Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Newer
Older
100644 214 lines (203 sloc) 7.711 kb
44b36ce @ryanb adding controller additions with basic behavior.
authored
1 module CanCan
dfd84a1 @ryanb improving inline documentation
authored
2
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
3 # This module is automatically included into all controllers.
4 # It also makes the "can?" and "cannot?" methods available to all views.
44b36ce @ryanb adding controller additions with basic behavior.
authored
5 module ControllerAdditions
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
6 module ClassMethods
ffa677b @ryanb Don't set resource instance variable if it has been set already - clo…
authored
7 # Sets up a before filter which loads and authorizes the current resource. This performs both
8 # load_resource and authorize_resource and accepts the same arguments. See those methods for details.
dfd84a1 @ryanb improving inline documentation
authored
9 #
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
10 # class BooksController < ApplicationController
11 # load_and_authorize_resource
12 # end
dfd84a1 @ryanb improving inline documentation
authored
13 #
94e031b @ryanb Pass :only and :except options to before filters for load/authorize r…
authored
14 def load_and_authorize_resource(options = {})
23a5888 @ryanb renaming :class option to :resource for load_and_authorize_resource w…
authored
15 ResourceAuthorization.add_before_filter(self, :load_and_authorize_resource, options)
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
16 end
dfd84a1 @ryanb improving inline documentation
authored
17
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
18 # Sets up a before filter which loads the appropriate model resource into an instance variable.
19 # For example, given an ArticlesController it will load the current article into the @article
20 # instance variable. It does this by either calling Article.find(params[:id]) or
21 # Article.new(params[:article]) depending upon the action. It does nothing for the "index"
22 # action.
dfd84a1 @ryanb improving inline documentation
authored
23 #
ffa677b @ryanb Don't set resource instance variable if it has been set already - clo…
authored
24 # Call this method directly on the controller class.
dfd84a1 @ryanb improving inline documentation
authored
25 #
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
26 # class BooksController < ApplicationController
27 # load_resource
28 # end
dfd84a1 @ryanb improving inline documentation
authored
29 #
ffa677b @ryanb Don't set resource instance variable if it has been set already - clo…
authored
30 # A resource is not loaded if the instance variable is already set. This makes it easy to override
31 # the behavior through a before_filter on certain actions.
dfd84a1 @ryanb improving inline documentation
authored
32 #
ffa677b @ryanb Don't set resource instance variable if it has been set already - clo…
authored
33 # class BooksController < ApplicationController
34 # before_filter :find_book_by_permalink, :only => :show
35 # load_resource
36 #
37 # private
38 #
39 # def find_book_by_permalink
40 # @book = Book.find_by_permalink!(params[:id)
41 # end
42 # end
dfd84a1 @ryanb improving inline documentation
authored
43 #
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
44 # See load_and_authorize_resource to automatically authorize the resource too.
dfd84a1 @ryanb improving inline documentation
authored
45 #
63634b4 @ryanb Adding :collection and :new options to load_resource method so we can…
authored
46 # Options:
94e031b @ryanb Pass :only and :except options to before filters for load/authorize r…
authored
47 # [:+only+]
48 # Only applies before filter to given actions.
dfd84a1 @ryanb improving inline documentation
authored
49 #
94e031b @ryanb Pass :only and :except options to before filters for load/authorize r…
authored
50 # [:+except+]
51 # Does not apply before filter to given actions.
dfd84a1 @ryanb improving inline documentation
authored
52 #
cd217eb @ryanb adding :nested option for load_resource - closes #10
authored
53 # [:+nested+]
54 # Specify which resource this is nested under.
dfd84a1 @ryanb improving inline documentation
authored
55 #
cd217eb @ryanb adding :nested option for load_resource - closes #10
authored
56 # load_resource :nested => :author
dfd84a1 @ryanb improving inline documentation
authored
57 #
a75aee7 @ryanb Allowing :nested option to accept an array for deep nesting
authored
58 # Deep nesting can be defined in an array.
dfd84a1 @ryanb improving inline documentation
authored
59 #
a75aee7 @ryanb Allowing :nested option to accept an array for deep nesting
authored
60 # load_resource :nested => [:publisher, :author]
dfd84a1 @ryanb improving inline documentation
authored
61 #
2a3dd85 @ryanb adding :name option to load_and_authorize_resource if it does not mat…
authored
62 # [:+name+]
63 # The name of the resource if it cannot be determined from controller (string or symbol).
64 #
65 # load_resource :name => :article
66 #
23a5888 @ryanb renaming :class option to :resource for load_and_authorize_resource w…
authored
67 # [:+resource+]
68 # The class to use for the model (string or constant).
dfd84a1 @ryanb improving inline documentation
authored
69 #
63634b4 @ryanb Adding :collection and :new options to load_resource method so we can…
authored
70 # [:+collection+]
71 # Specify which actions are resource collection actions in addition to :+index+. This
72 # is usually not necessary because it will try to guess depending on if an :+id+
73 # is present in +params+.
dfd84a1 @ryanb improving inline documentation
authored
74 #
63634b4 @ryanb Adding :collection and :new options to load_resource method so we can…
authored
75 # load_resource :collection => [:sort, :list]
dfd84a1 @ryanb improving inline documentation
authored
76 #
63634b4 @ryanb Adding :collection and :new options to load_resource method so we can…
authored
77 # [:+new+]
78 # Specify which actions are new resource actions in addition to :+new+ and :+create+.
