will/cancan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: will:0.2.0
Branches Tags
will:master will:2.0
will:1.6.10 will:1.6.9 will:1.6.8 will:1.6.7 will:1.6.6 will:1.6.5 will:1.6.4 will:1.6.3 will:1.6.2 will:1.6.1 will:1.6.0 will:1.5.1 will:1.5.0 will:1.4.1 will:1.4.0 will:1.3.4 will:1.3.3 will:1.3.2 will:1.3.1 will:1.3.0 will:1.2.0 will:1.1.1 will:1.1 will:1.0.2 will:1.0.1 will:1.0.0 will:0.2.1 will:0.2.0 will:0.1.0
..
compare: will:1.0.1
Branches Tags
will:master will:2.0
will:1.6.10 will:1.6.9 will:1.6.8 will:1.6.7 will:1.6.6 will:1.6.5 will:1.6.4 will:1.6.3 will:1.6.2 will:1.6.1 will:1.6.0 will:1.5.1 will:1.5.0 will:1.4.1 will:1.4.0 will:1.3.4 will:1.3.3 will:1.3.2 will:1.3.1 will:1.3.0 will:1.2.0 will:1.1.1 will:1.1 will:1.0.2 will:1.0.1 will:1.0.0 will:0.2.1 will:0.2.0 will:0.1.0

23 Commits
0.2.0 ... 1.0.1

Author SHA1 Message Date
Ryan Bates
f919ac53bb releasing gem v1.0.1 2009-12-14 08:37:30 -08:00
Ryan Bates
021f33c9a0 Adding :class option to load_resource so one can customize which class to use for the model - closes #17 2009-12-14 08:31:49 -08:00
Ryan Bates
e9f01300b6 Don't fetch parent of nested resource if *_id parameter is missing so it works with shallow nested routes - closes #14 2009-12-14 08:18:08 -08:00
Ryan Bates
f7480d1f5a releasing gem v1.0.0 (backwards incompatible, see changelog) 2009-12-13 13:47:49 -08:00
Ryan Bates
ffa677b2b0 Don't set resource instance variable if it has been set already - closes #13 2009-12-13 12:32:09 -08:00
Ryan Bates
a75aee751b Allowing :nested option to accept an array for deep nesting 2009-12-13 12:22:05 -08:00
Ryan Bates
51fa61bbae refactoring out resource loading/building logic into separate class 2009-12-13 12:11:02 -08:00
Ryan Bates
cd217eb9cf adding :nested option for load_resource - closes #10 2009-12-13 11:39:02 -08:00
Ryan Bates
94e031bf96 Pass :only and :except options to before filters for load/authorize resource methods. 2009-12-13 11:00:12 -08:00
Ryan Bates
63634b4f5d Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed. 2009-12-13 10:42:10 -08:00
Ryan Bates
a5f98824a0 turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments 2009-12-13 10:03:21 -08:00
Ryan Bates
43947c893d releasing gem v0.2.1 2009-11-26 10:13:22 -08:00
Ryan Bates
e32c5d0dfb calling controller's load_resource and authorize_resource from load_and_authorize_resource to maintain backwards compatability, even though it's not the most efficient way 2009-11-26 09:53:16 -08:00
Ryan Bates
da5a5c031f refactoring out controller logic into separate ResourceAuthorization class - closes #11 2009-11-26 09:29:53 -08:00
Rafael Silva
e92a7d8bf4 Some refactor to be more DRY 2009-11-26 09:38:14 +08:00
Ryan Bates
c40490d672 refactoring ability can? method - closes #12 2009-11-25 17:31:40 -08:00
Ryan Bates
d4405e6070 adding cannot method to define which abilities cannot be done - closes #7 2009-11-25 10:25:58 -08:00
Ryan Bates
e60365505c support custom objects (usually symbols) in can definition - closes #8 2009-11-25 09:55:50 -08:00
Ryan Bates
5bd1a85410 little fixes to inline documentation (rdocs) 2009-11-19 09:46:30 -08:00
Ryan Bates
0ae41f57b8 mentioning wiki in readme 2009-11-18 16:37:10 -08:00
Ryan Bates
b145a98488 linking to the RDocs from README 2009-11-17 17:02:20 -08:00
Ryan Bates
b9227eb971 adding a lot of inline documentation to code for rdocs 2009-11-17 16:56:16 -08:00
Ryan Bates
072cb0f2de fixing spacing issues in README 2009-11-17 12:59:44 -08:00
13 changed files with 737 additions and 178 deletions
Expand all files Collapse all files

