releasing v1.0.2

CHANGELOG.rdoc

@@ -1,3 +1,19 @@
+1.0.2 (Dec 30, 2009)
+
+* Adding clear_aliased_actions to Ability which removes previously defined actions including defaults - see issue #20
+
+* Append aliased actions (don't overwrite them) - see issue #20
+
+* Adding custom message argument to unauthorized! method (thanks tjwallace) - see issue #18
+
+
+1.0.1 (Dec 14, 2009)
+
+* Adding :class option to load_resource so one can customize which class to use for the model - see issue #17
+
+* Don't fetch parent of nested resource if *_id parameter is missing so it works with shallow nested routes - see issue #14
+
+
 1.0.0 (Dec 13, 2009)
 
 * Don't set resource instance variable if it has been set already - see issue #13

README.rdoc

@@ -1,11 +1,11 @@
 = CanCan
 
+RDocs[http://rdoc.info/projects/ryanb/cancan] | Wiki[http://wiki.github.com/ryanb/cancan] | Screencast[http://railscasts.com/episodes/192-authorization-with-cancan] | Metrics[http://getcaliper.com/caliper/project?repo=git%3A%2F%2Fgithub.com%2Fryanb%2Fcancan.git] | Tests[http://runcoderun.com/ryanb/cancan]
+
 This is a simple authorization solution for Ruby on Rails to restrict what a given user is allowed to access in the application. This is completely decoupled from any role based implementation allowing you to define user roles the way you want. All permissions are stored in a single location for convenience.
 
 This assumes you already have authentication (such as Authlogic[http://github.com/binarylogic/authlogic]) which provides a current_user model.
 
-See the RDocs[http://rdoc.info/projects/ryanb/cancan] and Wiki[http://wiki.github.com/ryanb/cancan] for additional documentation.
-
 == Installation
 
 You can set it up as a gem in your environment.rb file.
@@ -65,12 +65,8 @@ Setting this for every action can be tedious, therefore the load_and_authorize_r
 If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior in the ApplicationController.
 
   class ApplicationController < ActionController::Base
-    rescue_from CanCan::AccessDenied, :with => :access_denied
+    rescue_from CanCan::AccessDenied do |exception|
-  
+      flash[:error] = exception.message
-    protected
-  
-    def access_denied
-      flash[:error] = "Sorry, you are not allowed to access that page."
       redirect_to root_url
     end
   end

Rakefile

@@ -9,3 +9,5 @@ Spec::Rake::SpecTask.new do |t|
   t.spec_files = spec_files
   t.spec_opts = ["-c"]
 end
+
+task :default => :spec

cancan.gemspec

@@ -4,8 +4,8 @@ Gem::Specification.new do |s|
   s.description = "Simple authorization solution for Rails which is completely decoupled from the user's roles. All permissions are stored in a single location for convenience."
   s.homepage = "http://github.com/ryanb/cancan"
   
-  s.version = "1.0.0"
+  s.version = "1.0.2"
-  s.date = "2009-12-13"
+  s.date = "2009-12-30"
   
   s.authors = ["Ryan Bates"]
   s.email = "ryan@railscasts.com"

lib/cancan/ability.rb

@@ -156,15 +156,22 @@ module CanCan
     # This way one can use params[:action] in the controller to determine the permission.
     def alias_action(*args)
       target = args.pop[:to]
-      aliased_actions[target] = args
+      aliased_actions[target] ||= []
+      aliased_actions[target] += args
     end
     
-    private
+    # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
-    
     def aliased_actions
       @aliased_actions ||= default_alias_actions
     end
     
+    # Removes previously aliased actions including the defaults.
+    def clear_aliased_actions
+      @aliased_actions = {}
+    end
+    
+    private
+    
     def default_alias_actions
       {
         :read => [:index, :show],

lib/cancan/controller_additions.rb

@@ -59,6 +59,9 @@ module CanCan
       #   
       #     load_resource :nested => [:publisher, :author]
       #   
+      # [:+class+]
+      #   The class to use for the model.
+      #   
       # [:+collection+]
       #   Specify which actions are resource collection actions in addition to :+index+. This
       #   is usually not necessary because it will try to guess depending on if an :+id+
@@ -99,6 +102,9 @@ module CanCan
       # [:+except+]
       #   Does not apply before filter to given actions.
       # 
+      # [:+class+]
+      #   The class to use for the model.
+      # 
       def authorize_resource(options = {})
         before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).authorize_resource }
       end
@@ -117,24 +123,22 @@ module CanCan
     #     unauthorized! if cannot? :read, @article
     #   end
     # 
-    # You can rescue from the exception in the controller to specify
+    # The unauthorized! method accepts an optional argument which sets the
-    # the user experience.
+    # message of the exception.
+    # 
+    # You can rescue from the exception in the controller to define the behavior.
     # 
     #   class ApplicationController < ActionController::Base
-    #     rescue_from CanCan::AccessDenied, :with => :access_denied
+    #     rescue_from CanCan::AccessDenied do |exception|
-    #   
+    #       flash[:error] = exception.message
-    #     protected
-    #   
-    #     def access_denied
-    #       flash[:error] = "Sorry, you are not allowed to access that page."
     #       redirect_to root_url
     #     end
     #   end
     # 
     # See the load_and_authorize_resource method to automatically add
     # the "unauthorized!" behavior to a RESTful controller's actions.
-    def unauthorized!
+    def unauthorized!(message = "You are not authorized to access this page.")
-      raise AccessDenied, "You are unable to access this page."
+      raise AccessDenied, message
     end
     
