actions.
-  <%= f.file_field :picture if can? :upload_picture, @project %>
 
-  # projects_controller.rb
+  alias_action :index, :show, :to => :read
-  def update
+  alias_action :new, :to => :create
-    unauthorized! if params[:project][:upload_picture] && cannot?(:upload_picture, @project)
+  alias_action :edit, :to => :update
-    # ...
+
+
+== Authorizing Controller Actions
+
+As mentioned in the Getting Started section, you can use the +load_and_authorize_resource+ method in your controller to load the resource into an instance variable and authorize it. If you have a nested resource you can specify that as well.
+
+  load_and_authorize_resource :nested => :author
+
+You can also pass an array to the :+nested+ attribute for deep nesting.
+
+If you want to customize the loading behavior on certain actions, you can do so in a before filter.
+
+  class BooksController < ApplicationController
+    before_filter :find_book_by_permalink, :only => :show
+    load_and_authorize_resource
+  
+    private
+  
+    def find_book_by_permalink
+      @book = Book.find_by_permalink!(params[:id)
+    end
   end
 
+Here the @book instance variable is already set so it will not be loaded again for that action. This works for nested resources as well.
+
 
 == Assumptions & Configuring
 
@@ -173,48 +190,16 @@ You can override these by overriding the "current_ability" method in your Applic
 That's it!
 
 
-== Permissions in Database
-
-Perhaps a non-coder needs the ability to modify the user abilities, or you want to change them without having to re-deploy the application. In that case it may be best to store the permission logic in a separate model, let's call it Permission. It is easy to use the database records when defining abilities.
-
-For example, let's assume that each user has_many :permissions, and each permission has "action", "object_type" and "object_id" columns. The last of which is optional.
-
-  class Ability
-    include CanCan::Ability
-  
-    def initialize(user)
-      can :manage, :all do |action, object_class, object|
-        user.permissions.find_all_by_action(action).any? do |permission|
-          permission.object_type == object_class.to_s &&
-            (object.nil? || permission.object_id.nil? || permission.object_id == object.id)
-        end
-      end
-    end
-  end
-
-An alternatie approach is to define a separate "can" ability for each permission.
-
-  def initialize(user)
-		user.permissions.each do |permission|
-		  can permission.action, permission.object_type.constantize do |object|
-		    object.nil? || permission.object_id.nil? || permission.object_id == object.id
-		  end
-		end
-	end
-
-The actual details will depend largely on your application requirements, but hopefully you can see how it's possible to define permissions in the database and use them with CanCan.
-
-
 == Testing Abilities
 
 It is very easy to test the Ability model since you can call "can?" directly on it as you would in the view or controller.
 
-def test "user can only destroy projects which he owns"
+  def test "user can only destroy projects which he owns"
-  user = User.new
+    user = User.new
-  ability = Ability.new(user)
+    ability = Ability.new(user)
-  assert ability.can?(:destroy, Project.new(:user => user))
+    assert ability.can?(:destroy, Project.new(:user => user))
-  assert ability.cannot?(:destroy, Project.new)
+    assert ability.cannot?(:destroy, Project.new)
-end
+  end
 
 
 == Special Thanks

cancan.gemspec

@@ -4,8 +4,8 @@ Gem::Specification.new do |s|
   s.description = "Simple authorization solution for Rails which is completely decoupled from the user's roles. All permissions are stored in a single location for convenience."
   s.homepage = "http://github.com/ryanb/cancan"
   
-  s.version = "0.2.0"
+  s.version = "1.0.0"
-  s.date = "2009-11-17"
+  s.date = "2009-12-13"
   
   s.authors = ["Ryan Bates"]
   s.email = "ryan@railscasts.com"

lib/cancan.rb

@@ -1,6 +1,10 @@
 module CanCan
+  # This error is raised when a user isn't allowed to access a given
+  # controller action. See ControllerAdditions#unauthorized! for details.
   class AccessDenied < StandardError; end
 end
 