31
CHANGELOG.rdoc
View File

@@ -1,3 +1,34 @@
1.0.1 (Dec 14, 2009)
* Adding :class option to load_resource so one can customize which class to use for the model - see issue #17
* Don't fetch parent of nested resource if *_id parameter is missing so it works with shallow nested routes - see issue #14
1.0.0 (Dec 13, 2009)
* Don't set resource instance variable if it has been set already - see issue #13
* Allowing :nested option to accept an array for deep nesting
* Adding :nested option to load resource method - see issue #10
* Pass :only and :except options to before filters for load/authorize resource methods.
* Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed.
* BACKWARDS INCOMPATIBLE: turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments.
0.2.1 (Nov 26, 2009)
* many internal refactorings - see issues #11 and #12
* adding "cannot" method to define which abilities cannot be done - see issue #7
* support custom objects (usually symbols) in can definition - see issue #8
0.2.0 (Nov 17, 2009)
* fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3

113
README.rdoc
View File

@@ -4,12 +4,13 @@ This is a simple authorization solution for Ruby on Rails to restrict what a giv
This assumes you already have authentication (such as Authlogic[http://github.com/binarylogic/authlogic]) which provides a current_user model.
See the RDocs[http://rdoc.info/projects/ryanb/cancan] and Wiki[http://wiki.github.com/ryanb/cancan] for additional documentation.
== Installation
You can set it up as a gem in your environment.rb file.
config.gem "cancan", :source => "http://gemcutter.org"
config.gem "cancan"
And then install the gem.
@@ -20,7 +21,7 @@ Alternatively you can install it as a Rails plugin.
script/plugin install git://github.com/ryanb/cancan.git
== Setup
== Getting Started
First, define a class called Ability in "models/ability.rb".
@@ -51,10 +52,10 @@ You can also use these methods in a controller along with the "unauthorized!" me
unauthorized! if cannot? :read, @article
end
Setting this for every action can be tedious, therefore a before filter is also provided to automatically authorize all actions in a RESTful style resource controller.
Setting this for every action can be tedious, therefore the load_and_authorize_resource method is also provided to automatically authorize all actions in a RESTful style resource controller. It will set up a before filter which loads the resource into the instance variable and authorizes it.
class ArticlesController < ApplicationController
before_filter :load_and_authorize_resource
load_and_authorize_resource
def show
# @article is already loaded
@@ -64,11 +65,7 @@ Setting this for every action can be tedious, therefore a before filter is also
If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior in the ApplicationController.
class ApplicationController < ActionController::Base
rescue_from CanCan::AccessDenied, :with => :access_denied
protected
def access_denied
rescue_from CanCan::AccessDenied do |exception|
flash[:error] = "Sorry, you are not allowed to access that page."
redirect_to root_url
end
@@ -111,16 +108,10 @@ You can also pass :manage as the action which will match any action. In this cas
action != :destroy
end
Finally, you can use the "alias_action" method to alias one or more actions into one.
Finally, the "cannot" method works similar to "can" but defines which abilities cannot be done.
alias_action :update, :destroy, :to => :modify
can :modify, Comment
The following aliases are added by default for conveniently mapping common controller actions.
alias_action :index, :show, :to => :read
alias_action :new, :to => :create
alias_action :edit, :to => :update
can :read, :all
cannot :read, Product
== Checking Abilities
@@ -140,22 +131,44 @@ The "cannot?" method is for convenience and performs the opposite check of "can?
