releasing v1.0.2

CHANGELOG.rdoc

@@ -1,3 +1,43 @@
+1.0.2 (Dec 30, 2009)
+
+* Adding clear_aliased_actions to Ability which removes previously defined actions including defaults - see issue #20
+
+* Append aliased actions (don't overwrite them) - see issue #20
+
+* Adding custom message argument to unauthorized! method (thanks tjwallace) - see issue #18
+
+
+1.0.1 (Dec 14, 2009)
+
+* Adding :class option to load_resource so one can customize which class to use for the model - see issue #17
+
+* Don't fetch parent of nested resource if *_id parameter is missing so it works with shallow nested routes - see issue #14
+
+
+1.0.0 (Dec 13, 2009)
+
+* Don't set resource instance variable if it has been set already - see issue #13
+
+* Allowing :nested option to accept an array for deep nesting
+
+* Adding :nested option to load resource method - see issue #10
+
+* Pass :only and :except options to before filters for load/authorize resource methods.
+
+* Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed.
+
+* BACKWARDS INCOMPATIBLE: turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments.
+
+
+0.2.1 (Nov 26, 2009)
+
+* many internal refactorings - see issues #11 and #12
+
+* adding "cannot" method to define which abilities cannot be done - see issue #7
+
+* support custom objects (usually symbols) in can definition - see issue #8
+
+
 0.2.0 (Nov 17, 2009)
 
 * fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3

README.rdoc

@@ -1,15 +1,16 @@
 = CanCan
 
+RDocs[http://rdoc.info/projects/ryanb/cancan] | Wiki[http://wiki.github.com/ryanb/cancan] | Screencast[http://railscasts.com/episodes/192-authorization-with-cancan] | Metrics[http://getcaliper.com/caliper/project?repo=git%3A%2F%2Fgithub.com%2Fryanb%2Fcancan.git] | Tests[http://runcoderun.com/ryanb/cancan]
+
 This is a simple authorization solution for Ruby on Rails to restrict what a given user is allowed to access in the application. This is completely decoupled from any role based implementation allowing you to define user roles the way you want. All permissions are stored in a single location for convenience.
 
 This assumes you already have authentication (such as Authlogic[http://github.com/binarylogic/authlogic]) which provides a current_user model.
 
-
 == Installation
 
 You can set it up as a gem in your environment.rb file.
   
-  config.gem "cancan", :source => "http://gemcutter.org"
+  config.gem "cancan"
   
 And then install the gem.
 
@@ -20,7 +21,7 @@ Alternatively you can install it as a Rails plugin.
   script/plugin install git://github.com/ryanb/cancan.git
 
 
-== Setup
+== Getting Started
 
 First, define a class called Ability in "models/ability.rb".
 
@@ -51,10 +52,10 @@ You can also use these methods in a controller along with the "unauthorized!" me
     unauthorized! if cannot? :read, @article
   end
 
-Setting this for every action can be tedious, therefore a before filter is also provided to automatically authorize all actions in a RESTful style resource controller.
+Setting this for every action can be tedious, therefore the load_and_authorize_resource method is also provided to automatically authorize all actions in a RESTful style resource controller. It will set up a before filter which loads the resource into the instance variable and authorizes it.
 
   class ArticlesController < ApplicationController
-    before_filter :load_and_authorize_resource
+    load_and_authorize_resource
     
     def show
       # @article is already loaded
@@ -64,12 +65,8 @@ Setting this for every action can be tedious, therefore a before filter is also
 If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior in the ApplicationController.
 
   class ApplicationController < ActionController::Base
-    rescue_from CanCan::AccessDenied, :with => :access_denied
+    rescue_from CanCan::AccessDenied do |exception|
-  
+      flash[:error] = exception.message
-    protected
-  
-    def access_denied
-      flash[:error] = "Sorry, you are not allowed to access that page."
       redirect_to root_url
     end
   end
@@ -111,16 +108,10 @@ You can also pass :manage as the action which will match any action. In this cas
     action != :destroy
   end
   
-Finally, you can use the "alias_action" method to alias one or more actions into one.
+Finally, the "cannot" method works similar to "can" but defines which abilities cannot be done.
 
-  alias_action :update, :destroy, :to => :modify
+  can :read, :all
-  can :modify, Comment
+  cannot :read, Product
-
-The following aliases are added by default for conveniently mapping common controller actions.
-
-  alias_action :index, :show, :to => :read
-  alias_action :new, :to => :create
-  alias_action :edit, :to => :update
 
 
 == Checking Abilities
@@ -140,21 +131,43 @@ The "cannot?" method is for convenience and performs the opposite check of "can?
   cannot? :destroy, @project
 
 
-== Custom Actions
+== Aliasing Actions
 
-You can have fine grained control over abilities by coming up with new actions. For example, if only pro users are allowed to upload a picture for their product, you could add the following restrictions.
+You can use the "alias_action" method to alias one or more actions into one.
 
