@@ -12,6 +12,21 @@ module Authorization DEFAULT_DENY = false + # If attribute_check is set for filter_access_to, decl_auth will try to + # load the appropriate object from the current controller's model with + # the id from params[:id]. If that fails, a 404 Not Found is often the + # right way to handle the error. If you have additional measures in place + # that restricts the find scope, handling this error as a permission denied + # might be a better way. Set failed_auto_loading_is_not_found to false + # for the latter behaviour. + @@failed_auto_loading_is_not_found = true + def self.failed_auto_loading_is_not_found? + @@failed_auto_loading_is_not_found + end + def self.failed_auto_loading_is_not_found= (new_value) + @@failed_auto_loading_is_not_found = new_value + end + # Returns the Authorization::Engine for the current controller. def authorization_engine @authorization_engine ||= Authorization::Engine.instance @@ -548,19 +563,12 @@ module Authorization context = @context || contr.class.controller_name.to_sym object = @attribute_check ? load_object(contr, context) : nil privilege = @privilege || :"#{contr.action_name}" - - #puts "Trying permit?(#{privilege.inspect}, " - #puts " :user => #{contr.send(:current_user).inspect}, " - #puts " :object => #{object.inspect}," - #puts " :skip_attribute_test => #{!@attribute_check}," - #puts " :context => #{contr.class.controller_name.pluralize.to_sym})" - res = contr.authorization_engine.permit!(privilege, + + contr.authorization_engine.permit!(privilege, :user => contr.send(:current_user), :object => object, :skip_attribute_test => !@attribute_check, :context => context) - #puts "permit? result: #{res.inspect}" - res end def remove_actions (actions) @@ -581,12 +589,12 @@ module Authorization unless object begin object = load_object_model.find(contr.params[:id]) - rescue ActiveRecord::RecordNotFound, RuntimeError + rescue RuntimeError => e contr.logger.debug("filter_access_to tried to find " + - "#{load_object_model.inspect} from params[:id] " + + "#{load_object_model} from params[:id] " + "(#{contr.params[:id].inspect}), because attribute_check is enabled " + - "and #{instance_var.to_s} isn't set.") - raise + "and #{instance_var.to_s} isn't set, but failed: #{e.class.name}: #{e}") + raise if AuthorizationInController.failed_auto_loading_is_not_found? end contr.instance_variable_set(instance_var, object) end lib/declarative_authorization/in_controller.rb @@ -254,6 +254,13 @@ class LoadObjectControllerTest < ActionController::TestCase assert_raise RuntimeError, "No id param supplied" do request!(MockUser.new(:test_role), "show", reader) end + + Authorization::AuthorizationInController.failed_auto_loading_is_not_found = false + assert_nothing_raised "Load error is only logged" do + request!(MockUser.new(:test_role), "show", reader) + end + assert !@controller.authorized? + Authorization::AuthorizationInController.failed_auto_loading_is_not_found = true end def test_filter_access_with_object_load_custom test/controller_test.rb f40acbdc1a24df3031fdac2cfcad552d9143266a Steffen Bartsch sbartsch@tzi.org http://github.com/stffn/declarative_authorization/commit/3ca12e34a8eadc1d775cfc7ecc76b40853052829 3ca12e34a8eadc1d775cfc7ecc76b40853052829 2009-11-06T01:55:21-08:00 2009-11-06T01:17:50-08:00 Added option on handling non-existant auto-loaded object 54a4f2b686ce5991e75994d3775056dabb0263cd Steffen Bartsch sbartsch@tzi.org