79 # Pass an action name into here if you would like to build a new resource instead of
80 # fetch one.
dfd84a1 @ryanb improving inline documentation
authored
81 #
63634b4 @ryanb Adding :collection and :new options to load_resource method so we can…
authored
82 # load_resource :new => :build
dfd84a1 @ryanb improving inline documentation
authored
83 #
94e031b @ryanb Pass :only and :except options to before filters for load/authorize r…
authored
84 def load_resource(options = {})
23a5888 @ryanb renaming :class option to :resource for load_and_authorize_resource w…
authored
85 ResourceAuthorization.add_before_filter(self, :load_resource, options)
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
86 end
dfd84a1 @ryanb improving inline documentation
authored
87
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
88 # Sets up a before filter which authorizes the current resource using the instance variable.
89 # For example, if you have an ArticlesController it will check the @article instance variable
90 # and ensure the user can perform the current action on it. Under the hood it is doing
91 # something like the following.
dfd84a1 @ryanb improving inline documentation
authored
92 #
8903fee @ryanb removing unauthorized! in favor of authorize! and including more info…
authored
93 # authorize!(params[:action].to_sym, @article || Article)
dfd84a1 @ryanb improving inline documentation
authored
94 #
ffa677b @ryanb Don't set resource instance variable if it has been set already - clo…
authored
95 # Call this method directly on the controller class.
dfd84a1 @ryanb improving inline documentation
authored
96 #
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
97 # class BooksController < ApplicationController
98 # authorize_resource
99 # end
dfd84a1 @ryanb improving inline documentation
authored
100 #
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
101 # See load_and_authorize_resource to automatically load the resource too.
dfd84a1 @ryanb improving inline documentation
authored
102 #
94e031b @ryanb Pass :only and :except options to before filters for load/authorize r…
authored
103 # Options:
104 # [:+only+]
105 # Only applies before filter to given actions.
dfd84a1 @ryanb improving inline documentation
authored
106 #
94e031b @ryanb Pass :only and :except options to before filters for load/authorize r…
authored
107 # [:+except+]
108 # Does not apply before filter to given actions.
dfd84a1 @ryanb improving inline documentation
authored
109 #
2a3dd85 @ryanb adding :name option to load_and_authorize_resource if it does not mat…
authored
110 # [:+name+]
111 # The name of the resource if it cannot be determined from controller (string or symbol).
112 #
113 # load_resource :name => :article
114 #
23a5888 @ryanb renaming :class option to :resource for load_and_authorize_resource w…
authored
115 # [:+resource+]
116 # The class to use for the model (string or constant). Alternatively pass a symbol
117 # to represent a resource which does not have a class.
dfd84a1 @ryanb improving inline documentation
authored
118 #
94e031b @ryanb Pass :only and :except options to before filters for load/authorize r…
authored
119 def authorize_resource(options = {})
23a5888 @ryanb renaming :class option to :resource for load_and_authorize_resource w…
authored
120 ResourceAuthorization.add_before_filter(self, :authorize_resource, options)
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
121 end
122 end
dfd84a1 @ryanb improving inline documentation
authored
123
44b36ce @ryanb adding controller additions with basic behavior.
authored
124 def self.included(base)
a5f9882 @ryanb turning load and authorize resource methods into class methods which …
authored
125 base.extend ClassMethods
0f49b54 @ryanb adding 'cannot?' method which performs opposite check of 'can?' - clo…
authored
126 base.helper_method :can?, :cannot?
44b36ce @ryanb adding controller additions with basic behavior.
authored
127 end
dfd84a1 @ryanb improving inline documentation
authored
128
8903fee @ryanb removing unauthorized! in favor of authorize! and including more info…
authored
129 # Raises a CanCan::AccessDenied exception if the current_ability cannot
130 # perform the given action. This is usually called in a controller action or
131 # before filter to perform the authorization.
dfd84a1 @ryanb improving inline documentation
authored
132 #
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
133 # def show
134 # @article = Article.find(params[:id])
8903fee @ryanb removing unauthorized! in favor of authorize! and including more info…
authored
135 # authorize! :read, @article
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
136 # end
dfd84a1 @ryanb improving inline documentation
authored
137 #
8903fee @ryanb removing unauthorized! in favor of authorize! and including more info…
authored
138 # A :message option can be passed to specify a different message.
dfd84a1 @ryanb improving inline documentation
authored
139 #
8903fee @ryanb removing unauthorized! in favor of authorize! and including more info…
authored
140 # authorize! :read, @article, :message => "Not authorized to read #{@article.name}"
dfd84a1 @ryanb improving inline documentation
authored
141 #
8903fee @ryanb removing unauthorized! in favor of authorize! and including more info…
authored
142 # You can rescue from the exception in the controller to customize how unauthorized
143 # access is displayed to the user.
