Authority does its best to use semantic versioning.
Bugfix for Rails 3.1 - apparently its class_attribute
method stepped on instance methods even when given :instance_reader => false
Bugfix - make authority_resource
inheritable. For instance, if you call authorize_actions_for Llama
in one controller, a child controller does the same unless told otherwise.
The controller method name given to authorize_actions_for
no longer has to be public. (We don't want to force controllers to make any method public that shouldn't be a routable action.)
Controller method authorize_actions_for
can now be given a method name to dynamically determine the class to authorize. For example, authorize_actions_for :model_class
will call the model_class
method on the controller instance at request time.
- Updated
can?
to only pass options if it was given options.
- Had second thought and reworked
can?(:action)
to callApplication_authorizer.authorizes_to_#{action}?
. Ensured it's backwards compatible for the few people who started using this in the last day or so.
- Added generic
current_user.can?(:mimic_lemurs)
for cases where there is no resource to work with. This calls a corresponding class method onApplicationAuthorizer
, likeApplicationAuthorizer.can_mimic_lemurs?
. - Renamed
authority_action
toauthority_actions
(plural) to reflect the fact that you can set multiple actions at once. Use of the old method will raise a deprecation warning. - Lots of test cleanup so that test output is clearer - run rspec with
--format doc --order default
to see it.
Allow passing options hash to authorize_action_for
, like authorize_action_for(@llama, :sporting => @hat_style)
.
Allow passing options hash, like current_user.can_create?(Comment, :for => @post)
.
Documentation and test cleanup.
- Breaking change: models now assume their authorizer is
ApplicationAuthorizer
unless told otherwise. Generator creates a blankApplicationAuthorizer
. This, combined with the change in v1.1.0, makes thedefault_strategy
proc obsolete in favor of straightforward inheritance of adefault
method, so support forconfig.default_strategy
is removed. - Added accessors to
Authority::SecurityViolation
for user, action and resource, for use in custom security violation handlers.
- Added
Authority::Authorizer.default
class method which is called before thedefault_strategy
proc and delegates to that proc. This can be overridden per authorizer.
- Added
config.security_violation_handler
so users can specify which controller method to use when rescuingSecurityViolation
s - Removed generator to make blank authorizers. On further consideration, one authorizer per model is counterproductive for most use cases, and I'd rather not encourage misuse.
Added generator to make blank authorizers. See rails g authority:authorizers --help
.
- Rename controller methods (again):
authorize_actions_on
=>authorize_actions_for
authorize_action_on
=>authorize_action_for
- Cleaned up
authorize_action_for
to only accept aresource
argument (the current user is determined byauthority_user
)
Rename controller methods:
check_authorization_on
=>authorize_actions_on
check_authorization_for
=>authorize_action_on
- Renamed
config.authority_actions
toconfig.controller_action_map
.
Initial release (basically)