-  # ability.rb
+  alias_action :update, :destroy, :to => :modify
-  can :upload_picture, Project if user.pro?
+  can :modify, Comment
+  can? :update, Comment # => true
 
-  # projects/_form.html.erb
+The following aliases are added by default for conveniently mapping common controller actions.
-  <%= f.file_field :picture if can? :upload_picture, @project %>
 
-  # projects_controller.rb
+  alias_action :index, :show, :to => :read
-  def update
+  alias_action :new, :to => :create
-    unauthorized! if params[:project][:upload_picture] && cannot?(:upload_picture, @project)
+  alias_action :edit, :to => :update
-    # ...
+
+
+== Authorizing Controller Actions
+
+As mentioned in the Getting Started section, you can use the +load_and_authorize_resource+ method in your controller to load the resource into an instance variable and authorize it. If you have a nested resource you can specify that as well.
+
+  load_and_authorize_resource :nested => :author
+
+You can also pass an array to the :+nested+ attribute for deep nesting.
+
+If you want to customize the loading behavior on certain actions, you can do so in a before filter.
+
+  class BooksController < ApplicationController
+    before_filter :find_book_by_permalink, :only => :show
+    load_and_authorize_resource
+  
+    private
+  
+    def find_book_by_permalink
+      @book = Book.find_by_permalink!(params[:id)
     end
+  end
+
+Here the @book instance variable is already set so it will not be loaded again for that action. This works for nested resources as well.
 
 
 == Assumptions & Configuring
@@ -173,48 +186,16 @@ You can override these by overriding the "current_ability" method in your Applic
 That's it!
 
 
-== Permissions in Database
-
-Perhaps a non-coder needs the ability to modify the user abilities, or you want to change them without having to re-deploy the application. In that case it may be best to store the permission logic in a separate model, let's call it Permission. It is easy to use the database records when defining abilities.
-
-For example, let's assume that each user has_many :permissions, and each permission has "action", "object_type" and "object_id" columns. The last of which is optional.
-
-  class Ability
-    include CanCan::Ability
-  
-    def initialize(user)
-      can :manage, :all do |action, object_class, object|
-        user.permissions.find_all_by_action(action).any? do |permission|
-          permission.object_type == object_class.to_s &&
-            (object.nil? || permission.object_id.nil? || permission.object_id == object.id)
-        end
-      end
-    end
-  end
-
-An alternatie approach is to define a separate "can" ability for each permission.
-
-  def initialize(user)
-		user.permissions.each do |permission|
-		  can permission.action, permission.object_type.constantize do |object|
-		    object.nil? || permission.object_id.nil? || permission.object_id == object.id
-		  end
-		end
-	end
-
-The actual details will depend largely on your application requirements, but hopefully you can see how it's possible to define permissions in the database and use them with CanCan.
-
-
 == Testing Abilities
 
 It is very easy to test the Ability model since you can call "can?" directly on it as you would in the view or controller.
 
-def test "user can only destroy projects which he owns"
+  def test "user can only destroy projects which he owns"
     user = User.new
     ability = Ability.new(user)
     assert ability.can?(:destroy, Project.new(:user => user))
     assert ability.cannot?(:destroy, Project.new)
-end
+  end
 
 
 == Special Thanks

Rakefile

@@ -9,3 +9,5 @@ Spec::Rake::SpecTask.new do |t|
   t.spec_files = spec_files
   t.spec_opts = ["-c"]
 end
+
+task :default => :spec

cancan.gemspec

@@ -4,8 +4,8 @@ Gem::Specification.new do |s|
   s.description = "Simple authorization solution for Rails which is completely decoupled from the user's roles. All permissions are stored in a single location for convenience."
   s.homepage = "http://github.com/ryanb/cancan"
   