dfd84a1 @ryanb improving inline documentation
authored
144 #
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
145 # class ApplicationController < ActionController::Base
ef22de6 @ryanb adding custom message argument to unauthorized! method - closes #18
authored
146 # rescue_from CanCan::AccessDenied do |exception|
147 # flash[:error] = exception.message
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
148 # redirect_to root_url
149 # end
150 # end
dfd84a1 @ryanb improving inline documentation
authored
151 #
8903fee @ryanb removing unauthorized! in favor of authorize! and including more info…
authored
152 # See the CanCan::AccessDenied exception for more details on working with the exception.
dfd84a1 @ryanb improving inline documentation
authored
153 #
8903fee @ryanb removing unauthorized! in favor of authorize! and including more info…
authored
154 # See the load_and_authorize_resource method to automatically add the authorize! behavior
155 # to the default RESTful actions.
156 def authorize!(action, subject, *args)
157 message = nil
158 if args.last.kind_of?(Hash) && args.last.has_key?(:message)
159 message = args.pop[:message]
160 end
161 raise AccessDenied.new(message, action, subject) if cannot?(action, subject, *args)
162 end
dfd84a1 @ryanb improving inline documentation
authored
163
8903fee @ryanb removing unauthorized! in favor of authorize! and including more info…
authored
164 def unauthorized!(message = nil)
165 raise ImplementationRemoved, "The unauthorized! method has been removed from CanCan, use authorize! instead."
44b36ce @ryanb adding controller additions with basic behavior.
authored
166 end
dfd84a1 @ryanb improving inline documentation
authored
167
ef5900c @ryanb adding caching to current_ability class method, if you're overriding …
authored
168 # Creates and returns the current user's ability and caches it. If you
169 # want to override how the Ability is defined then this is the place.
170 # Just define the method in the controller to change behavior.
dfd84a1 @ryanb improving inline documentation
authored
171 #
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
172 # def current_ability
ef5900c @ryanb adding caching to current_ability class method, if you're overriding …
authored
173 # # instead of Ability.new(current_user)
174 # @current_ability ||= UserAbility.new(current_account)
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
175 # end
dfd84a1 @ryanb improving inline documentation
authored
176 #
ef5900c @ryanb adding caching to current_ability class method, if you're overriding …
authored
177 # Notice it is important to cache the ability object so it is not
178 # recreated every time.
44b36ce @ryanb adding controller additions with basic behavior.
authored
179 def current_ability
ef5900c @ryanb adding caching to current_ability class method, if you're overriding …
authored
180 @current_ability ||= ::Ability.new(current_user)
baeef0b @ryanb adding conditions behavior to Ability#can and fetch with Ability#cond…
authored
181 end
dfd84a1 @ryanb improving inline documentation
authored
182
5bd1a85 @ryanb little fixes to inline documentation (rdocs)
authored
183 # Use in the controller or view to check the user's permission for a given action
184 # and object.
dfd84a1 @ryanb improving inline documentation
authored
185 #
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
186 # can? :destroy, @project
dfd84a1 @ryanb improving inline documentation
authored
187 #
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
188 # You can also pass the class instead of an instance (if you don't have one handy).
dfd84a1 @ryanb improving inline documentation
authored
189 #
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
190 # <% if can? :create, Project %>
191 # <%= link_to "New Project", new_project_path %>
192 # <% end %>
dfd84a1 @ryanb improving inline documentation
authored
193 #
5bd1a85 @ryanb little fixes to inline documentation (rdocs)
authored
194 # This simply calls "can?" on the current_ability. See Ability#can?.
44b36ce @ryanb adding controller additions with basic behavior.
authored
195 def can?(*args)
ef5900c @ryanb adding caching to current_ability class method, if you're overriding …
authored
196 current_ability.can?(*args)
44b36ce @ryanb adding controller additions with basic behavior.
authored
197 end
dfd84a1 @ryanb improving inline documentation
authored
198
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
199 # Convenience method which works the same as "can?" but returns the opposite value.
dfd84a1 @ryanb improving inline documentation
authored
200 #
b9227eb @ryanb adding a lot of inline documentation to code for rdocs
authored
201 # cannot? :destroy, @project
dfd84a1 @ryanb improving inline documentation
authored
202 #
0f49b54 @ryanb adding 'cannot?' method which performs opposite check of 'can?' - clo…
authored
203 def cannot?(*args)
ef5900c @ryanb adding caching to current_ability class method, if you're overriding …
authored
204 current_ability.cannot?(*args)
0f49b54 @ryanb adding 'cannot?' method which performs opposite check of 'can?' - clo…
authored
205 end
44b36ce @ryanb adding controller additions with basic behavior.
authored
206 end
207 end
208
aaed265 @ryanb turning into a funtioning Rails plugin
authored
209 if defined? ActionController
210 ActionController::Base.class_eval do
211 include CanCan::ControllerAdditions
212 end
1edf583 @ryanb BACKWARDS INCOMPATIBLE: use Ability#initialize instead of 'prepare' t…
authored
213 end
Something went wrong with that request. Please try again.