cannot? :destroy, @project
== Custom Actions
== Aliasing Actions
You can have fine grained control over abilities by coming up with new actions. For example, if only pro users are allowed to upload a picture for their product, you could add the following restrictions.
You can use the "alias_action" method to alias one or more actions into one.
# ability.rb
can :upload_picture, Project if user.pro?
alias_action :update, :destroy, :to => :modify
can :modify, Comment
can? :update, Comment # => true
# projects/_form.html.erb
<%= f.file_field :picture if can? :upload_picture, @project %>
The following aliases are added by default for conveniently mapping common controller actions.
# projects_controller.rb
def update
unauthorized! if params[:project][:upload_picture] && cannot?(:upload_picture, @project)
# ...
alias_action :index, :show, :to => :read
alias_action :new, :to => :create
alias_action :edit, :to => :update
== Authorizing Controller Actions
As mentioned in the Getting Started section, you can use the +load_and_authorize_resource+ method in your controller to load the resource into an instance variable and authorize it. If you have a nested resource you can specify that as well.
load_and_authorize_resource :nested => :author
You can also pass an array to the :+nested+ attribute for deep nesting.
If you want to customize the loading behavior on certain actions, you can do so in a before filter.
class BooksController < ApplicationController
before_filter :find_book_by_permalink, :only => :show
load_and_authorize_resource
private
def find_book_by_permalink
@book = Book.find_by_permalink!(params[:id)
end
end
Here the @book instance variable is already set so it will not be loaded again for that action. This works for nested resources as well.
== Assumptions & Configuring
@@ -173,48 +186,16 @@ You can override these by overriding the "current_ability" method in your Applic
That's it!
== Permissions in Database
Perhaps a non-coder needs the ability to modify the user abilities, or you want to change them without having to re-deploy the application. In that case it may be best to store the permission logic in a separate model, let's call it Permission. It is easy to use the database records when defining abilities.
For example, let's assume that each user has_many :permissions, and each permission has "action", "object_type" and "object_id" columns. The last of which is optional.
class Ability
include CanCan::Ability
def initialize(user)
can :manage, :all do |action, object_class, object|
user.permissions.find_all_by_action(action).any? do |permission|
permission.object_type == object_class.to_s &&
(object.nil? || permission.object_id.nil? || permission.object_id == object.id)
end
end
end
end
An alternatie approach is to define a separate "can" ability for each permission.
def initialize(user)
user.permissions.each do |permission|
can permission.action, permission.object_type.constantize do |object|
object.nil? || permission.object_id.nil? || permission.object_id == object.id
end
end
end
The actual details will depend largely on your application requirements, but hopefully you can see how it's possible to define permissions in the database and use them with CanCan.
== Testing Abilities
It is very easy to test the Ability model since you can call "can?" directly on it as you would in the view or controller.
def test "user can only destroy projects which he owns"
user = User.new
ability = Ability.new(user)
assert ability.can?(:destroy, Project.new(:user => user))
assert ability.cannot?(:destroy, Project.new)
end
def test "user can only destroy projects which he owns"
user = User.new
ability = Ability.new(user)
assert ability.can?(:destroy, Project.new(:user => user))
assert ability.cannot?(:destroy, Project.new)
end
== Special Thanks

