Permalink
Browse files

Merge remote branch 'upstream/master'

Conflicts:
	lib/cancan/ability.rb
	lib/cancan/active_record_additions.rb
	lib/cancan/can_definition.rb
	spec/cancan/ability_spec.rb
  • Loading branch information...
2 parents 7d7d249 + 1ade442 commit 46f03013f3f6d488ce96249b8a6b5e009dbed0d5 Yura Sokolov committed May 24, 2010
View
@@ -1,3 +1,11 @@
+* Load nested parent resources on collection actions such as "index" (thanks dohzya)
+
+* Adding :name option to load_and_authorize_resource if it does not match controller - see issue #65
+
+* Fixing issue when using accessible_by with nil can conditions (thanks jrallison) - see issue #66
+
+* Pluralize table name for belongs_to associations in can conditions hash (thanks logandk) - see issue #62
+
* Support has_many association or arrays in can conditions hash
* Adding joins clause to accessible_by when conditions are across associations
View
@@ -1,8 +1,8 @@
module CanCan
-
+
# This module is designed to be included into an Ability class. This will
# provide the "can" methods for defining and checking abilities.
- #
+ #
# class Ability
# include CanCan::Ability
#
@@ -14,39 +14,40 @@ module CanCan
# end
# end
# end
- #
+ #
module Ability
- # Use to check the user's permission for a given action and object.
- #
+ # Use to check if the user has permission to perform a given action on an object.
+ #
# can? :destroy, @project
- #
+ #
# You can also pass the class instead of an instance (if you don't have one handy).
- #
+ #
# can? :create, Project
- #
+ #
# Any additional arguments will be passed into the "can" block definition. This
# can be used to pass more information about the user's request for example.
- #
+ #
# can? :create, Project, request.remote_ip
- #
+ #
# can :create Project do |project, remote_ip|
# # ...
# end
- #
- # Not only can you use the can? method in the controller and view (see ControllerAdditions),
+ #
+ # Not only can you use the can? method in the controller and view (see ControllerAdditions),
# but you can also call it directly on an ability instance.
- #
+ #
# ability.can? :destroy, @project
- #
+ #
# This makes testing a user's abilities very easy.
- #
+ #
# def test "user can only destroy projects which he owns"
# user = User.new
# ability = Ability.new(user)
# assert ability.can?(:destroy, Project.new(:user => user))
# assert ability.cannot?(:destroy, Project.new)
# end
- #
+ #
+ # Also see the RSpec Matchers to aid in testing.
def can?(action, subject, *extra_args)
raise Error, "Nom nom nom. I eated it." if action == :has && subject == :cheezburger
matching_can_definition(action, subject) do |can_definition|
@@ -56,133 +57,133 @@ def can?(action, subject, *extra_args)
end
false
end
-
+
# Convenience method which works the same as "can?" but returns the opposite value.
- #
+ #
# cannot? :destroy, @project
- #
+ #
def cannot?(*args)
!can?(*args)
end
-
+
# Defines which abilities are allowed using two arguments. The first one is the action
# you're setting the permission for, the second one is the class of object you're setting it on.
- #
+ #
# can :update, Article
- #
+ #
# You can pass an array for either of these parameters to match any one.
#
# can [:update, :destroy], [Article, Comment]
#
# In this case the user has the ability to update or destroy both articles and comments.
- #
+ #
# You can pass a hash of conditions as the third argument.
#
# can :read, Project, :active => true, :user_id => user.id
- #
- # Here the user can only see active projects which he owns. See ControllerAdditions#conditions for a way to
- # use this in database queries.
- #
+ #
+ # Here the user can only see active projects which he owns. See ActiveRecordAdditions#accessible_by
+ # for how to use this in database queries.
+ #
# If the conditions hash does not give you enough control over defining abilities, you can use a block to
# write any Ruby code you want.
#
# can :update, Project do |project|
# project && project.groups.include?(user.group)
# end
- #
+ #
# If the block returns true then the user has that :update ability for that project, otherwise he
# will be denied access. It's possible for the passed in model to be nil if one isn't specified,
# so be sure to take that into consideration.
- #
+ #
# The downside to using a block is that it cannot be used to generate conditions for database queries.
- #
+ #
# You can pass :all to reference every type of object. In this case the object type will be passed
# into the block as well (just in case object is nil).
- #
+ #
# can :read, :all do |object_class, object|
# object_class != Order
# end
- #
+ #
# Here the user has permission to read all objects except orders.
- #
- # You can also pass :manage as the action which will match any action. In this case the action is
+ #
+ # You can also pass :manage as the action which will match any action. In this case the action is
# passed to the block.
- #
+ #
# can :manage, Comment do |action, comment|
# action != :destroy
# end
- #
+ #
# You can pass custom objects into this "can" method, this is usually done through a symbol
# and is useful if a class isn't available to define permissions on.
- #
+ #
# can :read, :stats
# can? :read, :stats # => true
- #
+ #
def can(action, subject, conditions = nil, &block)
can_definitions << CanDefinition.new(true, action, subject, conditions, block)
end
-
- # Define an ability which cannot be done. Accepts the same arguments as "can".
- #
+
+ # Defines an ability which cannot be done. Accepts the same arguments as "can".
+ #
# can :read, :all
# cannot :read, Comment
- #
+ #
# A block can be passed just like "can", however if the logic is complex it is recommended
# to use the "can" method.
- #
+ #
# cannot :read, Product do |product|
# product.invisible?
# end
- #
