Finish auth! method and implement in the subscriptions controller.

concerto · Jul 7, 2012 · 4d8cb2f · 4d8cb2f
1 parent 867f481
commit 4d8cb2f
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -32,7 +32,10 @@ def check_for_initial_install
     redirect_to root_url, :flash => { :notice => exception.message }
   end
 
-  def auth
+  def auth!(options = {})
+    # action
+    # object
+    # allow_empty
     action_map = {
       'index' => :read,
       'show' => :read,
@@ -43,14 +46,16 @@ def auth
       'destroy' => :destroy,
     }
 
+    test_action = (options[:action] || action_map[action_name])
+    allow_empty = (options[:allow_empty] || true)
+
     var_name = controller_name
     if action_name != 'index'
       var_name = controller_name.singularize
     end
-    object = instance_variable_get("@#{var_name}")
+    object = (options[:object] || instance_variable_get("@#{var_name}"))
 
-    test_action = action_map[action_name]
-    if object.is_a? Enumerable
+    if allow_empty && (object.is_a? Enumerable)
       object.delete_if {|o| cannot?(test_action, o)}
     else
       if cannot?(test_action, object)

diff --git a/app/controllers/subscriptions_controller.rb b/app/controllers/subscriptions_controller.rb
@@ -1,5 +1,4 @@
 class SubscriptionsController < ApplicationController
-  load_and_authorize_resource :except => [:new]
   before_filter :get_screen
 
   def get_screen
@@ -10,6 +9,7 @@ def get_screen
   # GET /screen/:screen_id/subscriptions.xml
   def index
     @subscriptions = @screen.subscriptions.all
+    auth!
 
     respond_to do |format|
       format.html # index.html.erb
@@ -31,6 +31,7 @@ def manage
   # GET /screen/:screen_id/subscriptions/1.xml
   def show
     @subscription = Subscription.find(params[:id])
+    auth!
 
     respond_to do |format|
       format.html # show.html.erb
@@ -44,7 +45,7 @@ def new
     @subscription = Subscription.new
     @subscription.screen = @screen
     @subscription.field = @field
-    auth
+    auth!
     respond_to do |format|
       format.html # new.html.erb
       format.xml  { render :xml => @subscription }
@@ -54,6 +55,7 @@ def new
   # GET /screen/:screen_id/subscriptions/1/edit
   def edit
     @subscription = Subscription.find(params[:id])
+    auth!
   end
 
   # POST /screen/:screen_id/subscriptions
@@ -62,6 +64,7 @@ def create
     @subscription = Subscription.new(params[:subscription])
     @subscription.screen = @screen
     @subscription.field = @field
+    auth!
 
     respond_to do |format|
       if @subscription.save
@@ -78,6 +81,7 @@ def create
   # PUT /screen/:screen_id/subscriptions/1.xml
   def update
     @subscription = Subscription.find(params[:id])
+    auth!
 
     respond_to do |format|
       if @subscription.update_attributes(params[:subscription])
@@ -94,6 +98,7 @@ def update
   # DELETE /screen/:screen_id/subscriptions/1.xml
   def destroy
     @subscription = Subscription.find(params[:id])
+    auth!
     @subscription.destroy
 
     respond_to do |format|

diff --git a/test/unit/abilities/user/subscription_test.rb b/test/unit/abilities/user/subscription_test.rb
@@ -12,10 +12,10 @@ def setup
 
   test "Screen user owner all access" do
     ability = Ability.new(@katie)
-    assert ability.can?(:create, Subscription)
+    @subscription.screen = @kt_screen
+    assert ability.can?(:create, @subscription)
 
     abilities = [:update, :delete, :read]
-    @subscription.screen = @kt_screen
     abilities.each do |action|
       assert ability.can?(action, @subscription)
     end
@@ -28,10 +28,10 @@ def setup
 
   test "Screen group owner all access" do
     ability = Ability.new(@katie)
+    @subscription.screen = @wtg_screen
     assert ability.can?(:create, @subscription)
 
     abilities = [:update, :delete, :read]
-    @subscription.screen = @wtg_screen
     abilities.each do |action|
       assert ability.can?(action, @subscription)
     end