4
cancan.gemspec
View File

@@ -4,8 +4,8 @@ Gem::Specification.new do |s|
s.description = "Simple authorization solution for Rails which is completely decoupled from the user's roles. All permissions are stored in a single location for convenience."
s.homepage = "http://github.com/ryanb/cancan"
s.version = "0.2.0"
s.date = "2009-11-17"
s.version = "1.0.1"
s.date = "2009-12-14"
s.authors = ["Ryan Bates"]
s.email = "ryan@railscasts.com"

4
lib/cancan.rb
View File

@@ -1,6 +1,10 @@
module CanCan
# This error is raised when a user isn't allowed to access a given
# controller action. See ControllerAdditions#unauthorized! for details.
class AccessDenied < StandardError; end
end
require File.dirname(__FILE__) + '/cancan/ability'
require File.dirname(__FILE__) + '/cancan/controller_resource'
require File.dirname(__FILE__) + '/cancan/resource_authorization'
require File.dirname(__FILE__) + '/cancan/controller_additions'

203
lib/cancan/ability.rb
View File

@@ -1,49 +1,168 @@
module CanCan
# This module is designed to be included into an Ability class. This will
# provide the "can" methods for defining and checking abilities.
#
# class Ability
# include CanCan::Ability
#
# def initialize(user)
# if user.admin?
# can :manage, :all
# else
# can :read, :all
# end
# end
# end
#
module Ability
attr_accessor :user
def can?(original_action, target) # TODO this could use some refactoring
(@can_history || []).reverse.each do |can_action, can_target, can_block|
can_actions = [can_action].flatten
can_targets = [can_target].flatten
possible_actions_for(original_action).each do |action|
if (can_actions.include?(:manage) || can_actions.include?(action)) && (can_targets.include?(:all) || can_targets.include?(target) || can_targets.any? { |c| target.kind_of?(c) })
if can_block.nil?
return true
else
block_args = []
block_args << action if can_actions.include?(:manage)
block_args << (target.class == Class ? target : target.class) if can_targets.include?(:all)
block_args << (target.class == Class ? nil : target)
return can_block.call(*block_args)
end
end
# Use to check the user's permission for a given action and object.
#
# can? :destroy, @project
#
# You can also pass the class instead of an instance (if you don't have one handy).
#
# can? :create, Project
#
# Not only can you use the can? method in the controller and view (see ControllerAdditions),
# but you can also call it directly on an ability instance.
#
# ability.can? :destroy, @project
#
# This makes testing a user's abilities very easy.
#
# def test "user can only destroy projects which he owns"
# user = User.new
# ability = Ability.new(user)
# assert ability.can?(:destroy, Project.new(:user => user))
# assert ability.cannot?(:destroy, Project.new)
# end
#
def can?(action, noun)
(@can_definitions || []).reverse.each do |base_behavior, defined_action, defined_noun, defined_block|
defined_actions = expand_actions(defined_action)
defined_nouns = [defined_noun].flatten
if includes_action?(defined_actions, action) && includes_noun?(defined_nouns, noun)
result = can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
return base_behavior ? result : !result
end
end
false
end
# Convenience method which works the same as "can?" but returns the opposite value.
#
# cannot? :destroy, @project
#
def cannot?(*args)
!can?(*args)
end
def possible_actions_for(initial_action)
actions = [initial_action]
(@aliased_actions || default_alias_actions).each do |target, aliases|
actions += possible_actions_for(target) if aliases.include? initial_action
end
actions