-  s.version = "0.2.0"
+  s.version = "1.0.2"
-  s.date = "2009-11-17"
+  s.date = "2009-12-30"
   
   s.authors = ["Ryan Bates"]
   s.email = "ryan@railscasts.com"

lib/cancan.rb

@@ -1,6 +1,10 @@
 module CanCan
+  # This error is raised when a user isn't allowed to access a given
+  # controller action. See ControllerAdditions#unauthorized! for details.
   class AccessDenied < StandardError; end
 end
 
 require File.dirname(__FILE__) + '/cancan/ability'
+require File.dirname(__FILE__) + '/cancan/controller_resource'
+require File.dirname(__FILE__) + '/cancan/resource_authorization'
 require File.dirname(__FILE__) + '/cancan/controller_additions'

lib/cancan/ability.rb

@@ -1,51 +1,177 @@
 module CanCan
+  
+  # This module is designed to be included into an Ability class. This will
+  # provide the "can" methods for defining and checking abilities.
+  # 
+  #   class Ability
+  #     include CanCan::Ability
+  #
+  #     def initialize(user)
+  #       if user.admin?
+  #         can :manage, :all
+  #       else
+  #         can :read, :all
+  #       end
+  #     end
+  #   end
+  # 
   module Ability
     attr_accessor :user
 
-    def can?(original_action, target) # TODO this could use some refactoring
+    # Use to check the user's permission for a given action and object.
-      (@can_history || []).reverse.each do |can_action, can_target, can_block|
+    # 
-        can_actions = [can_action].flatten
+    #   can? :destroy, @project
-        can_targets = [can_target].flatten
+    # 
-        possible_actions_for(original_action).each do |action|
+    # You can also pass the class instead of an instance (if you don't have one handy).
-          if (can_actions.include?(:manage) || can_actions.include?(action)) && (can_targets.include?(:all) || can_targets.include?(target) || can_targets.any? { |c| target.kind_of?(c) })
+    # 
-            if can_block.nil?
+    #   can? :create, Project
-              return true
+    # 
-            else
+    # Not only can you use the can? method in the controller and view (see ControllerAdditions), 
-              block_args = []
+    # but you can also call it directly on an ability instance.
-              block_args << action if can_actions.include?(:manage)
+    # 
-              block_args << (target.class == Class ? target : target.class) if can_targets.include?(:all)
+    #   ability.can? :destroy, @project
-              block_args << (target.class == Class ? nil : target)
+    # 
-              return can_block.call(*block_args)
+    # This makes testing a user's abilities very easy.
-            end
+    # 
-          end
+    #   def test "user can only destroy projects which he owns"
+    #     user = User.new
+    #     ability = Ability.new(user)
+    #     assert ability.can?(:destroy, Project.new(:user => user))
+    #     assert ability.cannot?(:destroy, Project.new)
+    #   end
+    # 
+    def can?(action, noun)
+      (@can_definitions || []).reverse.each do |base_behavior, defined_action, defined_noun, defined_block|
+        defined_actions = expand_actions(defined_action)
+        defined_nouns = [defined_noun].flatten
+        if includes_action?(defined_actions, action) && includes_noun?(defined_nouns, noun)
+          result = can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
+          return base_behavior ? result : !result
         end
       end
       false
     end
     
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    # 
+    #   cannot? :destroy, @project
+    # 
     def cannot?(*args)
       !can?(*args)
     end
     
-    def possible_actions_for(initial_action)
+    # Defines which abilities are allowed using two arguments. The first one is the action
-      actions = [initial_action]
+    # you're setting the permission for, the second one is the class of object you're setting it on.
-      (@aliased_actions || default_alias_actions).each do |target, aliases|
+    # 
-        actions += possible_actions_for(target) if aliases.include? initial_action
+    #   can :update, Article
-      end
+    # 
-      actions
+    # You can pass an array for either of these parameters to match any one.
+    #
+    #   can [:update, :destroy], [Article, Comment]
+    #
+    # In this case the user has the ability to update or destroy both articles and comments.
+    #
+    # You can pass a block to provide logic based on the article's attributes.
+    #
+    #   can :update, Article do |article|
+    #     article && article.user == user
+    #   end
+    # 
+    # If the block returns true then the user has that :update ability for that article, otherwise he
+    # will be denied access. It's possible for the passed in model to be nil if one isn't specified,
+    # so be sure to take that into consideration.
+    # 
+    # You can pass :all to reference every type of object. In this case the object type will be passed
+    # into the block as well (just in case object is nil).
+    # 
+    #   can :read, :all do |object_class, object|
+    #     object_class != Order
+    #   end
+    # 
+    # Here the user has permission to read all objects except orders.
+    # 
+    # You can also pass :manage as the action which will match any action. In this case the action is 
+    # passed to the block.
+    # 
+    #   can :manage, Comment do |action, comment|
+    #     action != :destroy
+    #   end
+    # 
+    # You can pass custom objects into this "can" method, this is usually done through a symbol
+    # and is useful if a class isn't available to define permissions on.
+    # 
+    #   can :read, :stats
+    #   can? :read, :stats # => true
+    # 
+    def can(action, noun, &block)
+      @can_definitions ||= []
+      @can_definitions << [true, action, noun, block]
     end
     