 require File.dirname(__FILE__) + '/cancan/ability'
+require File.dirname(__FILE__) + '/cancan/controller_resource'
+require File.dirname(__FILE__) + '/cancan/resource_authorization'
 require File.dirname(__FILE__) + '/cancan/controller_additions'

lib/cancan/ability.rb

@@ -1,49 +1,168 @@
 module CanCan
+  
+  # This module is designed to be included into an Ability class. This will
+  # provide the "can" methods for defining and checking abilities.
+  # 
+  #   class Ability
+  #     include CanCan::Ability
+  #
+  #     def initialize(user)
+  #       if user.admin?
+  #         can :manage, :all
+  #       else
+  #         can :read, :all
+  #       end
+  #     end
+  #   end
+  # 
   module Ability
     attr_accessor :user
 
-    def can?(original_action, target) # TODO this could use some refactoring
+    # Use to check the user's permission for a given action and object.
-      (@can_history || []).reverse.each do |can_action, can_target, can_block|
+    # 
-        can_actions = [can_action].flatten
+    #   can? :destroy, @project
-        can_targets = [can_target].flatten
+    # 
-        possible_actions_for(original_action).each do |action|
+    # You can also pass the class instead of an instance (if you don't have one handy).
-          if (can_actions.include?(:manage) || can_actions.include?(action)) && (can_targets.include?(:all) || can_targets.include?(target) || can_targets.any? { |c| target.kind_of?(c) })
+    # 
-            if can_block.nil?
+    #   can? :create, Project
-              return true
+    # 
-            else
+    # Not only can you use the can? method in the controller and view (see ControllerAdditions), 
-              block_args = []
+    # but you can also call it directly on an ability instance.
-              block_args << action if can_actions.include?(:manage)
+    # 
-              block_args << (target.class == Class ? target : target.class) if can_targets.include?(:all)
+    #   ability.can? :destroy, @project
-              block_args << (target.class == Class ? nil : target)
+    # 
-              return can_block.call(*block_args)
+    # This makes testing a user's abilities very easy.
-            end
+    # 
-          end
+    #   def test "user can only destroy projects which he owns"
+    #     user = User.new
+    #     ability = Ability.new(user)
+    #     assert ability.can?(:destroy, Project.new(:user => user))
+    #     assert ability.cannot?(:destroy, Project.new)
+    #   end
+    # 
+    def can?(action, noun)
+      (@can_definitions || []).reverse.each do |base_behavior, defined_action, defined_noun, defined_block|
+        defined_actions = expand_actions(defined_action)
+        defined_nouns = [defined_noun].flatten
+        if includes_action?(defined_actions, action) && includes_noun?(defined_nouns, noun)
+          result = can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
+          return base_behavior ? result : !result
         end
       end
       false
     end
     
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    # 
+    #   cannot? :destroy, @project
+    # 
     def cannot?(*args)
       !can?(*args)
     end
     
-    def possible_actions_for(initial_action)
+    # Defines which abilities are allowed using two arguments. The first one is the action
-      actions = [initial_action]
+    # you're setting the permission for, the second one is the class of object you're setting it on.
-      (@aliased_actions || default_alias_actions).each do |target, aliases|
+    # 
-        actions += possible_actions_for(target) if aliases.include? initial_action
+    #   can :update, Article
-      end
+    # 
-      actions
+    # You can pass an array for either of these parameters to match any one.
+    #
+    #   can [:update, :destroy], [Article, Comment]
+    #
+    # In this case the user has the ability to update or destroy both articles and comments.
+    #
+    # You can pass a block to provide logic based on the article's attributes.
+    #
+    #   can :update, Article do |article|
+    #     article && article.user == user
+    #   end
+    # 
+    # If the block returns true then the user has that :update ability for that article, otherwise he
+    # will be denied access. It's possible for the passed in model to be nil if one isn't specified,
+    # so be sure to take that into consideration.
+    # 
+    # You can pass :all to reference every type of object. In this case the object type will be passed
+    # into the block as well (just in case object is nil).
+    # 
+    #   can :read, :all do |object_class, object|
+    #     object_class != Order
+    #   end
+    # 
+    # Here the user has permission to read all objects except orders.
+    # 
+    # You can also pass :manage as the action which will match any action. In this case the action is 
+    # passed to the block.
+    # 
+    #   can :manage, Comment do |action, comment|
+    #     action != :destroy
+    #   end
+    # 
+    # You can pass custom objects into this "can" method, this is usually done through a symbol
+    # and is useful if a class isn't available to define permissions on.
+    # 
+    #   can :read, :stats
+    #   can? :read, :stats # => true
+    # 
+    def can(action, noun, &block)
+      @can_definitions ||= []
+      @can_definitions << [true, action, noun, block]
     end
     
