only use the :read action when authorizing parent resources

commit 156839b73e26d49a2a085a0ddb989092b7b3d6e8 1 parent 25a1c55
Ryan Bates authored
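--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -1,3 +1,5 @@
+* Parent resources are now authorized with :read action.
+
 * Changing :resource option in load/authorize_resource back to :class with ability to pass false
 
 * Removing :nested option in favor of :through option with separate load/authorize call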
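--- a/lib/cancan/controller_resource.rb
+++ b/lib/cancan/controller_resource.rb
@@ -30,7 +30,7 @@ def load_resource
 end
 
 def authorize_resource
-@controller.authorize!(@params[:action].to_sym, resource_instance || resource_class)
+@controller.authorize!(authorization_action, resource_instance || resource_class)
 end
 
 def parent?
@@ -41,14 +41,14 @@ def parent?
 
 def load_resource_instance
 if !parent? && new_actions.include?(@params[:action].to_sym)
-resource_base.kind_of?(Class) ? resource_base.new(attributes) : resource_base.build(attributes)
+resource_base.kind_of?(Class) ? resource_base.new(@params[name.to_sym]) : resource_base.build(@params[name.to_sym])
 elsif id_param
 resource_base.find(id_param)
 end
 end
 
-def attributes
-@params[name.to_sym]
+def authorization_action
+parent? ? :read : @params[:action].to_sym
 end
 
 def id_param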
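Review bot: `authorization_action` hard-codes `:read` for parent resources without a comment saying so, and that is a policy decision worth stating at the call site: from this commit on, a user who can merely read the parent passes the parent check for nested create/update/destroy requests, and the write action is checked only against the child. I'd put `# Parents are only ever checked for :read; the requested action is authorized against the child alone.` above the ternary. Two smaller points: `@params[:action].to_sym` raises a bare NoMethodError rather than a CanCan error if `:action` is absent, and the inlined `resource_base.new(@params[name.to_sym])` / `build(...)` hands request attributes straight to the model, so it presumably relies on model-level attribute whitelisting — worth confirming. The enclosing class starts and ends outside these hunks.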
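--- a/spec/cancan/controller_resource_spec.rb
+++ b/spec/cancan/controller_resource_spec.rb
@@ -137,6 +137,13 @@
 @controller.instance_variable_get(:@ability).should == :some_ability
 end
 
+it "should only authorize :read action on parent resource" do
+stub(Person).find(123) { :some_person }
+stub(@controller).authorize!(:read, :some_person) { raise CanCan::AccessDenied }
+resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "new", :person_id => 123}, :person)
+lambda { resource.load_and_authorize_resource }.should raise_error(CanCan::AccessDenied)
+end
+
 it "should load the model using a custom class" do
 stub(Person).find(123) { :some_resource }
 resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => Person})
@@ -148,7 +155,6 @@
 stub(@controller).authorize!(:show, :ability) { raise CanCan::AccessDenied }
 resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => false})
 lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
-
 end
 
 it "should raise ImplementationRemoved when adding :name option" do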
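Review bot: The new example only shows that a denied `:read` on the parent propagates; nothing asserts the "only" in its title, i.e. that the request's `:new` action is not what gets authorized against the parent. A companion example would pin the behaviour the changelog announces: `stub(@controller).authorize!(:read, :some_person)` together with `stub(@controller).authorize!(:new, :some_person) { raise CanCan::AccessDenied }` and `lambda { resource.load_and_authorize_resource }.should_not raise_error`. As written, a regression that authorized the parent with the request action would presumably surface as an unmatched-stub error from the mocking library rather than as a named assertion, which makes the intent harder to read from a failure.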
