
should not allow to can? when raw sql without block is present

1 parent 1f81b8d commit 12037d7f43c081c5de238942dc1bac5ecf12b4c7 @funny-falcon funny-falcon committed with Sep 24, 2010
@@ -54,7 +54,7 @@ module Ability
#
# Also see the RSpec Matchers to aid in testing.
def can?(action, subject, *extra_args)
- match = relevant_can_definitions(action, subject).detect do |can_definition|
+ match = relevant_can_definitions_for_match(action, subject).detect do |can_definition|
can_definition.matches_conditions?(action, subject, extra_args)
end
match ? match.base_behavior : false
@@ -224,6 +224,10 @@ def attributes_for(action, subject)
def has_block?(action, subject)
relevant_can_definitions(action, subject).any?(&:only_block?)
end
+
+ def has_raw_sql?(action, subject)
+ relevant_can_definitions(action, subject).any?(&:only_raw_sql?)
+ end
private
@@ -267,6 +271,14 @@ def relevant_can_definitions(action, subject)
can_definition.relevant? action, subject
end
end
+
+ def relevant_can_definitions_for_match(action, subject)
+ relevant_can_definitions(action, subject).each do |can_definition|
+ if can_definition.only_raw_sql?
+ raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+ end
+ end
+ end
def relevant_can_definitions_for_query(action, subject)
relevant_can_definitions(action, subject).each do |can_definition|
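Review bot: The exception raised inside `relevant_can_definitions_for_match` interpolates `subject.inspect`, and when `subject` is a model instance that typically dumps every attribute value into the message, so a misconfigured rule ends up pushing record contents (possibly sensitive columns) into logs and error trackers. Since the message only needs to identify the rule, naming the subject by class is enough: `raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.is_a?(Class) ? subject : subject.class}"`. Raising rather than silently returning false is the right fail-closed choice here, but it deserves a comment because the loop raises for any raw-SQL rule in the relevant set, even one a later `can` would have shadowed: `# Fail closed: a raw-SQL rule anywhere in the relevant set makes can? undecidable, so refuse rather than guess.` The public `has_raw_sql?` above also lacks the one-line doc that its neighbours appear to have; `# Returns true if any relevant rule carries only non-Hash (SQL) conditions and therefore cannot be evaluated by can?.` would do. The `relevant_can_definitions_for_query` definition that follows continues outside the hunk.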
@@ -55,6 +55,10 @@ def tableized_conditions(conditions = @conditions)
def only_block?
conditions_empty? && !@block.nil?
end
+
+ def only_raw_sql?
+ @block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
+ end
def conditions_empty?
@conditions == {} || @conditions.nil?
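Review bot: `only_raw_sql?` encodes a non-obvious contract and has no comment: anything that is not a Hash and not recognised by `conditions_empty?` (which only treats `{}` and nil as empty) is classified as raw SQL, so a String, an Array such as `['bar = ?', 1]`, and even an empty string all make `can?` refuse the rule. That is the safe direction, but a reader will otherwise assume the predicate checks for a String. Suggested comment above the method: `# True when the conditions are a SQL fragment (String/Array) rather than a Hash and no block was given; such a rule can only be applied by accessible_by and must never be evaluated by can?, which is why the Ability side raises on it.` The enclosing class starts outside the hunk.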
@@ -317,6 +317,13 @@ class A; include B; end
end
@ability.should have_block(:read, :foo)
end
+
+ it "should know when raw sql is used in conditions" do
+ @ability.can :read, :foo
+ @ability.should_not have_raw_sql(:read, :foo)
+ @ability.can :read, :foo, 'false'
+ @ability.should have_raw_sql(:read, :foo)
+ end
it "should raise access denied exception with default message if not specified" do
begin
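Review bot: The new example only exercises the String form of raw SQL, while the predicate also has to classify the Array form and, more importantly, must return false when a block accompanies SQL conditions (that is the supported way to use both `accessible_by` and `can?` on one rule). Because `has_raw_sql?` uses `any?`, the rule with a block has to be checked in its own example rather than appended here: `@ability.can :read, :foo, ['bar = ?', 1] do true end` followed by `@ability.should_not have_raw_sql(:read, :foo)`. A second example with `@ability.can :read, :foo, ['bar = ?', 1]` alone asserting `have_raw_sql` would pin the Array case. The `describe` block enclosing these examples starts and ends outside the hunk.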
@@ -56,4 +56,18 @@
stub(@model_class).scoped{|*args| args.inspect}
@model_class.accessible_by(@ability).should == :found_records
end
+
+ it "should not allow to fetch records when ability with just block present" do
+ @ability.can :read, @model_class do false end
+ lambda {
+ @model_class.accessible_by(@ability)
+ }.should raise_error(CanCan::Error)
+ end
+
+ it "should not allow to check ability on object when nonhash sql ability definition without block present" do
+ @ability.can :read, @model_class, ['bar = ?', 1]
+ lambda {
+ @ability.can? :read, @model_class.new
+ }.should raise_error(CanCan::Error)
+ end
end
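Review bot: `raise_error(CanCan::Error)` in the last example would also pass if `can?` raised `CanCan::Error` for an unrelated reason, so the assertion does not actually prove the raw-SQL guard fired; matching on the message pins it: `}.should raise_error(CanCan::Error, /raw sql/)`. The same applies to the `accessible_by` example above it, where `/block/` or whatever that error says would distinguish it from this new one. The error text also names `cannot?`, and if the project exposes that method (it is not visible in this hunk) a one-line sibling assertion that `@ability.cannot? :read, @model_class.new` raises too would cover the negated path, which otherwise relies on it delegating to `can?`.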
