should not allow to can? when raw sql without block is present

commit 12037d7f43c081c5de238942dc1bac5ecf12b4c7 1 parent 1f81b8d
@funny-falcon funny-falcon authored committed
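--- a/lib/cancan/ability.rb
+++ b/lib/cancan/ability.rb
@@ -54,7 +54,7 @@ module Ability
 #
 # Also see the RSpec Matchers to aid in testing.
 def can?(action, subject, *extra_args)
-match = relevant_can_definitions(action, subject).detect do |can_definition|
+match = relevant_can_definitions_for_match(action, subject).detect do |can_definition|
 can_definition.matches_conditions?(action, subject, extra_args)
 end
 match ? match.base_behavior : false
@@ -224,6 +224,10 @@ def attributes_for(action, subject)
 def has_block?(action, subject)
 relevant_can_definitions(action, subject).any?(&:only_block?)
 end
+
+def has_raw_sql?(action, subject)
+relevant_can_definitions(action, subject).any?(&:only_raw_sql?)
+end
 private
@@ -267,6 +271,14 @@ def relevant_can_definitions(action, subject)
 can_definition.relevant? action, subject
 end
 end
+
+def relevant_can_definitions_for_match(action, subject)
+relevant_can_definitions(action, subject).each do |can_definition|
+if can_definition.only_raw_sql?
+raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+end
+end
+end
 def relevant_can_definitions_for_query(action, subject)
 relevant_can_definitions(action, subject).each do |can_definition|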
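Review bot: relevant_can_definitions_for_match iterates with `each` solely to raise, relying on `each` returning the receiver so the caller's `detect` still gets the definitions; the intent reads more directly as a guard, and it duplicates the check `has_raw_sql?` already expresses in the second hunk. Consider `definitions = relevant_can_definitions(action, subject)` / `raise Error, message if definitions.any?(&:only_raw_sql?)` / `definitions`, keeping the existing message text. The message states the guard also covers `cannot?`, which holds only if `cannot?` is routed through `can?`; that method is outside this hunk, so it is worth confirming. Interpolating `subject.inspect` into the exception may place a record's attribute values into logs wherever this error is reported, and `subject.class` is usually enough to locate the offending definition. The enclosing module continues outside the hunk.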
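--- a/lib/cancan/can_definition.rb
+++ b/lib/cancan/can_definition.rb
@@ -55,6 +55,10 @@ def tableized_conditions(conditions = @conditions)
 def only_block?
 conditions_empty? && !@block.nil?
 end
+
+def only_raw_sql?
+@block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
+end
 def conditions_empty?
 @conditions == {} || @conditions.nil?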
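Review bot: only_raw_sql? carries no comment saying what counts as raw SQL, and the predicate is "any non-empty conditions that are not a Hash", which is wider than the name suggests. A one-line comment such as `# No block and conditions given as SQL (a string or array, not a hash): only the database can evaluate this definition, so can? must refuse it.` would tell the reader why the new guard in ability.rb exists. Also `kind_of?` is an alias of `is_a?`, and the latter is the conventional spelling, so `!@conditions.is_a?(Hash)` matches the style guide. The enclosing class continues outside the hunk.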
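--- a/spec/cancan/ability_spec.rb
+++ b/spec/cancan/ability_spec.rb
@@ -317,6 +317,13 @@ class A; include B; end
 end
 @ability.should have_block(:read, :foo)
 end
+
+it "should know when raw sql is used in conditions" do
+@ability.can :read, :foo
+@ability.should_not have_raw_sql(:read, :foo)
+@ability.can :read, :foo, 'false'
+@ability.should have_raw_sql(:read, :foo)
+end
 it "should raise access denied exception with default message if not specified" do
 begin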
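Review bot: The new example exercises only the string form of a raw-SQL condition (`'false'`); the array form `['bar = ?', 1]` used in active_record_additions_spec and a hash condition are not asserted against `have_raw_sql`. Adding a hash-condition definition (constructed example: `@ability.can :read, :foo, :id => 1`) with `should_not have_raw_sql(:read, :foo)` and an array-condition case with `should have_raw_sql` would pin the boundary `only_raw_sql?` draws between hash and non-hash conditions. The surrounding describe block starts and ends outside the hunk.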
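--- a/spec/cancan/active_record_additions_spec.rb
+++ b/spec/cancan/active_record_additions_spec.rb
@@ -56,4 +56,18 @@
 stub(@model_class).scoped{|*args| args.inspect}
 @model_class.accessible_by(@ability).should == :found_records
 end
+
+it "should not allow to fetch records when ability with just block present" do
+@ability.can :read, @model_class do false end
+lambda {
+@model_class.accessible_by(@ability)
+}.should raise_error(CanCan::Error)
+end
+
+it "should not allow to check ability on object when nonhash sql ability definition without block present" do
+@ability.can :read, @model_class, ['bar = ?', 1]
+lambda {
+@ability.can? :read, @model_class.new
+}.should raise_error(CanCan::Error)
+end
 end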
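Review bot: Both new examples assert only `raise_error(CanCan::Error)`, and `accessible_by` and `can?` each raise that same class for different reasons (block-only definition versus raw-SQL definition), so the wrong guard firing would still pass. Matching on the message, e.g. `}.should raise_error(CanCan::Error, /raw sql/)` in the second example, pins which check rejected the call. The `cannot?` counterpart of the second example is not covered here; if `cannot?` delegates to `can?` it is exercised indirectly, but that is not visible on this page.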