Skip to content
Browse files

`authorize_action_for` only passes non-blank options

  • Loading branch information...
1 parent b37c2b9 commit ac3482ab80e5f9d1806409df9ebf9880196d487b Nathan Long committed Oct 2, 2012
Showing with 23 additions and 10 deletions.
  1. +7 −4 lib/authority.rb
  2. +1 −1 spec/authority/controller_spec.rb
  3. +15 −5 spec/authority_spec.rb
View
11 lib/authority.rb
@@ -30,10 +30,13 @@ def self.adjectives
# @raise [SecurityViolation] if user is not allowed to perform action on resource
# @return [Model] resource instance
def self.enforce(action, resource, user, *options)
- action_authorized = user.send("can_#{action}?", resource, Hash[*options])
- unless action_authorized
- raise SecurityViolation.new(user, action, resource)
- end
+ action_authorized = if options.empty?
+ user.send("can_#{action}?", resource)
+ else
+ user.send("can_#{action}?", resource, Hash[*options])
+ end
+ raise SecurityViolation.new(user, action, resource) unless action_authorized
+
resource
end
View
2 spec/authority/controller_spec.rb
@@ -95,7 +95,7 @@
@controller.send(:run_authorization_check)
end
- it "should pass the options provided to `authorize_actions_for` downstream" do
+ it "should pass the options provided to `authorize_action_for` downstream" do
@controller.stub!(:action_name).and_return(:destroy)
Authority.should_receive(:enforce).with('delete', ExampleModel, @user, :for => 'context')
@controller.send(:authorize_action_for, ExampleModel, :for => 'context')
View
20 spec/authority_spec.rb
@@ -44,13 +44,23 @@
@user = User.new
end
- it "should pass options given through to the user auth ability" do
- options = { :for => 'context' }
+ describe "if given options" do
- # Stub with explicit args serves an expectation role here; also avoids adding deletable_by?
- @user.stub!(:can_delete?).with(ExampleModel, options).and_return(true)
+ it "should check the user's authorization, passing along the options" do
+ options = { :for => 'context' }
+ @user.should_receive(:can_delete?).with(ExampleModel, options).and_return(true)
+ Authority.enforce(:delete, ExampleModel, @user, options)
+ end
+
+ end
+
+ describe "if not given options" do
+
+ it "should check the user's authorization, passing no options" do
+ @user.should_receive(:can_delete?).with(ExampleModel).and_return(true)
+ Authority.enforce(:delete, ExampleModel, @user)
+ end
- Authority.enforce(:delete, ExampleModel, @user, options)
end
it "should raise a SecurityViolation if the action is unauthorized" do

2 comments on commit ac3482a

@nathanl
Owner
nathanl commented on ac3482a Oct 2, 2012

Whoops, incorrect commit message! Should have said enforce, not authorize_action_for. Well, you can't change history on a public repo, as my dad always told me.

@nathanl
Owner
nathanl commented on ac3482a Oct 2, 2012

"Son", he said, taking me onto his knee when I was just a little shaver, "you can't change history on a public repo."

"What are you talking about, Dad?" I said. "What's a repo?"

"You just can't, boy!" he said. "Always remember that. Someday they'll invent a thing called Git, and there will be a hub for it. Don't go changing the Githubs and confusing people's histories."

I thought he was crazy, but then, I had a lot of growing up to do.

Please sign in to comment.
Something went wrong with that request. Please try again.