# Defines which abilities are allowed using two arguments. The first one is the action
# you're setting the permission for, the second one is the class of object you're setting it on.
#
# can :update, Article
#
# You can pass an array for either of these parameters to match any one.
#
# can [:update, :destroy], [Article, Comment]
#
# In this case the user has the ability to update or destroy both articles and comments.
#
# You can pass a block to provide logic based on the article's attributes.
#
# can :update, Article do |article|
# article && article.user == user
# end
#
# If the block returns true then the user has that :update ability for that article, otherwise he
# will be denied access. It's possible for the passed in model to be nil if one isn't specified,
# so be sure to take that into consideration.
#
# You can pass :all to reference every type of object. In this case the object type will be passed
# into the block as well (just in case object is nil).
#
# can :read, :all do |object_class, object|
# object_class != Order
# end
#
# Here the user has permission to read all objects except orders.
#
# You can also pass :manage as the action which will match any action. In this case the action is
# passed to the block.
#
# can :manage, Comment do |action, comment|
# action != :destroy
# end
#
# You can pass custom objects into this "can" method, this is usually done through a symbol
# and is useful if a class isn't available to define permissions on.
#
# can :read, :stats
# can? :read, :stats # => true
#
def can(action, noun, &block)
@can_definitions ||= []
@can_definitions << [true, action, noun, block]
end
def can(action, target, &block)
@can_history ||= []
@can_history << [action, target, block]
# Define an ability which cannot be done. Accepts the same arguments as "can".
#
# can :read, :all
# cannot :read, Comment
#
# A block can be passed just like "can", however if the logic is complex it is recommended
# to use the "can" method.
#
# cannot :read, Product do |product|
# product.invisible?
# end
#
def cannot(action, noun, &block)
@can_definitions ||= []
@can_definitions << [false, action, noun, block]
end
# Alias one or more actions into another one.
#
# alias_action :update, :destroy, :to => :modify
# can :modify, Comment
#
# Then :modify permission will apply to both :update and :destroy requests.
#
# can? :update, Comment # => true
# can? :destroy, Comment # => true
#
# This only works in one direction. Passing the aliased action into the "can?" call
# will not work because aliases are meant to generate more generic actions.
#
# alias_action :update, :destroy, :to => :modify
# can :update, Comment
# can? :modify, Comment # => false
#
# Unless that exact alias is used.
#
# can :modify, Comment
# can? :modify, Comment # => true
#
# The following aliases are added by default for conveniently mapping common controller actions.
#
# alias_action :index, :show, :to => :read
# alias_action :new, :to => :create
# alias_action :edit, :to => :update
#
# This way one can use params[:action] in the controller to determine the permission.
def alias_action(*args)
@aliased_actions ||= default_alias_actions
target = args.pop[:to]
@aliased_actions[target] = args
aliased_actions[target] = args
end
private
def aliased_actions
@aliased_actions ||= default_alias_actions
end
def default_alias_actions
@@ -53,5 +172,35 @@ module CanCan
:update => [:edit],
}
end
def expand_actions(actions)
[actions].flatten.map do |action|
if aliased_actions[action]
[action, *aliased_actions[action]]
else
action
end
end.flatten
end
def can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
if defined_block.nil?
true
else
block_args = []
block_args << action if defined_actions.include?(:manage)
block_args << (noun.class == Class ? noun : noun.class) if defined_nouns.include?(:all)
block_args << (noun.class == Class ? nil : noun)
return defined_block.call(*block_args)
end
end
def includes_action?(actions, action)
actions.include?(:manage) || actions.include?(action)
end
def includes_noun?(nouns, noun)
nouns.include?(:all) || nouns.include?(noun) || nouns.any? { |c| c.kind_of?(Class) && noun.kind_of?(c) }
end
end
end