-    def can(action, target, &block)
+    # Define an ability which cannot be done. Accepts the same arguments as "can".
-      @can_history ||= []
+    # 
-      @can_history << [action, target, block]
+    #   can :read, :all
+    #   cannot :read, Comment
+    # 
+    # A block can be passed just like "can", however if the logic is complex it is recommended
+    # to use the "can" method.
+    # 
+    #   cannot :read, Product do |product|
+    #     product.invisible?
+    #   end
+    # 
+    def cannot(action, noun, &block)
+      @can_definitions ||= []
+      @can_definitions << [false, action, noun, block]
     end
     
+    # Alias one or more actions into another one.
+    # 
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :modify, Comment
+    # 
+    # Then :modify permission will apply to both :update and :destroy requests.
+    # 
+    #   can? :update, Comment # => true
+    #   can? :destroy, Comment # => true
+    # 
+    # This only works in one direction. Passing the aliased action into the "can?" call
+    # will not work because aliases are meant to generate more generic actions.
+    # 
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :update, Comment
+    #   can? :modify, Comment # => false
+    # 
+    # Unless that exact alias is used.
+    # 
+    #   can :modify, Comment
+    #   can? :modify, Comment # => true
+    # 
+    # The following aliases are added by default for conveniently mapping common controller actions.
+    # 
+    #   alias_action :index, :show, :to => :read
+    #   alias_action :new, :to => :create
+    #   alias_action :edit, :to => :update
+    # 
+    # This way one can use params[:action] in the controller to determine the permission.
     def alias_action(*args)
-      @aliased_actions ||= default_alias_actions
       target = args.pop[:to]
-      @aliased_actions[target] = args
+      aliased_actions[target] = args
+    end
+    
+    private
+    
+    def aliased_actions
+      @aliased_actions ||= default_alias_actions
     end
     
     def default_alias_actions
@@ -53,5 +172,35 @@ module CanCan
         :update => [:edit],
       }
     end
+    
+    def expand_actions(actions)
+      [actions].flatten.map do |action|
+        if aliased_actions[action]
+          [action, *aliased_actions[action]]
+        else
+          action
+        end
+      end.flatten
+    end
+    
+    def can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
+      if defined_block.nil?
+        true
+      else
+        block_args = []
+        block_args << action if defined_actions.include?(:manage)
+        block_args << (noun.class == Class ? noun : noun.class) if defined_nouns.include?(:all)
+        block_args << (noun.class == Class ? nil : noun)
+        return defined_block.call(*block_args)
+      end
+    end
+    
+    def includes_action?(actions, action)
+      actions.include?(:manage) || actions.include?(action)
+    end
+    
+    def includes_noun?(nouns, noun)
+      nouns.include?(:all) || nouns.include?(noun) || nouns.any? { |c| c.kind_of?(Class) && noun.kind_of?(c) }
+    end
   end
 end

