1f7e4c8b6b
Given two models Category and Projects. A Category has_many projects and Project belongs_to a category. Furthermore, projects are shallow nested resources in a category.

Let's say that a user can edit certain category's projects (and only one category can be edited by each user [1]); this is expressed with the following line in the Ability model:

```ruby
can :new, :projects, category_id: user.category_id
```

Given the old implementation, we get that any user can 'new' (though not 'create') a project in any category:

```ruby
def assign_attributes(resource)
  # Parent is assigned first (only for singleton resources)...
  resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
  # ...then the ability's conditions are applied and can overwrite it.
  initial_attributes.each do |attr_name, value|
    resource.send("#{attr_name}=", value)
  end
  resource
end
```

In this case, category_id in project would get overwritten inside the initial_attributes loop and authorization would pass. I consider this a buggy behaviour.

[1] User belongs_to a category, and a Category has many users. On the other hand, there might be users without any category.

Conflicts:
	spec/cancan/controller_resource_spec.rb
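The overwrite described in the commit message, reduced to a runnable stand-in so the ordering problem can be seen without Rails. This is an added example, not CanCan's code: the `Project` struct, the method names and the "hardened" ordering are assumptions for illustration, not the project's actual fix.

```ruby
# Constructed stand-in for the pieces involved: a project record, the
# conditions the Ability hands back for :new, and two orderings of
# assign_attributes. Names and structure are assumptions, not CanCan's code.
Project = Struct.new(:category_id)

# What `can :new, :projects, category_id: user.category_id` yields as
# initial attributes for a user in category user_category_id.
def attributes_for_new(user_category_id)
  { category_id: user_category_id }
end

# Old ordering: the parent's foreign key (set by building through the
# parent, or by the singleton assignment) is applied first, then the
# ability's initial attributes overwrite it.
def assign_attributes_old(resource, parent_category_id, initial_attributes)
  resource.category_id = parent_category_id
  initial_attributes.each { |attr, value| resource.send("#{attr}=", value) }
  resource
end

# Hardened ordering (illustration only): initial attributes go first and the
# parent's foreign key is applied last, so the record keeps the category
# that was actually requested and the authorization check sees it.
def assign_attributes_hardened(resource, parent_category_id, initial_attributes)
  initial_attributes.each { |attr, value| resource.send("#{attr}=", value) }
  resource.category_id = parent_category_id
  resource
end

# The rule `category_id: user.category_id` matched against the built record.
def authorized_new?(resource, user_category_id)
  resource.category_id == user_category_id
end

# Scenario: the user belongs to category 3 but requests
# /categories/5/projects/new. Returns the resulting category_id and verdict.
def simulate(variant, user_category_id: 3, requested_category_id: 5)
  attrs = attributes_for_new(user_category_id)
  resource = send(variant, Project.new, requested_category_id, attrs)
  { category_id: resource.category_id,
    authorized: authorized_new?(resource, user_category_id) }
end
```

With the old ordering the record ends up in category 3 and `:new` is authorized for category 5's URL; with the parent applied last the record stays in category 5 and the check fails unless the user actually belongs to that category.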
= CanCan Specs

== Running the specs

To run the specs first run the +bundle+ command to install the necessary gems and the +rake+ command to run the specs.

  bundle
  rake

The specs currently require Ruby 1.8.7. Ruby 1.9.2 support will be coming soon.

== Model Adapters

CanCan offers separate specs for different model adapters (such as Mongoid and Data Mapper). By default it will use Active Record but you can change this by setting the +MODEL_ADAPTER+ environment variable before running. You can run the +bundle+ command with this as well to ensure you have the installed gems.

  MODEL_ADAPTER=data_mapper bundle
  MODEL_ADAPTER=data_mapper rake

The different model adapters you can specify are:

* active_record (default)
* data_mapper
* mongoid

You can also run the +spec_all+ rake task to run specs for each adapter.

  rake spec_all