180
lib/cancan/controller_additions.rb
View File

@@ -1,45 +1,183 @@
module CanCan
# This module is automatically included into all controllers.
# It also makes the "can?" and "cannot?" methods available to all views.
module ControllerAdditions
module ClassMethods
# Sets up a before filter which loads and authorizes the current resource. This performs both
# load_resource and authorize_resource and accepts the same arguments. See those methods for details.
#
# class BooksController < ApplicationController
# load_and_authorize_resource
# end
#
def load_and_authorize_resource(options = {})
before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_and_authorize_resource }
end
# Sets up a before filter which loads the appropriate model resource into an instance variable.
# For example, given an ArticlesController it will load the current article into the @article
# instance variable. It does this by either calling Article.find(params[:id]) or
# Article.new(params[:article]) depending upon the action. It does nothing for the "index"
# action.
#
# Call this method directly on the controller class.
#
# class BooksController < ApplicationController
# load_resource
# end
#
# A resource is not loaded if the instance variable is already set. This makes it easy to override
# the behavior through a before_filter on certain actions.
#
# class BooksController < ApplicationController
# before_filter :find_book_by_permalink, :only => :show
# load_resource
#
# private
#
# def find_book_by_permalink
# @book = Book.find_by_permalink!(params[:id)
# end
# end
#
# See load_and_authorize_resource to automatically authorize the resource too.
#
# Options:
# [:+only+]
# Only applies before filter to given actions.
#
# [:+except+]
# Does not apply before filter to given actions.
#
# [:+nested+]
# Specify which resource this is nested under.
#
# load_resource :nested => :author
#
# Deep nesting can be defined in an array.
#
# load_resource :nested => [:publisher, :author]
#
# [:+class+]
# The class to use for the model.
#
# [:+collection+]
# Specify which actions are resource collection actions in addition to :+index+. This
# is usually not necessary because it will try to guess depending on if an :+id+
# is present in +params+.
#
# load_resource :collection => [:sort, :list]
#
# [:+new+]
# Specify which actions are new resource actions in addition to :+new+ and :+create+.
# Pass an action name into here if you would like to build a new resource instead of
# fetch one.
#
# load_resource :new => :build
#
def load_resource(options = {})
before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_resource }
end
# Sets up a before filter which authorizes the current resource using the instance variable.
# For example, if you have an ArticlesController it will check the @article instance variable
# and ensure the user can perform the current action on it. Under the hood it is doing
# something like the following.
#
# unauthorized! if cannot?(params[:action].to_sym, @article || Article)
#
# Call this method directly on the controller class.
#
# class BooksController < ApplicationController
# authorize_resource
# end
#
# See load_and_authorize_resource to automatically load the resource too.
#
# Options:
# [:+only+]
# Only applies before filter to given actions.
#
# [:+except+]
# Does not apply before filter to given actions.
#
# [:+class+]
# The class to use for the model.
#
def authorize_resource(options = {})
before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).authorize_resource }
end
end
def self.included(base)
base.extend ClassMethods
base.helper_method :can?, :cannot?
end
# Raises the CanCan::AccessDenied exception. This is often used in a
# controller action to mark a request as unauthorized.
#
# def show
# @article = Article.find(params[:id])
# unauthorized! if cannot? :read, @article
# end
#
# You can rescue from the exception in the controller to specify
# the user experience.
#
# class ApplicationController < ActionController::Base
# rescue_from CanCan::AccessDenied, :with => :access_denied
#
# protected
#
# def access_denied
# flash[:error] = "Sorry, you are not allowed to access that page."
# redirect_to root_url
# end
# end
#
# See the load_and_authorize_resource method to automatically add
# the "unauthorized!" behavior to a RESTful controller's actions.
def unauthorized!
raise AccessDenied, "You are unable to access this page."
end
# Creates and returns the current user's ability. You generally do not invoke
# this method directly, instead you can override this method to change its
# behavior if the Ability class or current_user method are different.
#
# def current_ability
# UserAbility.new(current_account) # instead of Ability.new(current_user)
# end
#
def current_ability
::Ability.new(current_user)
end
# Use in the controller or view to check the user's permission for a given action
# and object.
#
# can? :destroy, @project
#
# You can also pass the class instead of an instance (if you don't have one handy).
#
# <% if can? :create, Project %>
# <%= link_to "New Project", new_project_path %>
# <% end %>
#
# This simply calls "can?" on the current_ability. See Ability#can?.
def can?(*args)
(@current_ability ||= current_ability).can?(*args)
end
# Convenience method which works the same as "can?" but returns the opposite value.
#
# cannot? :destroy, @project
#
def cannot?(*args)
(@current_ability ||= current_ability).cannot?(*args)
end
def load_resource # TODO this could use some refactoring
model_name = params[:controller].split('/').last.singularize
unless params[:action] == "index"
if params[:id]
instance_variable_set("@#{model_name}", model_name.camelcase.constantize.find(params[:id]))
else
instance_variable_set("@#{model_name}", model_name.camelcase.constantize.new(params[model_name.to_sym]))
end
end
end
def authorize_resource # TODO this could use some refactoring
model_name = params[:controller].split('/').last.singularize
unauthorized! unless can?(params[:action].to_sym, instance_variable_get("@#{model_name}") || model_name.camelcase.constantize)
end
def load_and_authorize_resource
load_resource
authorize_resource
end
end
end

40
lib/cancan/controller_resource.rb Normal file
View File

@@ -0,0 +1,40 @@
module CanCan
class ControllerResource # :nodoc:
def initialize(controller, name, parent = nil, options = {})
@controller = controller
@name = name
@parent = parent
@options = options
end
def model_class
@options[:class] || @name.to_s.camelize.constantize
end
def find(id)
self.model_instance ||= base.find(id)
end
def build(attributes)
if base.kind_of? Class
self.model_instance ||= base.new(attributes)
else
self.model_instance ||= base.build(attributes)
end
end
def model_instance
@controller.instance_variable_get("@#{@name}")
end
def model_instance=(instance)
@controller.instance_variable_set("@#{@name}", instance)
end
private
def base
@parent ? @parent.model_instance.send(@name.to_s.pluralize) : model_class
end
end
end