lib/cancan/controller_additions.rb

@@ -1,45 +1,177 @@
 module CanCan
+  
+  # This module is automatically included into all controllers.
+  # It also makes the "can?" and "cannot?" methods available to all views.
   module ControllerAdditions
+    module ClassMethods
+      # Sets up a before filter which loads and authorizes the current resource. This performs both
+      # load_resource and authorize_resource and accepts the same arguments. See those methods for details.
+      # 
+      #   class BooksController < ApplicationController
+      #     load_and_authorize_resource
+      #   end
+      # 
+      def load_and_authorize_resource(options = {})
+        before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_and_authorize_resource }
+      end
+      
+      # Sets up a before filter which loads the appropriate model resource into an instance variable.
+      # For example, given an ArticlesController it will load the current article into the @article
+      # instance variable. It does this by either calling Article.find(params[:id]) or
+      # Article.new(params[:article]) depending upon the action. It does nothing for the "index"
+      # action.
+      # 
+      # Call this method directly on the controller class.
+      # 
+      #   class BooksController < ApplicationController
+      #     load_resource
+      #   end
+      # 
+      # A resource is not loaded if the instance variable is already set. This makes it easy to override
+      # the behavior through a before_filter on certain actions.
+      # 
+      #   class BooksController < ApplicationController
+      #     before_filter :find_book_by_permalink, :only => :show
+      #     load_resource
+      #
+      #     private
+      #
+      #     def find_book_by_permalink
+      #       @book = Book.find_by_permalink!(params[:id)
+      #     end
+      #   end
+      # 
+      # See load_and_authorize_resource to automatically authorize the resource too.
+      # 
+      # Options:
+      # [:+only+]
+      #   Only applies before filter to given actions.
+      #   
+      # [:+except+]
+      #   Does not apply before filter to given actions.
+      #   
+      # [:+nested+]
+      #   Specify which resource this is nested under.
+      #   
+      #     load_resource :nested => :author
+      #   
+      #   Deep nesting can be defined in an array.
+      #   
+      #     load_resource :nested => [:publisher, :author]
+      #   
+      # [:+collection+]
+      #   Specify which actions are resource collection actions in addition to :+index+. This
+      #   is usually not necessary because it will try to guess depending on if an :+id+
+      #   is present in +params+.
+      #   
+      #     load_resource :collection => [:sort, :list]
+      #   
+      # [:+new+]
+      #   Specify which actions are new resource actions in addition to :+new+ and :+create+.
+      #   Pass an action name into here if you would like to build a new resource instead of
+      #   fetch one.
+      #   
+      #     load_resource :new => :build
+      #   
+      def load_resource(options = {})
+        before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_resource }
+      end
+      
+      # Sets up a before filter which authorizes the current resource using the instance variable.
+      # For example, if you have an ArticlesController it will check the @article instance variable
+      # and ensure the user can perform the current action on it. Under the hood it is doing
+      # something like the following.
+      # 
+      #   unauthorized! if cannot?(params[:action].to_sym, @article || Article)
+      # 
+      # Call this method directly on the controller class.
+      # 
+      #   class BooksController < ApplicationController
+      #     authorize_resource
+      #   end
+      # 
+      # See load_and_authorize_resource to automatically load the resource too.
+      # 
+      # Options:
+      # [:+only+]
+      #   Only applies before filter to given actions.
+      #   
+      # [:+except+]
+      #   Does not apply before filter to given actions.
+      # 
+      def authorize_resource(options = {})
+        before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).authorize_resource }
+      end
+    end
+    
     def self.included(base)
+      base.extend ClassMethods
       base.helper_method :can?, :cannot?
     end
     
+    # Raises the CanCan::AccessDenied exception. This is often used in a
+    # controller action to mark a request as unauthorized.
+    # 
+    #   def show
+    #     @article = Article.find(params[:id])
+    #     unauthorized! if cannot? :read, @article
+    #   end
+    # 
+    # You can rescue from the exception in the controller to specify
+    # the user experience.
+    # 
+    #   class ApplicationController < ActionController::Base
+    #     rescue_from CanCan::AccessDenied, :with => :access_denied
+    #   
+    #     protected
+    #   
+    #     def access_denied
+    #       flash[:error] = "Sorry, you are not allowed to access that page."
+    #       redirect_to root_url
+    #     end
+    #   end
+    # 
+    # See the load_and_authorize_resource method to automatically add
+    # the "unauthorized!" behavior to a RESTful controller's actions.
     def unauthorized!
       raise AccessDenied, "You are unable to access this page."
     end
     
