This repository has been archived by the owner on Nov 19, 2019. It is now read-only.

Commit
authorize_action_for only passes non-blank options
Nathan Long committed Oct 2, 2012
1 parent b37c2b9 commit ac3482a
Showing 3 changed files with 23 additions and 10 deletions.
11 changes: 7 additions & 4 deletions lib/authority.rb
Expand Up @@ -30,10 +30,13 @@ def self.adjectives
# @raise [SecurityViolation] if user is not allowed to perform action on resource
# @return [Model] resource instance
def self.enforce(action, resource, user, *options)
action_authorized = user.send("can_#{action}?", resource, Hash[*options])
unless action_authorized
raise SecurityViolation.new(user, action, resource)
end
action_authorized = if options.empty?
user.send("can_#{action}?", resource)
else
user.send("can_#{action}?", resource, Hash[*options])
end
raise SecurityViolation.new(user, action, resource) unless action_authorized

resource
end

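Review bot: `Hash[*options]` in the else branch of the new `action_authorized` assignment only behaves when the caller passes key/value pairs or exactly one hash; two or more hashes, or an odd number of bare values, raise `ArgumentError` from inside the authorization check instead of a clear usage error. Consider accepting a plain trailing `options = {}` parameter and passing it through unchanged, so the `options.empty?` test and the `can_#{action}?` call both operate on a hash. Separately, `user.send("can_#{action}?", ...)` will dispatch to a private method if one happens to match the interpolated name; `public_send` restricts the check to the user model's public authorization API.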
2 changes: 1 addition & 1 deletion spec/authority/controller_spec.rb
Expand Up @@ -95,7 +95,7 @@
@controller.send(:run_authorization_check)
end

it "should pass the options provided to `authorize_actions_for` downstream" do
it "should pass the options provided to `authorize_action_for` downstream" do
@controller.stub!(:action_name).and_return(:destroy)
Authority.should_receive(:enforce).with('delete', ExampleModel, @user, :for => 'context')
@controller.send(:authorize_action_for, ExampleModel, :for => 'context')
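Review bot: The renamed example now matches the method it exercises (`authorize_action_for`), but it still covers only the with-options path: `Authority.should_receive(:enforce).with('delete', ExampleModel, @user, :for => 'context')`. Since `Authority.enforce` now branches on whether options were supplied, add a sibling example asserting that `authorize_action_for(ExampleModel)` calls `enforce` with exactly `('delete', ExampleModel, @user)`, so the controller cannot silently pass an empty hash that selects the options branch.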
20 changes: 15 additions & 5 deletions spec/authority_spec.rb
Expand Up @@ -44,13 +44,23 @@
@user = User.new
end

it "should pass options given through to the user auth ability" do
options = { :for => 'context' }
describe "if given options" do

# Stub with explicit args serves an expectation role here; also avoids adding deletable_by?
@user.stub!(:can_delete?).with(ExampleModel, options).and_return(true)
it "should check the user's authorization, passing along the options" do
options = { :for => 'context' }
@user.should_receive(:can_delete?).with(ExampleModel, options).and_return(true)
Authority.enforce(:delete, ExampleModel, @user, options)
end

end

describe "if not given options" do

it "should check the user's authorization, passing no options" do
@user.should_receive(:can_delete?).with(ExampleModel).and_return(true)
Authority.enforce(:delete, ExampleModel, @user)
end

Authority.enforce(:delete, ExampleModel, @user, options)
end

it "should raise a SecurityViolation if the action is unauthorized" do
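Review bot: Both new `describe` blocks verify the allow path only; the `should_receive(...).and_return(true)` expectations confirm which arguments reach `can_delete?`, but neither checks that a `false` or `nil` return in its branch of `enforce` still raises. The pre-existing `it "should raise a SecurityViolation if the action is unauthorized"` example that follows sits outside both blocks, so whichever call shape it uses, the other branch has no denial test; consider giving each `describe` its own unauthorized case so a regression in either branch cannot pass silently. Minor style: the blank lines directly inside each `describe`, before the first `it` and after the last `end`, can go.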

2 comments on commit ac3482a

@nathanl nathanl commented on ac3482a Oct 2, 2012

Whoops, incorrect commit message! Should have said enforce, not authorize_action_for. Well, you can't change history on a public repo, as my dad always told me.

@nathanl nathanl commented on ac3482a Oct 2, 2012

"Son", he said, taking me onto his knee when I was just a little shaver, "you can't change history on a public repo."

"What are you talking about, Dad?" I said. "What's a repo?"

"You just can't, boy!" he said. "Always remember that. Someday they'll invent a thing called Git, and there will be a hub for it. Don't go changing the Githubs and confusing people's histories."

I thought he was crazy, but then, I had a lot of growing up to do.