-    def can(action, target, &block)
+    # Define an ability which cannot be done. Accepts the same arguments as "can".
-      @can_history ||= []
+    # 
-      @can_history << [action, target, block]
+    #   can :read, :all
+    #   cannot :read, Comment
+    # 
+    # A block can be passed just like "can", however if the logic is complex it is recommended
+    # to use the "can" method.
+    # 
+    #   cannot :read, Product do |product|
+    #     product.invisible?
+    #   end
+    # 
+    def cannot(action, noun, &block)
+      @can_definitions ||= []
+      @can_definitions << [false, action, noun, block]
     end
     
+    # Alias one or more actions into another one.
+    # 
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :modify, Comment
+    # 
+    # Then :modify permission will apply to both :update and :destroy requests.
+    # 
+    #   can? :update, Comment # => true
+    #   can? :destroy, Comment # => true
+    # 
+    # This only works in one direction. Passing the aliased action into the "can?" call
+    # will not work because aliases are meant to generate more generic actions.
+    # 
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :update, Comment
+    #   can? :modify, Comment # => false
+    # 
+    # Unless that exact alias is used.
+    # 
+    #   can :modify, Comment
+    #   can? :modify, Comment # => true
+    # 
+    # The following aliases are added by default for conveniently mapping common controller actions.
+    # 
+    #   alias_action :index, :show, :to => :read
+    #   alias_action :new, :to => :create
+    #   alias_action :edit, :to => :update
+    # 
+    # This way one can use params[:action] in the controller to determine the permission.
     def alias_action(*args)
-      @aliased_actions ||= default_alias_actions
       target = args.pop[:to]
-      @aliased_actions[target] = args
+      aliased_actions[target] ||= []
+      aliased_actions[target] += args
     end
     
+    # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
+    def aliased_actions
+      @aliased_actions ||= default_alias_actions
+    end
+    
+    # Removes previously aliased actions including the defaults.
+    def clear_aliased_actions
+      @aliased_actions = {}
+    end
+    
+    private
+    
     def default_alias_actions
       {
         :read => [:index, :show],
@@ -53,5 +179,35 @@ module CanCan
         :update => [:edit],
       }
     end
+    
+    def expand_actions(actions)
+      [actions].flatten.map do |action|
+        if aliased_actions[action]
+          [action, *aliased_actions[action]]
+        else
+          action
+        end
+      end.flatten
+    end
+    
+    def can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
+      if defined_block.nil?
+        true
+      else
+        block_args = []
+        block_args << action if defined_actions.include?(:manage)
+        block_args << (noun.class == Class ? noun : noun.class) if defined_nouns.include?(:all)
+        block_args << (noun.class == Class ? nil : noun)
+        return defined_block.call(*block_args)
+      end
+    end
+    
+    def includes_action?(actions, action)
+      actions.include?(:manage) || actions.include?(action)
+    end
+    
+    def includes_noun?(nouns, noun)
+      nouns.include?(:all) || nouns.include?(noun) || nouns.any? { |c| c.kind_of?(Class) && noun.kind_of?(c) }
+    end
   end
 end