+    # Creates and returns the current user's ability. You generally do not invoke
+    # this method directly, instead you can override this method to change its
+    # behavior if the Ability class or current_user method are different.
+    # 
+    #   def current_ability
+    #     UserAbility.new(current_account) # instead of Ability.new(current_user)
+    #   end
+    # 
     def current_ability
       ::Ability.new(current_user)
     end
     
+    # Use in the controller or view to check the user's permission for a given action
+    # and object.
+    # 
+    #   can? :destroy, @project
+    # 
+    # You can also pass the class instead of an instance (if you don't have one handy).
+    # 
+    #   <% if can? :create, Project %>
+    #     <%= link_to "New Project", new_project_path %>
+    #   <% end %>
+    # 
+    # This simply calls "can?" on the current_ability. See Ability#can?.
     def can?(*args)
       (@current_ability ||= current_ability).can?(*args)
     end
     
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    # 
+    #   cannot? :destroy, @project
+    # 
     def cannot?(*args)
       (@current_ability ||= current_ability).cannot?(*args)
     end
-    
-    def load_resource # TODO this could use some refactoring
-      model_name = params[:controller].split('/').last.singularize
-      unless params[:action] == "index"
-        if params[:id]
-          instance_variable_set("@#{model_name}", model_name.camelcase.constantize.find(params[:id]))
-        else
-          instance_variable_set("@#{model_name}", model_name.camelcase.constantize.new(params[model_name.to_sym]))
-        end
-      end
-    end
-    
-    def authorize_resource # TODO this could use some refactoring
-      model_name = params[:controller].split('/').last.singularize
-      unauthorized! unless can?(params[:action].to_sym, instance_variable_get("@#{model_name}") || model_name.camelcase.constantize)
-    end
-    
-    def load_and_authorize_resource
-      load_resource
-      authorize_resource
-    end
   end
 end
 

lib/cancan/controller_resource.rb

@@ -0,0 +1,39 @@
+module CanCan
+  class ControllerResource # :nodoc:
+    def initialize(controller, name, parent = nil)
+      @controller = controller
+      @name = name
+      @parent = parent
+    end
+    
+    def model_class
+      @name.to_s.camelize.constantize
+    end
+    
+    def find(id)
+      self.model_instance ||= base.find(id)
+    end
+    
+    def build(attributes)
+      if base.kind_of? Class
+        self.model_instance ||= base.new(attributes)
+      else
+        self.model_instance ||= base.build(attributes)
+      end
+    end
+    
+    def model_instance
+      @controller.instance_variable_get("@#{@name}")
+    end
+    
+    def model_instance=(instance)
+      @controller.instance_variable_set("@#{@name}", instance)
+    end
+    
+    private
+    
+    def base
+      @parent ? @parent.model_instance.send(@name.to_s.pluralize) : model_class
+    end
+  end
+end

lib/cancan/resource_authorization.rb

@@ -0,0 +1,57 @@
+module CanCan
+  class ResourceAuthorization # :nodoc:
+    attr_reader :params
+    
+    def initialize(controller, params, options = {})
+      @controller = controller
+      @params = params
+      @options = options
+    end
+    
+    def load_and_authorize_resource
+      load_resource
+      authorize_resource
+    end
+    
+    def load_resource
+      unless collection_actions.include? params[:action].to_sym
+        if new_actions.include? params[:action].to_sym
+          resource.build(params[model_name.to_sym])
+        elsif params[:id]
+          resource.find(params[:id])
+        end
+      end
+    end
+    
+    def authorize_resource
+      @controller.unauthorized! if @controller.cannot?(params[:action].to_sym, resource.model_instance || resource.model_class)
+    end
+    
+    private
+    
+    def resource
+      @resource ||= ControllerResource.new(@controller, model_name, parent_resource)
+    end
+    
+    def parent_resource
+      parent = nil
+      [@options[:nested]].flatten.compact.each do |name|
+        parent = ControllerResource.new(@controller, name, parent)
+        parent.find(@params["#{name}_id".to_sym])
+      end
+      parent
+    end
+    
+    def model_name
+      params[:controller].split('/').last.singularize
+    end
+    
+    def collection_actions
+      [:index] + [@options[:collection]].flatten
+    end
+    
+    def new_actions
+      [:new, :create] + [@options[:new]].flatten
+    end
+  end
+end

