Skip to content
Browse files

Solves problem when authorizing new action.

Given two models Category and Projects. A Category has_many
projects and Project belongs_to a category. Furthermore,
projects are shallow nested resources in a category.

Let's say that a user can edit certain category's projects
(and only one category can be edited by each user [1]), this is
expressed with the following line in Ability model:

can :new, :projects, category_id: user.category_id

Given the old implementation, we get that any user can 'new'
(though not 'create') a project in any category:

```ruby
def assign_attributes(resource)
  resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
  initial_attributes.each do |attr_name, value|
    resource.send("#{attr_name}=", value)
  end
  resource
end
```

In this case, category_id in project would get overwritten
inside the initial_attributes loop and authorization would pass.
I consider this a buggy behaviour.

[1] User belongs_to a category, and a Category has many
users. On the other hand, there might be users without
any category.

Conflicts:
	spec/cancan/controller_resource_spec.rb
  • Loading branch information...
1 parent f1cebde commit 1f7e4c8b6be22e81b281625d1a014b6d83735211 @Serabe Serabe committed
Showing with 19 additions and 2 deletions.
  1. +2 −1 lib/cancan/controller_resource.rb
  2. +17 −1 spec/cancan/controller_resource_spec.rb
View
3 lib/cancan/controller_resource.rb
@@ -85,10 +85,11 @@ def build_resource
end
def assign_attributes(resource)
- resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
initial_attributes.each do |attr_name, value|
resource.send("#{attr_name}=", value)
end
+
+ resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
resource
end
View
18 spec/cancan/controller_resource_spec.rb
@@ -284,10 +284,26 @@ class CustomModel
CanCan::ControllerResource.new(@controller, :category, :load => true).process
CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category).process
project = @controller.instance_variable_get(:@project)
- project.new_record?.should eq(true)
+ project.should be_new_record
project.name.should eq('foo')
end
+ it "does not overrides an attribute if it is based on parent resource" do
+ user = double('user')
+ user.should_receive(:category_id).and_return nil
+ @ability = Ability.new user
+ @ability.can :new, :projects, :category_id => user.category_id
+ category = Category.create!
+ @controller.instance_variable_set(:@category, category)
+
+ @params.merge! :action => 'new', :category_id => category.id
+ CanCan::ControllerResource.new(@controller, :category, :load => true).process
+ CanCan::ControllerResource.new(@controller, :project, :load => true, :through => :category, :singleton => true).process
+ project = @controller.instance_variable_get(:@project)
+ project.category_id.should_not be_nil
+ project.category.should eq(category)
+ end
+
it "authorizes nested resource through parent association on index action" do
pending
@params.merge!(:action => "index")

0 comments on commit 1f7e4c8

Please sign in to comment.
Something went wrong with that request. Please try again.