+ #
def cannot(action, subject, conditions = nil, &block)
can_definitions << CanDefinition.new(false, action, subject, conditions, block)
end
-
+
# Alias one or more actions into another one.
- #
+ #
# alias_action :update, :destroy, :to => :modify
# can :modify, Comment
- #
+ #
# Then :modify permission will apply to both :update and :destroy requests.
- #
+ #
# can? :update, Comment # => true
# can? :destroy, Comment # => true
- #
+ #
# This only works in one direction. Passing the aliased action into the "can?" call
# will not work because aliases are meant to generate more generic actions.
- #
+ #
# alias_action :update, :destroy, :to => :modify
# can :update, Comment
# can? :modify, Comment # => false
- #
+ #
# Unless that exact alias is used.
- #
+ #
# can :modify, Comment
# can? :modify, Comment # => true
- #
+ #
# The following aliases are added by default for conveniently mapping common controller actions.
- #
+ #
# alias_action :index, :show, :to => :read
# alias_action :new, :to => :create
# alias_action :edit, :to => :update
- #
+ #
# This way one can use params[:action] in the controller to determine the permission.
def alias_action(*args)
target = args.pop[:to]
aliased_actions[target] ||= []
aliased_actions[target] += args
end
-
+
# Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
def aliased_actions
@aliased_actions ||= default_alias_actions
end
-
+
# Removes previously aliased actions including the defaults.
def clear_aliased_actions
@aliased_actions = {}
end
-
+
# Returns an array of arrays composing from desired action and hash of conditions which match the given ability.
# This is useful if you need to generate a database query based on the current ability.
#
@@ -194,18 +195,21 @@ def clear_aliased_actions
# conditions :read, Article # returns [ [ false, { :blocked => true } ], [ true, { :visible => true } ] ]
#
# Normally you will not call this method directly, but instead go through ActiveRecordAdditions#accessible_by method.
- #
+ #
# If the ability is not defined then false is returned so be sure to take that into consideration.
# If the ability is defined using a block then this will raise an exception since a hash of conditions cannot be
# determined from that.
- def conditions(action, subject)
+ def conditions(action, subject, options = {})
matched = matching_can_definition(action, subject)
unless matched.empty?
- if matched.any?{|can_definition| can_definition.conditions.nil? && can_definition.block }
+ if matched.any?{|can_definition|
+ cond = can_definition.conditions
+ (cond.nil? || cond.empty?) && can_definition.block
+ }
raise Error, "Cannot determine ability conditions from block for #{action.inspect} #{subject.inspect}"
end
matched.map{|can_definition|
- [can_definition.base_behavior, can_definition.conditions]
+ [can_definition.base_behavior, can_definition.conditions(options)]
}
else
false
@@ -226,16 +230,16 @@ def conditions(action, subject)
# If there is just one :can ability, it conditions returned untouched.
# If the ability is defined using a block then this will raise an exception since a hash of conditions cannot be
# determined from that.
- def sql_conditions(action, subject)
- conds = conditions(action, subject)
+ def sql_conditions(action, subject, options = {})
+ conds = conditions(action, subject, options)
return false if conds == false
return (conds[0][1] || {}) if conds.size==1 && conds[0][0] == true # to match previous spec
true_cond = subject.send(:sanitize_sql, ['?=?', true, true])
false_cond = subject.send(:sanitize_sql, ['?=?', true, false])
conds.reverse.inject(nil) do |sql, action|
behavior, condition = action
- if condition
+ if condition && !condition.empty?
condition = "#{subject.send(:sanitize_sql, condition)}"
condition = "not (#{condition})" if behavior == false
else
@@ -268,11 +272,11 @@ def association_joins(action, subject)
end
private
-
+
def can_definitions
@can_definitions ||= []
end
-
+
def matching_can_definition(action, subject)
if block_given?
can_definitions.reverse.each do |can_definition|
@@ -288,7 +292,7 @@ def matching_can_definition(action, subject)
matched
end
end
-
+
def default_alias_actions
{
:read => [:index, :show],
@@ -1,26 +1,26 @@
module CanCan
- # This module is automatically included into all Active Record.
+ # This module is automatically included into all Active Record models.
module ActiveRecordAdditions
module ClassMethods
# Returns a scope which fetches only the records that the passed ability
# can perform a given action on. The action defaults to :read. This
# is usually called from a controller and passed the +current_ability+.
#
# @articles = Article.accessible_by(current_ability)
- #
+ #
# Here only the articles which the user is able to read will be returned.
# If the user does not have permission to read any articles then an empty
# result is returned. Since this is a scope it can be combined with any
# other scopes or pagination.
- #
+ #
# An alternative action can optionally be passed as a second argument.
- #
+ #
# @articles = Article.accessible_by(current_ability, :update)
- #
+ #
# Here only the articles which the user can update are returned. This
# internally uses Ability#conditions method, see that for more information.
def accessible_by(ability, action = :read)
- conditions = ability.sql_conditions(action, self) || {:id => nil}
+ conditions = ability.sql_conditions(action, self, :tableize => true) || {:id => nil}
joins = ability.association_joins(action, self)
if respond_to? :where
where(conditions).joins(joins)
@@ -29,7 +29,7 @@ def accessible_by(ability, action = :read)
end
end
end
-
+
def self.included(base)
base.extend ClassMethods
end
Oops, something went wrong.

0 comments on commit 46f0301

Please sign in to comment.