spec/cancan/ability_spec.rb

@@ -99,4 +99,28 @@ describe CanCan::Ability do
     @ability.can?(:update, []).should be_true
     @ability.can?(:update, 123).should be_false
   end
+  
+  it "should support custom objects in the can definition" do
+    @ability.can :read, :stats
+    @ability.can?(:read, :stats).should be_true
+    @ability.can?(:update, :stats).should be_false
+    @ability.can?(:read, :nonstats).should be_false
+  end
+  
+  it "should support 'cannot' method to define what user cannot do" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer
+    @ability.can?(:read, "foo").should be_true
+    @ability.can?(:read, 123).should be_false
+  end
+  
+  it "should support block on 'cannot' method" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer do |int|
+      int > 5
+    end
+    @ability.can?(:read, "foo").should be_true
+    @ability.can?(:read, 3).should be_true
+    @ability.can?(:read, 123).should be_false
+  end
 end

spec/cancan/controller_additions_spec.rb

@@ -1,16 +1,10 @@
 require File.dirname(__FILE__) + '/../spec_helper'
 
-class Ability
-  include CanCan::Ability
-  
-  def initialize(user)
-  end
-end
-
 describe CanCan::ControllerAdditions do
   before(:each) do
     @controller_class = Class.new
     @controller = @controller_class.new
+    stub(@controller).params { {} }
     mock(@controller_class).helper_method(:can?, :cannot?)
     @controller_class.send(:include, CanCan::ControllerAdditions)
   end
@@ -33,60 +27,21 @@ describe CanCan::ControllerAdditions do
     @controller.cannot?(:foo, :bar).should be_true
   end
   
-  it "should load the resource if params[:id] is specified" do
+  it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
-    stub(@controller).params { {:controller => "abilities", :action => "show", :id => 123} }
+    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource
-    stub(Ability).find(123) { :some_resource }
+    mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
-    @controller.load_resource
+    @controller_class.load_and_authorize_resource :foo => :bar
-    @controller.instance_variable_get(:@ability).should == :some_resource
   end
   
-  it "should build a new resource with hash if params[:id] is not specified" do
+  it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
-    stub(@controller).params { {:controller => "abilities", :action => "create", :ability => {:foo => "bar"}} }
+    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource
-    stub(Ability).new(:foo => "bar") { :some_resource }
+    mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) }
-    @controller.load_resource
+    @controller_class.authorize_resource :foo => :bar, :except => :show
-    @controller.instance_variable_get(:@ability).should == :some_resource
   end
   
-  it "should build a new resource even if attribute hash isn't specified" do
+  it "load_resource should setup a before filter which passes call to ResourceAuthorization" do
-    stub(@controller).params { {:controller => "abilities", :action => "new"} }
+    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource
-    stub(Ability).new(nil) { :some_resource }
+    mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) }
-    @controller.load_resource
+    @controller_class.load_resource :foo => :bar, :only => [:show, :index]
-    @controller.instance_variable_get(:@ability).should == :some_resource
-  end
-  
-  it "should not build a resource when on index action" do
-    stub(@controller).params { {:controller => "abilities", :action => "index"} }
-    @controller.load_resource
-    @controller.instance_variable_get(:@ability).should be_nil
-  end
-  
-  it "should perform authorization using controller action and loaded model" do
-    @controller.instance_variable_set(:@ability, :some_resource)
-    stub(@controller).params { {:controller => "abilities", :action => "show"} }
-    stub(@controller).can?(:show, :some_resource) { false }
-    lambda {
-      @controller.authorize_resource
-    }.should raise_error(CanCan::AccessDenied)
-  end
-  
-  it "should perform authorization using controller action and non loaded model" do
-    stub(@controller).params { {:controller => "abilities", :action => "show"} }
-    stub(@controller).can?(:show, Ability) { false }
-    lambda {
-      @controller.authorize_resource
-    }.should raise_error(CanCan::AccessDenied)
-  end
-  
-  it "should load and authorize resource in one call" do
-    mock(@controller).load_resource
-    stub(@controller).authorize_resource
-    @controller.load_and_authorize_resource
-  end
-  
-  it "should properly load resource for namespaced controller" do
-    stub(@controller).params { {:controller => "admin/abilities", :action => "show", :id => 123} }
-    stub(Ability).find(123) { :some_resource }
-    @controller.load_resource
-    @controller.instance_variable_get(:@ability).should == :some_resource
   end
 end