     # Creates and returns the current user's ability. You generally do not invoke

lib/cancan/controller_resource.rb

@@ -1,13 +1,14 @@
 module CanCan
   class ControllerResource # :nodoc:
-    def initialize(controller, name, parent = nil)
+    def initialize(controller, name, parent = nil, options = {})
       @controller = controller
       @name = name
       @parent = parent
+      @options = options
     end
     
     def model_class
-      @name.to_s.camelize.constantize
+      @options[:class] || @name.to_s.camelize.constantize
     end
     
     def find(id)

lib/cancan/resource_authorization.rb

@@ -30,14 +30,19 @@ module CanCan
     private
     
     def resource
-      @resource ||= ControllerResource.new(@controller, model_name, parent_resource)
+      @resource ||= ControllerResource.new(@controller, model_name, parent_resource, @options)
     end
     
     def parent_resource
       parent = nil
       [@options[:nested]].flatten.compact.each do |name|
+        id = @params["#{name}_id".to_sym]
+        if id
           parent = ControllerResource.new(@controller, name, parent)
-        parent.find(@params["#{name}_id".to_sym])
+          parent.find(id)
+        else
+          parent = nil
+        end
       end
       parent
     end

spec/cancan/ability_spec.rb

@@ -2,9 +2,8 @@ require File.dirname(__FILE__) + '/../spec_helper'
 
 describe CanCan::Ability do
   before(:each) do
-    @ability_class = Class.new
+    @ability = Object.new
-    @ability_class.send(:include, CanCan::Ability)
+    @ability.extend(CanCan::Ability)
-    @ability = @ability_class.new
   end
   
   it "should be able to :read anything" do
@@ -50,9 +49,7 @@ describe CanCan::Ability do
   
   it "should alias update or destroy actions to modify action" do
     @ability.alias_action :update, :destroy, :to => :modify
-    @ability.can :modify, :all do |object_class, object|
+    @ability.can(:modify, :all) { :modify_called }
-      :modify_called
-    end
     @ability.can?(:update, 123).should == :modify_called
     @ability.can?(:destroy, 123).should == :modify_called
   end
@@ -123,4 +120,16 @@ describe CanCan::Ability do
     @ability.can?(:read, 3).should be_true
     @ability.can?(:read, 123).should be_false
   end
+  
+  it "should append aliased actions" do
+    @ability.alias_action :update, :to => :modify
+    @ability.alias_action :destroy, :to => :modify
+    @ability.aliased_actions[:modify].should == [:update, :destroy]
+  end
+  
+  it "should clear aliased actions" do
+    @ability.alias_action :update, :to => :modify
+    @ability.clear_aliased_actions
+    @ability.aliased_actions[:modify].should be_nil
+  end
 end

spec/cancan/controller_additions_spec.rb

@@ -9,10 +9,16 @@ describe CanCan::ControllerAdditions do
     @controller_class.send(:include, CanCan::ControllerAdditions)
   end
   
-  it "should read from the cache with request uri as key and render that text" do
+  it "should raise access denied with default message when calling unauthorized!" do
     lambda {
       @controller.unauthorized!
-    }.should raise_error(CanCan::AccessDenied)
+    }.should raise_error(CanCan::AccessDenied, "You are not authorized to access this page.")
+  end
+  
+  it "should raise access denied with custom message when calling unauthorized!" do
+    lambda {
+      @controller.unauthorized! "Access denied!"
+    }.should raise_error(CanCan::AccessDenied, "Access denied!")
   end
   
   it "should have a current_ability method which generates an ability for the current user" do

spec/cancan/controller_resource_spec.rb

@@ -40,4 +40,10 @@ describe CanCan::ControllerResource do
     CanCan::ControllerResource.new(@controller, :ability).find(123)
     @controller.instance_variable_get(:@ability).should == :some_ability
   end
+  
+  it "should use the model class option if provided" do
+    stub(Person).find(123) { :some_resource }
+    CanCan::ControllerResource.new(@controller, :ability, nil, :class => Person).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
 end

spec/cancan/resource_authorization_spec.rb

@@ -96,4 +96,20 @@ describe CanCan::ResourceAuthorization do
     authorization.load_resource
     @controller.instance_variable_get(:@ability).should == :some_ability
   end
+  
+  it "should not load nested resource and build through this if *_id param isn't specified" do
+    stub(Person).find(456) { :some_person }
+    stub(Ability).new(nil) { :some_ability }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456}, {:nested => [:person, :behavior]})
+    authorization.load_resource
+    @controller.instance_variable_get(:@person).should == :some_person
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  
+  it "should load the model using a custom class" do
+    stub(Person).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => Person})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
 end