lib/cancan/controller_additions.rb

@@ -1,45 +1,181 @@
 module CanCan
+  
+  # This module is automatically included into all controllers.
+  # It also makes the "can?" and "cannot?" methods available to all views.
   module ControllerAdditions
+    module ClassMethods
+      # Sets up a before filter which loads and authorizes the current resource. This performs both
+      # load_resource and authorize_resource and accepts the same arguments. See those methods for details.
+      # 
+      #   class BooksController < ApplicationController
+      #     load_and_authorize_resource
+      #   end
+      # 
+      def load_and_authorize_resource(options = {})
+        before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_and_authorize_resource }
+      end
+      
+      # Sets up a before filter which loads the appropriate model resource into an instance variable.
+      # For example, given an ArticlesController it will load the current article into the @article
+      # instance variable. It does this by either calling Article.find(params[:id]) or
+      # Article.new(params[:article]) depending upon the action. It does nothing for the "index"
+      # action.
+      # 
+      # Call this method directly on the controller class.
+      # 
+      #   class BooksController < ApplicationController
+      #     load_resource
+      #   end
+      # 
+      # A resource is not loaded if the instance variable is already set. This makes it easy to override
+      # the behavior through a before_filter on certain actions.
+      # 
+      #   class BooksController < ApplicationController
+      #     before_filter :find_book_by_permalink, :only => :show
+      #     load_resource
+      #
+      #     private
+      #
+      #     def find_book_by_permalink
+      #       @book = Book.find_by_permalink!(params[:id)
+      #     end
+      #   end
+      # 
+      # See load_and_authorize_resource to automatically authorize the resource too.
+      # 
+      # Options:
+      # [:+only+]
+      #   Only applies before filter to given actions.
+      #   
+      # [:+except+]
+      #   Does not apply before filter to given actions.
+      #   
+      # [:+nested+]
+      #   Specify which resource this is nested under.
+      #   
+      #     load_resource :nested => :author
+      #   
+      #   Deep nesting can be defined in an array.
+      #   
+      #     load_resource :nested => [:publisher, :author]
+      #   
+      # [:+class+]
+      #   The class to use for the model.
+      #   
+      # [:+collection+]
+      #   Specify which actions are resource collection actions in addition to :+index+. This
+      #   is usually not necessary because it will try to guess depending on if an :+id+
+      #   is present in +params+.
+      #   
+      #     load_resource :collection => [:sort, :list]
+      #   
+      # [:+new+]
+      #   Specify which actions are new resource actions in addition to :+new+ and :+create+.
+      #   Pass an action name into here if you would like to build a new resource instead of
+      #   fetch one.
+      #   
+      #     load_resource :new => :build
+      # 
+      def load_resource(options = {})
+        before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_resource }
+      end
+      
+      # Sets up a before filter which authorizes the current resource using the instance variable.
+      # For example, if you have an ArticlesController it will check the @article instance variable
+      # and ensure the user can perform the current action on it. Under the hood it is doing
+      # something like the following.
+      # 
+      #   unauthorized! if cannot?(params[:action].to_sym, @article || Article)
+      # 
+      # Call this method directly on the controller class.
+      # 
+      #   class BooksController < ApplicationController
+      #     authorize_resource
+      #   end
+      # 
+      # See load_and_authorize_resource to automatically load the resource too.
+      # 
+      # Options:
+      # [:+only+]
+      #   Only applies before filter to given actions.
+      #   
+      # [:+except+]
+      #   Does not apply before filter to given actions.
+      # 
+      # [:+class+]
+      #   The class to use for the model.
+      # 
+      def authorize_resource(options = {})
+        before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).authorize_resource }
+      end
+    end
+    
     def self.included(base)
+      base.extend ClassMethods
       base.helper_method :can?, :cannot?
     end
     
-    def unauthorized!
+    # Raises the CanCan::AccessDenied exception. This is often used in a
-      raise AccessDenied, "You are unable to access this page."
+    # controller action to mark a request as unauthorized.
+    # 
+    #   def show
+    #     @article = Article.find(params[:id])
+    #     unauthorized! if cannot? :read, @article
+    #   end
+    # 
+    # The unauthorized! method accepts an optional argument which sets the
+    # message of the exception.
+    # 
+    # You can rescue from the exception in the controller to define the behavior.
+    # 
+    #   class ApplicationController < ActionController::Base
+    #     rescue_from CanCan::AccessDenied do |exception|
+    #       flash[:error] = exception.message
+    #       redirect_to root_url
+    #     end
+    #   end
+    # 
+    # See the load_and_authorize_resource method to automatically add
+    # the "unauthorized!" behavior to a RESTful controller's actions.
+    def unauthorized!(message = "You are not authorized to access this page.")
+      raise AccessDenied, message
     end
     
+    # Creates and returns the current user's ability. You generally do not invoke
+    # this method directly, instead you can override this method to change its
+    # behavior if the Ability class or current_user method are different.
+    # 
+    #   def current_ability
+    #     UserAbility.new(current_account) # instead of Ability.new(current_user)
+    #   end
+    # 
     def current_ability
       ::Ability.new(current_user)
     end
     
+    # Use in the controller or view to check the user's permission for a given action
+    # and object.
+    # 
+    #   can? :destroy, @project
+    # 
+    # You can also pass the class instead of an instance (if you don't have one handy).
+    # 
+    #   <% if can? :create, Project %>
+    #     <%= link_to "New Project", new_project_path %>
+    #   <% end %>
+    # 
+    # This simply calls "can?" on the current_ability. See Ability#can?.
     def can?(*args)
       (@current_ability ||= current_ability).can?(*args)
     end
     
