
don't authorize uncountable instance in collection action - closes #193

1 parent 15ca8ad commit bc9ecb226d5f5c37f8f77926271e542ffb075908 @ryanb committed Jan 5, 2011
Showing with 23 additions and 4 deletions.
  1. +7 −4 lib/cancan/controller_resource.rb
  2. +16 −0 spec/cancan/controller_resource_spec.rb
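--- a/lib/cancan/controller_resource.rb
+++ b/lib/cancan/controller_resource.rb
@@ -26,7 +26,7 @@ def load_and_authorize_resource
 end
 def load_resource
-if parent? || member_action?
+if load_instance?
 self.resource_instance ||= load_resource_instance
 elsif load_collection?
 self.collection_instance ||= load_collection
@@ -51,9 +51,12 @@ def load_resource_instance
 end
 end
+def load_instance?
+parent? || member_action?
+end
+
 def load_collection?
-resource_base.respond_to?(:accessible_by) &&
-!current_ability.has_block?(authorization_action, resource_class)
+resource_base.respond_to?(:accessible_by) && !current_ability.has_block?(authorization_action, resource_class)
 end
 def load_collection
@@ -116,7 +119,7 @@ def resource_instance=(instance)
 end
 def resource_instance
-@controller.instance_variable_get("@#{instance_name}")
+@controller.instance_variable_get("@#{instance_name}") if load_instance?
 end
 def collection_instance=(instance)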
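Review bot: The `resource_instance` reader in the third hunk now returns nil for every action that is neither a member action nor a parent lookup, so an instance variable the controller populated itself before the filter runs is no longer the subject of `authorize!` in a collection action and the check falls back to the class; that is the intended fix for the uncountable-name collision, but it is a visible behaviour change for any caller of the reader and carries no comment explaining the gate. Suggest documenting the new predicate: `# Load and authorize a single instance only when the action targets one (member action or parent resource); collection actions authorize against the class so a pre-set @<instance_name> cannot widen or narrow the check.` The reader would benefit from the same why-comment in one line, e.g. `# nil outside member/parent actions: collection authorization must use the class, not whatever @<instance_name> currently holds`. `member_action?` and `parent?` are defined outside these hunks, so what exactly qualifies an action as a member action is not visible here.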
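--- a/spec/cancan/controller_resource_spec.rb
+++ b/spec/cancan/controller_resource_spec.rb
@@ -91,6 +91,22 @@
 @controller.instance_variable_defined?(:@projects).should be_false
 end
+it "should not authorize single resource in collection action" do
+@params[:action] = "index"
+@controller.instance_variable_set(:@project, :some_project)
+stub(@controller).authorize!(:index, Project) { raise CanCan::AccessDenied }
+resource = CanCan::ControllerResource.new(@controller)
+lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
+end
+
+it "should authorize parent resource in collection action" do
+@params[:action] = "index"
+@controller.instance_variable_set(:@category, :some_category)
+stub(@controller).authorize!(:read, :some_category) { raise CanCan::AccessDenied }
+resource = CanCan::ControllerResource.new(@controller, :category, :parent => true)
+lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
+end
+
 it "should perform authorization using controller action and loaded model" do
 @params[:action] = "show"
 @controller.instance_variable_set(:@project, :some_project)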
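Review bot: The first new example asserts only that `authorize!(:index, Project)` is reached; it never states directly that `authorize!` must not be called with `:some_project`, so the regression it guards against is caught only if the mocking library raises on a stubbed call with unmatched arguments rather than falling through — presumably the case for `stub(@controller)`, but the test would be clearer with that intent spelled out, e.g. `# a stray @project must not become the subject; the stub above only matches the class`. The second example stubs `authorize!(:read, :some_category)` while the action is "index", encoding that parent resources are authorized with `:read` regardless of the child action; a reader comparing it with the first example will wonder why the action differs, so a one-line comment above the stub would help: `# parent resources are always authorized with :read, independent of the current action`. The surrounding `describe` block begins before this hunk, so the setup of `@params` and `@controller` is not visible here.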
