Fixes inherited_resources collection authorization

This reverts e3eab13

I don't know what was the idea of that, but it turned out REAL bad.

`collection` sets the collection instance variable. `resource_base` is used all
over CanCan. It's also used inside `load_collection?` which is checked before
`load_collection` is called. That means we actually set the collection instance
variable through inherited_resources (without any authorization whatsoever) before trying to load it through CanCan using `accessible_by`.

    1. def load_resource
    2.  unless skip?(:load)
    3.    if load_instance?
    4.      self.resource_instance ||= load_resource_instance
    5.    elsif load_collection?
    6.      self.collection_instance ||= load_collection
    7.    end
    8.  end
    9. end

`collection_instance` is set on line 5 instead of line 6.
1 parent efa3ff1 commit 3639ca90ebe8d676a7daaae120352ca340686bf6 @amw amw committed Mar 16, 2011
Showing with 3 additions and 3 deletions.
  1. +1 −1 lib/cancan/inherited_resource.rb
  2. +2 −2 spec/cancan/inherited_resource_spec.rb
2 lib/cancan/inherited_resource.rb
@@ -13,7 +13,7 @@ def load_resource_instance
end
def resource_base
- @controller.send :collection
+ @controller.send :end_of_association_chain
end
end
end
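Review bot: `resource_base` in lib/cancan/inherited_resource.rb carries no comment explaining why it must send `end_of_association_chain` rather than `collection`, and this line has already been flipped once (the commit message says this reverts e3eab13). Per the commit message, `collection` sets the collection instance variable and `resource_base` is reached from `load_collection?`, so calling it here populates the variable before `accessible_by` is applied. A short comment above the method stating that it must return an unloaded, unmemoized scope would make the authorization reason visible to the next person who edits it.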
4 spec/cancan/inherited_resource_spec.rb
@@ -32,10 +32,10 @@
@controller.instance_variable_get(:@project).should == :project_resource
end
- it "index should load through @controller.collection" do
+ it "index should load through @controller.end_of_association_chain" do
@params[:action] = "index"
stub(Project).accessible_by(@ability, :index) { :projects }
- stub(@controller).collection { Project }
+ stub(@controller).end_of_association_chain { Project }
CanCan::InheritedResource.new(@controller).load_resource
@controller.instance_variable_get(:@projects).should == :projects
end
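Review bot: the renamed index example in spec/cancan/inherited_resource_spec.rb only swaps the stubbed method and still asserts just that `@projects` ends up as `:projects`, so it does not pin down the regression described in the commit message. Because the stub replaces the real method, the same assertion passed when `collection` was stubbed. Consider adding an expectation that `@controller.collection` is never called during `load_resource` (for example RR's `dont_allow(@controller).collection`), so that a future change back to `collection` fails the spec instead of silently bypassing `accessible_by`.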