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    # 
+    #   cannot? :destroy, @project
+    # 
     def cannot?(*args)
       (@current_ability ||= current_ability).cannot?(*args)
     end
-    
-    def load_resource # TODO this could use some refactoring
-      model_name = params[:controller].split('/').last.singularize
-      unless params[:action] == "index"
-        if params[:id]
-          instance_variable_set("@#{model_name}", model_name.camelcase.constantize.find(params[:id]))
-        else
-          instance_variable_set("@#{model_name}", model_name.camelcase.constantize.new(params[model_name.to_sym]))
-        end
-      end
-    end
-    
-    def authorize_resource # TODO this could use some refactoring
-      model_name = params[:controller].split('/').last.singularize
-      unauthorized! unless can?(params[:action].to_sym, instance_variable_get("@#{model_name}") || model_name.camelcase.constantize)
-    end
-    
-    def load_and_authorize_resource
-      load_resource
-      authorize_resource
-    end
   end
 end
 

lib/cancan/controller_resource.rb

@@ -0,0 +1,40 @@
+module CanCan
+  class ControllerResource # :nodoc:
+    def initialize(controller, name, parent = nil, options = {})
+      @controller = controller
+      @name = name
+      @parent = parent
+      @options = options
+    end
+    
+    def model_class
+      @options[:class] || @name.to_s.camelize.constantize
+    end
+    
+    def find(id)
+      self.model_instance ||= base.find(id)
+    end
+    
+    def build(attributes)
+      if base.kind_of? Class
+        self.model_instance ||= base.new(attributes)
+      else
+        self.model_instance ||= base.build(attributes)
+      end
+    end
+    
+    def model_instance
+      @controller.instance_variable_get("@#{@name}")
+    end
+    
+    def model_instance=(instance)
+      @controller.instance_variable_set("@#{@name}", instance)
+    end
+    
+    private
+    
+    def base
+      @parent ? @parent.model_instance.send(@name.to_s.pluralize) : model_class
+    end
+  end
+end

lib/cancan/resource_authorization.rb

@@ -0,0 +1,62 @@
+module CanCan
+  class ResourceAuthorization # :nodoc:
+    attr_reader :params
+    
+    def initialize(controller, params, options = {})
+      @controller = controller
+      @params = params
+      @options = options
+    end
+    
+    def load_and_authorize_resource
+      load_resource
+      authorize_resource
+    end
+    
+    def load_resource
+      unless collection_actions.include? params[:action].to_sym
+        if new_actions.include? params[:action].to_sym
+          resource.build(params[model_name.to_sym])
+        elsif params[:id]
+          resource.find(params[:id])
+        end
+      end
+    end
+    
+    def authorize_resource
+      @controller.unauthorized! if @controller.cannot?(params[:action].to_sym, resource.model_instance || resource.model_class)
+    end
+    
+    private
+    
+    def resource
+      @resource ||= ControllerResource.new(@controller, model_name, parent_resource, @options)
+    end
+    
+    def parent_resource
+      parent = nil
+      [@options[:nested]].flatten.compact.each do |name|
+        id = @params["#{name}_id".to_sym]
+        if id
+          parent = ControllerResource.new(@controller, name, parent)
+          parent.find(id)
+        else
+          parent = nil
+        end
+      end
+      parent
+    end
+    
+    def model_name
+      params[:controller].split('/').last.singularize
+    end
+    
+    def collection_actions
+      [:index] + [@options[:collection]].flatten
+    end
+    
+    def new_actions
+      [:new, :create] + [@options[:new]].flatten
+    end
+  end
+end

spec/cancan/ability_spec.rb

@@ -2,9 +2,8 @@ require File.dirname(__FILE__) + '/../spec_helper'
 
 describe CanCan::Ability do
   before(:each) do
-    @ability_class = Class.new
+    @ability = Object.new
-    @ability_class.send(:include, CanCan::Ability)
+    @ability.extend(CanCan::Ability)
-    @ability = @ability_class.new
   end
   
   it "should be able to :read anything" do
@@ -50,9 +49,7 @@ describe CanCan::Ability do
   