spec/cancan/controller_resource_spec.rb

@@ -0,0 +1,43 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+describe CanCan::ControllerResource do
+  before(:each) do
+    @controller = Object.new
+  end
+  
+  it "should determine model class by constantizing give name" do
+    CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability
+  end
+  
+  it "should fetch model through model class and assign it to the instance" do
+    stub(Ability).find(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should fetch model through parent and assign it to the instance" do
+    parent = Object.new
+    stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability, parent).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should build model through model class and assign it to the instance" do
+    stub(Ability).new(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability).build(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should build model through parent and assign it to the instance" do
+    parent = Object.new
+    stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability, parent).build(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should not load resource if instance variable is already provided" do
+    @controller.instance_variable_set(:@ability, :some_ability)
+    CanCan::ControllerResource.new(@controller, :ability).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+end

spec/cancan/resource_authorization_spec.rb

@@ -0,0 +1,99 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+describe CanCan::ResourceAuthorization do
+  before(:each) do
+    @controller = Object.new # simple stub for now
+    stub(@controller).unauthorized! { raise CanCan::AccessDenied }
+  end
+  
+  it "should load the resource into an instance variable if params[:id] is specified" do
+    stub(Ability).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should properly load resource for namespaced controller" do
+    stub(Ability).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should build a new resource with hash if params[:id] is not specified" do
+    stub(Ability).new(:foo => "bar") { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should build a new resource even if attribute hash isn't specified" do
+    stub(Ability).new(nil) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should not build a resource when on index action" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  
+  it "should perform authorization using controller action and loaded model" do
+    @controller.instance_variable_set(:@ability, :some_resource)
+    stub(@controller).cannot?(:show, :some_resource) { true }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    lambda {
+      authorization.authorize_resource
+    }.should raise_error(CanCan::AccessDenied)
+  end
+  
+  it "should perform authorization using controller action and non loaded model" do
+    stub(@controller).cannot?(:show, Ability) { true }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    lambda {
+      authorization.authorize_resource
+    }.should raise_error(CanCan::AccessDenied)
+  end
+  
+  it "should call load_resource and authorize_resource for load_and_authorize_resource" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    mock(authorization).load_resource
+    mock(authorization).authorize_resource
+    authorization.load_and_authorize_resource
+  end
+  
+  it "should not build a resource when on custom collection action" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "sort"}, {:collection => [:sort, :list]})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  
+  it "should build a resource when on custom new action even when params[:id] exists" do
+    stub(Ability).new(nil) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "build", :id => 123}, {:new => :build})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should not try to load resource for other action if params[:id] is undefined" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "list")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  
+  it "should load nested resource and fetch other resource through the association" do
+    stub(Person).find(456).stub!.abilities.stub!.find(123) { :some_ability }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123, :person_id => 456}, {:nested => :person})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should load nested resource and build resource through a deep association" do
+    stub(Person).find(456).stub!.behaviors.stub!.find(789).stub!.abilities.stub!.build(nil) { :some_ability }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456, :behavior_id => 789}, {:nested => [:person, :behavior]})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+end

spec/spec_helper.rb

@@ -9,3 +9,14 @@ require File.dirname(__FILE__) + '/../lib/cancan.rb'
 Spec::Runner.configure do |config|
   config.mock_with :rr
 end
+
+class Ability
+  include CanCan::Ability
+  
+  def initialize(user)
+  end
+end
+
+# this class helps out in testing nesting
+class Person
+end