62
lib/cancan/resource_authorization.rb Normal file
View File

@@ -0,0 +1,62 @@
module CanCan
class ResourceAuthorization # :nodoc:
attr_reader :params
def initialize(controller, params, options = {})
@controller = controller
@params = params
@options = options
end
def load_and_authorize_resource
load_resource
authorize_resource
end
def load_resource
unless collection_actions.include? params[:action].to_sym
if new_actions.include? params[:action].to_sym
resource.build(params[model_name.to_sym])
elsif params[:id]
resource.find(params[:id])
end
end
end
def authorize_resource
@controller.unauthorized! if @controller.cannot?(params[:action].to_sym, resource.model_instance || resource.model_class)
end
private
def resource
@resource ||= ControllerResource.new(@controller, model_name, parent_resource, @options)
end
def parent_resource
parent = nil
[@options[:nested]].flatten.compact.each do |name|
id = @params["#{name}_id".to_sym]
if id
parent = ControllerResource.new(@controller, name, parent)
parent.find(id)
else
parent = nil
end
end
parent
end
def model_name
params[:controller].split('/').last.singularize
end
def collection_actions
[:index] + [@options[:collection]].flatten
end
def new_actions
[:new, :create] + [@options[:new]].flatten
end
end
end

24
spec/cancan/ability_spec.rb
View File

@@ -99,4 +99,28 @@ describe CanCan::Ability do
@ability.can?(:update, []).should be_true
@ability.can?(:update, 123).should be_false
end
it "should support custom objects in the can definition" do
@ability.can :read, :stats
@ability.can?(:read, :stats).should be_true
@ability.can?(:update, :stats).should be_false
@ability.can?(:read, :nonstats).should be_false
end
it "should support 'cannot' method to define what user cannot do" do
@ability.can :read, :all
@ability.cannot :read, Integer
@ability.can?(:read, "foo").should be_true
@ability.can?(:read, 123).should be_false
end
it "should support block on 'cannot' method" do
@ability.can :read, :all
@ability.cannot :read, Integer do |int|
int > 5
end
@ability.can?(:read, "foo").should be_true
@ability.can?(:read, 3).should be_true
@ability.can?(:read, 123).should be_false
end
end

71
spec/cancan/controller_additions_spec.rb
View File

@@ -1,16 +1,10 @@
require File.dirname(__FILE__) + '/../spec_helper'
class Ability
include CanCan::Ability
def initialize(user)
end
end
describe CanCan::ControllerAdditions do
before(:each) do
@controller_class = Class.new
@controller = @controller_class.new
stub(@controller).params { {} }
mock(@controller_class).helper_method(:can?, :cannot?)
@controller_class.send(:include, CanCan::ControllerAdditions)
end
@@ -33,60 +27,21 @@ describe CanCan::ControllerAdditions do
@controller.cannot?(:foo, :bar).should be_true
end
it "should load the resource if params[:id] is specified" do
stub(@controller).params { {:controller => "abilities", :action => "show", :id => 123} }
stub(Ability).find(123) { :some_resource }
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource
mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
@controller_class.load_and_authorize_resource :foo => :bar
end
it "should build a new resource with hash if params[:id] is not specified" do
stub(@controller).params { {:controller => "abilities", :action => "create", :ability => {:foo => "bar"}} }
stub(Ability).new(:foo => "bar") { :some_resource }
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource
mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) }
@controller_class.authorize_resource :foo => :bar, :except => :show
end
it "should build a new resource even if attribute hash isn't specified" do
stub(@controller).params { {:controller => "abilities", :action => "new"} }
stub(Ability).new(nil) { :some_resource }
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should not build a resource when on index action" do
stub(@controller).params { {:controller => "abilities", :action => "index"} }
@controller.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should perform authorization using controller action and loaded model" do
@controller.instance_variable_set(:@ability, :some_resource)
stub(@controller).params { {:controller => "abilities", :action => "show"} }
stub(@controller).can?(:show, :some_resource) { false }
lambda {
@controller.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should perform authorization using controller action and non loaded model" do
stub(@controller).params { {:controller => "abilities", :action => "show"} }
stub(@controller).can?(:show, Ability) { false }
lambda {
@controller.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should load and authorize resource in one call" do
mock(@controller).load_resource
stub(@controller).authorize_resource
@controller.load_and_authorize_resource
end
it "should properly load resource for namespaced controller" do
stub(@controller).params { {:controller => "admin/abilities", :action => "show", :id => 123} }
stub(Ability).find(123) { :some_resource }
@controller.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
it "load_resource should setup a before filter which passes call to ResourceAuthorization" do
stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource
mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) }
@controller_class.load_resource :foo => :bar, :only => [:show, :index]
end
end