   it "should alias update or destroy actions to modify action" do
     @ability.alias_action :update, :destroy, :to => :modify
-    @ability.can :modify, :all do |object_class, object|
+    @ability.can(:modify, :all) { :modify_called }
-      :modify_called
-    end
     @ability.can?(:update, 123).should == :modify_called
     @ability.can?(:destroy, 123).should == :modify_called
   end
@@ -99,4 +96,40 @@ describe CanCan::Ability do
     @ability.can?(:update, []).should be_true
     @ability.can?(:update, 123).should be_false
   end
+  
+  it "should support custom objects in the can definition" do
+    @ability.can :read, :stats
+    @ability.can?(:read, :stats).should be_true
+    @ability.can?(:update, :stats).should be_false
+    @ability.can?(:read, :nonstats).should be_false
+  end
+  
+  it "should support 'cannot' method to define what user cannot do" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer
+    @ability.can?(:read, "foo").should be_true
+    @ability.can?(:read, 123).should be_false
+  end
+  
+  it "should support block on 'cannot' method" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer do |int|
+      int > 5
+    end
+    @ability.can?(:read, "foo").should be_true
+    @ability.can?(:read, 3).should be_true
+    @ability.can?(:read, 123).should be_false
+  end
+  
+  it "should append aliased actions" do
+    @ability.alias_action :update, :to => :modify
+    @ability.alias_action :destroy, :to => :modify
+    @ability.aliased_actions[:modify].should == [:update, :destroy]
+  end
+  
+  it "should clear aliased actions" do
+    @ability.alias_action :update, :to => :modify
+    @ability.clear_aliased_actions
+    @ability.aliased_actions[:modify].should be_nil
+  end
 end

spec/cancan/controller_additions_spec.rb

@@ -1,24 +1,24 @@
 require File.dirname(__FILE__) + '/../spec_helper'
 
-class Ability
-  include CanCan::Ability
-  
-  def initialize(user)
-  end
-end
-
 describe CanCan::ControllerAdditions do
   before(:each) do
     @controller_class = Class.new
     @controller = @controller_class.new
+    stub(@controller).params { {} }
     mock(@controller_class).helper_method(:can?, :cannot?)
     @controller_class.send(:include, CanCan::ControllerAdditions)
   end
   
-  it "should read from the cache with request uri as key and render that text" do
+  it "should raise access denied with default message when calling unauthorized!" do
     lambda {
       @controller.unauthorized!
-    }.should raise_error(CanCan::AccessDenied)
+    }.should raise_error(CanCan::AccessDenied, "You are not authorized to access this page.")
+  end
+  
+  it "should raise access denied with custom message when calling unauthorized!" do
+    lambda {
+      @controller.unauthorized! "Access denied!"
+    }.should raise_error(CanCan::AccessDenied, "Access denied!")
   end
   
   it "should have a current_ability method which generates an ability for the current user" do
@@ -33,60 +33,21 @@ describe CanCan::ControllerAdditions do
     @controller.cannot?(:foo, :bar).should be_true
   end
   
-  it "should load the resource if params[:id] is specified" do
+  it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
-    stub(@controller).params { {:controller => "abilities", :action => "show", :id => 123} }
+    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource
-    stub(Ability).find(123) { :some_resource }
+    mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
-    @controller.load_resource
+    @controller_class.load_and_authorize_resource :foo => :bar
-    @controller.instance_variable_get(:@ability).should == :some_resource
   end
   
-  it "should build a new resource with hash if params[:id] is not specified" do
+  it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
-    stub(@controller).params { {:controller => "abilities", :action => "create", :ability => {:foo => "bar"}} }
+    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource
-    stub(Ability).new(:foo => "bar") { :some_resource }
+    mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) }
-    @controller.load_resource
+    @controller_class.authorize_resource :foo => :bar, :except => :show
-    @controller.instance_variable_get(:@ability).should == :some_resource
   end
   
-  it "should build a new resource even if attribute hash isn't specified" do
+  it "load_resource should setup a before filter which passes call to ResourceAuthorization" do
-    stub(@controller).params { {:controller => "abilities", :action => "new"} }
+    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource
-    stub(Ability).new(nil) { :some_resource }
+    mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) }
-    @controller.load_resource
+    @controller_class.load_resource :foo => :bar, :only => [:show, :index]
-    @controller.instance_variable_get(:@ability).should == :some_resource
-  end
-  
-  it "should not build a resource when on index action" do
-    stub(@controller).params { {:controller => "abilities", :action => "index"} }
-    @controller.load_resource
-    @controller.instance_variable_get(:@ability).should be_nil
-  end
-  
-  it "should perform authorization using controller action and loaded model" do
-    @controller.instance_variable_set(:@ability, :some_resource)
-    stub(@controller).params { {:controller => "abilities", :action => "show"} }
-    stub(@controller).can?(:show, :some_resource) { false }
-    lambda {
-      @controller.authorize_resource
-    }.should raise_error(CanCan::AccessDenied)
-  end
-  
-  it "should perform authorization using controller action and non loaded model" do
-    stub(@controller).params { {:controller => "abilities", :action => "show"} }
-    stub(@controller).can?(:show, Ability) { false }
-    lambda {
-      @controller.authorize_resource
-    }.should raise_error(CanCan::AccessDenied)
-  end
-  
-  it "should load and authorize resource in one call" do
-    mock(@controller).load_resource
-    stub(@controller).authorize_resource
-    @controller.load_and_authorize_resource
-  end
-  
-  it "should properly load resource for namespaced controller" do
-    stub(@controller).params { {:controller => "admin/abilities", :action => "show", :id => 123} }
-    stub(Ability).find(123) { :some_resource }
-    @controller.load_resource
-    @controller.instance_variable_get(:@ability).should == :some_resource
   end
 end

spec/cancan/controller_resource_spec.rb

@@ -0,0 +1,49 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+describe CanCan::ControllerResource do
+  before(:each) do
+    @controller = Object.new
+  end
+  
+  it "should determine model class by constantizing give name" do
+    CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability
+  end
+  
+  it "should fetch model through model class and assign it to the instance" do
+    stub(Ability).find(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should fetch model through parent and assign it to the instance" do
+    parent = Object.new
+    stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability, parent).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should build model through model class and assign it to the instance" do
+    stub(Ability).new(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability).build(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should build model through parent and assign it to the instance" do
+    parent = Object.new
+    stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability, parent).build(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should not load resource if instance variable is already provided" do
+    @controller.instance_variable_set(:@ability, :some_ability)
+    CanCan::ControllerResource.new(@controller, :ability).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should use the model class option if provided" do
+    stub(Person).find(123) { :some_resource }
+    CanCan::ControllerResource.new(@controller, :ability, nil, :class => Person).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+end

spec/cancan/resource_authorization_spec.rb

@@ -0,0 +1,115 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+describe CanCan::ResourceAuthorization do
+  before(:each) do
+    @controller = Object.new # simple stub for now
+    stub(@controller).unauthorized! { raise CanCan::AccessDenied }
+  end
+  
+  it "should load the resource into an instance variable if params[:id] is specified" do
+    stub(Ability).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should properly load resource for namespaced controller" do
+    stub(Ability).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should build a new resource with hash if params[:id] is not specified" do
+    stub(Ability).new(:foo => "bar") { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should build a new resource even if attribute hash isn't specified" do
+    stub(Ability).new(nil) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should not build a resource when on index action" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  
+  it "should perform authorization using controller action and loaded model" do
+    @controller.instance_variable_set(:@ability, :some_resource)
+    stub(@controller).cannot?(:show, :some_resource) { true }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    lambda {
+      authorization.authorize_resource
+    }.should raise_error(CanCan::AccessDenied)
+  end
+  
+  it "should perform authorization using controller action and non loaded model" do
+    stub(@controller).cannot?(:show, Ability) { true }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    lambda {
+      authorization.authorize_resource
+    }.should raise_error(CanCan::AccessDenied)
+  end
+  
+  it "should call load_resource and authorize_resource for load_and_authorize_resource" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    mock(authorization).load_resource
+    mock(authorization).authorize_resource
+    authorization.load_and_authorize_resource
+  end
+  
+  it "should not build a resource when on custom collection action" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "sort"}, {:collection => [:sort, :list]})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  
+  it "should build a resource when on custom new action even when params[:id] exists" do
+    stub(Ability).new(nil) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "build", :id => 123}, {:new => :build})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  
+  it "should not try to load resource for other action if params[:id] is undefined" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "list")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  
+  it "should load nested resource and fetch other resource through the association" do
+    stub(Person).find(456).stub!.abilities.stub!.find(123) { :some_ability }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123, :person_id => 456}, {:nested => :person})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should load nested resource and build resource through a deep association" do
+    stub(Person).find(456).stub!.behaviors.stub!.find(789).stub!.abilities.stub!.build(nil) { :some_ability }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456, :behavior_id => 789}, {:nested => [:person, :behavior]})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should not load nested resource and build through this if *_id param isn't specified" do
+    stub(Person).find(456) { :some_person }
+    stub(Ability).new(nil) { :some_ability }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456}, {:nested => [:person, :behavior]})
+    authorization.load_resource
+    @controller.instance_variable_get(:@person).should == :some_person
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should load the model using a custom class" do
+    stub(Person).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => Person})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+end

spec/spec_helper.rb

@@ -9,3 +9,14 @@ require File.dirname(__FILE__) + '/../lib/cancan.rb'
 Spec::Runner.configure do |config|
   config.mock_with :rr
 end
+
+class Ability
+  include CanCan::Ability
+  
+  def initialize(user)
+  end
+end
+
+# this class helps out in testing nesting
+class Person
+end