49
spec/cancan/controller_resource_spec.rb Normal file
View File

@@ -0,0 +1,49 @@
require File.dirname(__FILE__) + '/../spec_helper'
describe CanCan::ControllerResource do
before(:each) do
@controller = Object.new
end
it "should determine model class by constantizing give name" do
CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability
end
it "should fetch model through model class and assign it to the instance" do
stub(Ability).find(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability).find(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should fetch model through parent and assign it to the instance" do
parent = Object.new
stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability, parent).find(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should build model through model class and assign it to the instance" do
stub(Ability).new(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability).build(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should build model through parent and assign it to the instance" do
parent = Object.new
stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability }
CanCan::ControllerResource.new(@controller, :ability, parent).build(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should not load resource if instance variable is already provided" do
@controller.instance_variable_set(:@ability, :some_ability)
CanCan::ControllerResource.new(@controller, :ability).find(123)
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should use the model class option if provided" do
stub(Person).find(123) { :some_resource }
CanCan::ControllerResource.new(@controller, :ability, nil, :class => Person).find(123)
@controller.instance_variable_get(:@ability).should == :some_resource
end
end

115
spec/cancan/resource_authorization_spec.rb Normal file
View File

@@ -0,0 +1,115 @@
require File.dirname(__FILE__) + '/../spec_helper'
describe CanCan::ResourceAuthorization do
before(:each) do
@controller = Object.new # simple stub for now
stub(@controller).unauthorized! { raise CanCan::AccessDenied }
end
it "should load the resource into an instance variable if params[:id] is specified" do
stub(Ability).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should properly load resource for namespaced controller" do
stub(Ability).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should build a new resource with hash if params[:id] is not specified" do
stub(Ability).new(:foo => "bar") { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should build a new resource even if attribute hash isn't specified" do
stub(Ability).new(nil) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should not build a resource when on index action" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should perform authorization using controller action and loaded model" do
@controller.instance_variable_set(:@ability, :some_resource)
stub(@controller).cannot?(:show, :some_resource) { true }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
lambda {
authorization.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should perform authorization using controller action and non loaded model" do
stub(@controller).cannot?(:show, Ability) { true }
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
lambda {
authorization.authorize_resource
}.should raise_error(CanCan::AccessDenied)
end
it "should call load_resource and authorize_resource for load_and_authorize_resource" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
mock(authorization).load_resource
mock(authorization).authorize_resource
authorization.load_and_authorize_resource
end
it "should not build a resource when on custom collection action" do
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "sort"}, {:collection => [:sort, :list]})
authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should build a resource when on custom new action even when params[:id] exists" do
stub(Ability).new(nil) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "build", :id => 123}, {:new => :build})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
it "should not try to load resource for other action if params[:id] is undefined" do
authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "list")
authorization.load_resource
@controller.instance_variable_get(:@ability).should be_nil
end
it "should load nested resource and fetch other resource through the association" do
stub(Person).find(456).stub!.abilities.stub!.find(123) { :some_ability }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123, :person_id => 456}, {:nested => :person})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should load nested resource and build resource through a deep association" do
stub(Person).find(456).stub!.behaviors.stub!.find(789).stub!.abilities.stub!.build(nil) { :some_ability }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456, :behavior_id => 789}, {:nested => [:person, :behavior]})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should not load nested resource and build through this if *_id param isn't specified" do
stub(Person).find(456) { :some_person }
stub(Ability).new(nil) { :some_ability }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456}, {:nested => [:person, :behavior]})
authorization.load_resource
@controller.instance_variable_get(:@person).should == :some_person
@controller.instance_variable_get(:@ability).should == :some_ability
end
it "should load the model using a custom class" do
stub(Person).find(123) { :some_resource }
authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => Person})
authorization.load_resource
@controller.instance_variable_get(:@ability).should == :some_resource
end
end

11
spec/spec_helper.rb
View File

@@ -9,3 +9,14 @@ require File.dirname(__FILE__) + '/../lib/cancan.rb'
Spec::Runner.configure do |config|
config.mock_with :rr
end
class Ability
include CanCan::Ability
def initialize(user)
end
end
# this class helps out in testing nesting
class Person
end