Comparing changes
Commits on Aug 07, 2010
Commits on Aug 17, 2010
Commits on Aug 18, 2010
Commits on Aug 20, 2010
Commits on Aug 30, 2010
Commits on Aug 31, 2010
Commits on Sep 02, 2010
Commits on Sep 03, 2010
Commits on Sep 07, 2010
Commits on Sep 08, 2010
Commits on Sep 09, 2010
Commits on Sep 16, 2010
Commits on Sep 20, 2010
Commits on Sep 21, 2010
Commits on Sep 23, 2010
Commits on Oct 04, 2010
Commits on Oct 05, 2010
Commits on Oct 08, 2010
Commits on Oct 13, 2010
Commits on Oct 14, 2010
Fix accessible_by for Mongoid documents when no ability is defined.
The previous spec that checked for this was not right, since there were no documents in the collection, so every query would return an empty result.
Commits on Oct 15, 2010
Fix bug with CanDefinition#tableized_conditions being used with Mongoid documents and add more specs for accessible_by with Mongoid.
Fix bug with Mongoid document where :manage :all caused accessible_by to return nothing and add specs to test for :manage :all.
Commits on Nov 12, 2010
This fixes an odd error I was seeing in development mode when cache_classes = false (the default), specifically when loading an object through the parent in load_and_authorize_resource.

Assume Photo model and User model where user has many photos:

@photo = current_user.photos.find(1) # this returns a photo
@photo1 = Photo.find(1)

@photo.kind_of?(Photo) is not always true for some reason when class_caching is false. Whereas @photo1.kind_of?(Photo) always appears to be true. Of interesting note, in the above example @photo != @photo1 if kind_of? is false. Very odd.

Again, this only appears to be when loading an object through an association.
checks if active record responds to 'joins', so this can work with internuity's quick_scopes gem; added .swp files to git ignore
Fix NoMethodError
Raises NoMethodError when using ":singleton => true, :shallow => true" and parent_resource is nil
Commits on Nov 16, 2010
can? should only go to db if there are mongoid criteria in the conditions.

Easier to just do a simple comparison on the object in memory
than to search the database.  Also this allows method calls
and other attributes that might not be found in the database.
Commits on Nov 17, 2010
Commits on Dec 21, 2010
Commits on Dec 26, 2010
Fix bug with MongoidAdditions throwing a NameError when Mongoid is not defined by always checking if Mongoid is defined before referencing Mongoid-related constants

Also add spec for this bug
Commits on Dec 28, 2010
Commits on Dec 29, 2010
Add support and tests for datamapper.
This broke some of the mongoid tests and I don't know how to fix them. Both packages define Symbol#in, and when you load them both things don't behave properly. Hopefully someone more versed in mongoid can rewrite the spec to not depend on the Symbol extensions.
moving model adapter specs into their own directory with MODEL_ADAPTER environment variable for choosing which one to run
Commits on Dec 30, 2010
Commits on Jan 03, 2011
Automatically add `accessible_by` to Mongoid Documents to match CanCan behavior for ActiveRecord and DataMapper.

Previously, CanCan::ModelAdditions had to be included in each and every Mongoid document separately. Also removed manual include of CanCan::ModelAdditions from Mongoid documents in Mongoid adapter specs.
Commits on Jan 04, 2011
Commits on Jan 05, 2011
Commits on Jan 06, 2011
Commits on Jan 07, 2011
Commits on Jan 08, 2011
Commits on Jan 09, 2011
Commits on Jan 11, 2011
Commits on Jan 18, 2011
Commits on Jan 19, 2011
Commits on Jan 20, 2011
Commits on Jan 28, 2011
Commits on Feb 03, 2011
Commits on Feb 04, 2011
Commits on Feb 14, 2011
Commits on Feb 17, 2011
Commits on Feb 22, 2011
Commits on Mar 08, 2011
Commits on Mar 09, 2011
Commits on Mar 11, 2011
Commits on Mar 16, 2011
Adam Wróbel
Fixes inherited_resources collection authorization
This reverts e3eab13

I don't know what was the idea of that, but it turned out REAL bad.

`collection` sets the collection instance variable. `resource_base` is used all
over CanCan. It's also used inside `load_collection?` which is checked before
`load_collection` is called. That means we actually set the collection instance
variable through inherited_resources (without any authorization whatsoever) before trying to load it through CanCan using `accessible_by`.

    1. def load_resource
    2.  unless skip?(:load)
    3.    if load_instance?
    4.      self.resource_instance ||= load_resource_instance
    5.    elsif load_collection?
    6.      self.collection_instance ||= load_collection
    7.    end
    8.  end
    9. end

`collection_instance` is set on line 5 instead of line 6.
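The ordering problem the commit message describes, reduced to a runnable toy (added example, not code from CanCan or inherited_resources). BuggyLoader, FixedLoader and the record arrays are hypothetical stand-ins for `collection`, `resource_base`, `load_collection?`, `load_collection` and the scopes they return; the point it shows is that a predicate with a memoizing side effect fills the instance variable before the authorized loader gets its turn, so the `||=` on the next line never runs.

```ruby
# Added example, not code from CanCan or inherited_resources: a toy model of
# the ordering bug above. All names are hypothetical stand-ins.

ALL_RECORDS        = %w[a-own b-own c-other].freeze # constructed sample data
ACCESSIBLE_RECORDS = %w[a-own b-own].freeze         # what accessible_by would return

class BuggyLoader
  attr_reader :collection_instance, :trace

  def initialize
    @trace = []
  end

  # Stand-in for inherited_resources' `collection`: returns the unfiltered
  # scope and memoizes it into the same ivar the authorized loader targets.
  def collection
    @collection_instance ||= begin
      @trace << :unauthorized_collection
      ALL_RECORDS
    end
  end

  # The reverted override routed resource_base through `collection`.
  def resource_base
    collection
  end

  # Consulted before load_collection; touching resource_base here is the
  # side effect that sets the ivar without any authorization.
  def load_collection?
    resource_base.respond_to?(:each)
  end

  # Stand-in for accessible_by(current_ability, :index).
  def load_collection
    @trace << :accessible_by
    ACCESSIBLE_RECORDS
  end

  def load_resource
    if load_collection?
      @collection_instance ||= load_collection # ivar already set; never runs
    end
    @collection_instance
  end
end

# After the revert: resource_base no longer memoizes, so the authorized loader
# is the only code path that ever fills collection_instance.
class FixedLoader < BuggyLoader
  def resource_base
    ALL_RECORDS
  end
end

# Returns [records exposed to the view, trace of which loader ran].
def buggy_result
  loader = BuggyLoader.new
  [loader.load_resource, loader.trace]
end

def fixed_result
  loader = FixedLoader.new
  [loader.load_resource, loader.trace]
end

if __FILE__ == $0
  p buggy_result # => [["a-own", "b-own", "c-other"], [:unauthorized_collection]]
  p fixed_result # => [["a-own", "b-own"], [:accessible_by]]
end
```

The trace array is the check worth keeping in a spec: an `:index` request must record exactly one `:accessible_by` load and no unauthorized one, regardless of which helper is asked first.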
making accessible_by action default to :index and parent action default to :show so we don't check :read action directly - closes #302
Showing with 2,374 additions and 817 deletions.
  1. +4 −0 .gitignore
  2. +1 −0 .rspec
  3. +1 −0 .rvmrc
  4. +133 −2 CHANGELOG.rdoc
  5. +20 −0 Gemfile
  6. +1 −1 LICENSE
  7. +46 −87 README.rdoc
  8. +12 −7 Rakefile
  9. +7 −2 cancan.gemspec
  10. +9 −3 lib/cancan.rb
  11. +116 −51 lib/cancan/ability.rb
  12. +0 −104 lib/cancan/can_definition.rb
  13. +158 −14 lib/cancan/controller_additions.rb
  14. +101 −18 lib/cancan/controller_resource.rb
  15. +8 −1 lib/cancan/exceptions.rb
  16. +19 −0 lib/cancan/inherited_resource.rb
  17. +2 −1 lib/cancan/matchers.rb
  18. +51 −0 lib/cancan/model_adapters/abstract_adapter.rb
  19. +165 −0 lib/cancan/model_adapters/active_record_adapter.rb
  20. +33 −0 lib/cancan/model_adapters/data_mapper_adapter.rb
  21. +7 −0 lib/cancan/model_adapters/default_adapter.rb
  22. +38 −0 lib/cancan/model_adapters/mongoid_adapter.rb
  23. +7 −18 lib/cancan/{active_record_additions.rb → model_additions.rb}
  24. +0 −97 lib/cancan/query.rb
  25. +142 −0 lib/cancan/rule.rb
  26. +4 −0 lib/generators/cancan/ability/USAGE
  27. +11 −0 lib/generators/cancan/ability/ability_generator.rb
  28. +28 −0 lib/generators/cancan/ability/templates/ability.rb
  29. +28 −0 spec/README.rdoc
  30. +212 −56 spec/cancan/ability_spec.rb
  31. +0 −51 spec/cancan/active_record_additions_spec.rb
  32. +0 −44 spec/cancan/can_definition_spec.rb
  33. +94 −29 spec/cancan/controller_additions_spec.rb
  34. +246 −96 spec/cancan/controller_resource_spec.rb
  35. +42 −0 spec/cancan/inherited_resource_spec.rb
  36. +263 −0 spec/cancan/model_adapters/active_record_adapter_spec.rb
  37. +115 −0 spec/cancan/model_adapters/data_mapper_adapter_spec.rb
  38. +7 −0 spec/cancan/model_adapters/default_adapter_spec.rb
  39. +185 −0 spec/cancan/model_adapters/mongoid_adapter_spec.rb
  40. +0 −107 spec/cancan/query_spec.rb
  41. +39 −0 spec/cancan/rule_spec.rb
  42. +1 −1 spec/matchers.rb
  43. +1 −0 spec/spec.opts
  44. +17 −27 spec/spec_helper.rb
.gitignore
@@ -1 +1,5 @@
+*.swp
+**/*.swp
*.gem
+Gemfile.lock
+.bundle
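Review bot: `**/*.swp` on the second added line is redundant: a gitignore pattern with no slash, such as the `*.swp` directly above it, already matches at every directory depth, so one of the two can go. Ignoring `Gemfile.lock` is the right call for a gem, but it means each `bundle` in spec runs resolves whatever the unpinned gems give on that day, which spec/README should mention.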
.rspec
@@ -0,0 +1 @@
+--color
.rvmrc
@@ -0,0 +1 @@
+rvm use 1.8.7@cancan --create
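Review bot: a committed `.rvmrc` is shell that rvm sources when a contributor cds into the checkout, so `rvm use 1.8.7@cancan --create` runs, and creates the gemset, on first entry for everyone with rvm installed; rvm prompts before trusting a new file, and spec/README should say that this line is what they are accepting.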
CHANGELOG.rdoc
@@ -1,11 +1,142 @@
+1.6.1 (March 15, 2011)
+
+* Use Item.new instead of build_item for singleton resource so it doesn't effect database - see issue #304
+
+* Made accessible_by action default to :index and parent action default to :show instead of :read - see issue #302
+
+* Reverted Inherited Resources "collection" override since it doesn't seem to be working - see issue #305
+
+
+1.6.0 (March 11, 2011)
+
+* Added MetaWhere support - see issue #194 and #261
+
+* Allow Active Record scopes in Ability conditions - see issue #257
+
+* Added :if and :unless options to check_authorization - see issue #284
+
+* Several Inherited Resources fixes (thanks aq1018, tanordheim and stefanoverna)
+
+* Pass action name to accessible_by call when loading a collection (thanks amw)
+
+* Added :prepend option to load_and_authorize_resource to load before other filters - see issue #290
+
+* Fixed spacing issue in I18n message for multi-word model names - see issue #292
+
+* Load resource collection for any action which doesn't have an "id" parameter - see issue #296
+
+* Raise an exception when trying to make a Ability condition with both a hash of conditions and a block - see issue #269
+
+
+1.5.1 (January 20, 2011)
+
+* Fixing deeply nested conditions in Active Record adapter - see issue #246
+
+* Improving Mongoid support for multiple can and cannot definitions (thanks stellard) - see issue #239
+
+
+1.5.0 (January 11, 2011)
+
+* Added an Ability generator - see issue #170
+
+* Added DataMapper support (thanks natemueller)
+
+* Added Mongoid support (thanks bowsersenior)
+
+* Added skip_load_and_authorize_resource methods to controller class - see issue #164
+
+* Added support for uncountable resources in index action - see issue #193
+
+* Cleaned up README and added spec/README
+
+* Internal: renamed CanDefinition to Rule
+
+* Internal: added a model adapter layer for easily supporting more ORMs
+
+* Internal: added .rvmrc to auto-switch to 1.8.7 with gemset - see issue #231
+
+
+1.4.1 (November 12, 2010)
+
+* Renaming skip_authorization to skip_authorization_check - see issue #169
+
+* Adding :through_association option to load_resource (thanks hunterae) - see issue #171
+
+* The :shallow option now works with the :singleton option (thanks nandalopes) - see issue #187
+
+* Play nicely with quick_scopes gem (thanks ramontayag) - see issue #183
+
+* Fix odd behavior when "cache_classes = false" (thanks mphalliday) - see issue #174
+
+
+1.4.0 (October 5, 2010)
+
+* Adding Gemfile; to get specs running just +bundle+ and +rake+ - see issue #163
+
+* Stop at 'cannot' definition when there are no conditions - see issue #161
+
+* The :through option will now call a method with that name if instance variable doesn't exist - see issue #146
+
+* Adding :shallow option to load_resource to bring back old behavior of fetching a child without a parent
+
+* Raise AccessDenied error when loading a child and parent resource isn't found
+
+* Abilities defined on a module will apply to anything that includes that module - see issue #150 and #152
+
+* Abilities can be defined with a string of SQL in addition to a block so accessible_by works with a block - see issue #150
+
+* Adding better support for InheritedResource - see issue #23
+
+* Loading the collection instance variable (for index action) using accessible_by - see issue #137
+
+* Adding action and subject variables to I18n unauthorized message - closes #142
+
+* Adding check_authorization and skip_authorization controller class methods to ensure authorization is performed (thanks justinko) - see issue #135
+
+* Setting initial attributes based on ability conditions in new/create actions - see issue #114
+
+* Check parent attributes for nested association in index action - see issue #121
+
+* Supporting nesting in can? method using hash - see issue #121
+
+* Adding I18n support for Access Denied messages (thanks EppO) - see issue #103
+
+* Passing no arguments to +can+ definition will pass action, class, and object to block - see issue #129
+
+* Don't pass action to block in +can+ definition when using :+manage+ option - see issue #129
+
+* No longer calling block in +can+ definition when checking on class - see issue #116
+
+
+1.3.4 (August 31, 2010)
+
+* Don't stop at +cannot+ with hash conditions when checking class (thanks tamoya) - see issue #131
+
+
+1.3.3 (August 20, 2010)
+
+* Switching to Rspec namespace to remove deprecation warning in Rspec 2 - see issue #119
+
+* Pluralize nested associations for conditions in accessible_by (thanks mlooney) - see issue #123
+
+
+1.3.2 (August 7, 2010)
+
+* Fixing slice error when passing in custom resource name - see issue #112
+
+
+1.3.1 (August 6, 2010)
+
+* Fixing protected sanitize_sql error - see issue #111
+
+
1.3.0 (August 6, 2010)
* Adding :find_by option to load_resource - see issue #19
* Adding :singleton option to load_resource - see issue #93
-* Supporting multiple resources in :through option for polymorphic
-associations - see issue #73
+* Supporting multiple resources in :through option for polymorphic associations - see issue #73
* Supporting Single Table Inheritance for "can" comparisons - see issue #55
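Review bot: two typos in the new 1.6.1 and 1.6.0 entries: `so it doesn't effect database` should read `affect the database`, and `make a Ability condition` should read `an Ability condition`. The 1.6.1 entries otherwise match the commits in this comparison (#302 default actions, #305 revert of the collection override).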
Gemfile
@@ -0,0 +1,20 @@
+source "http://rubygems.org"
+
+case ENV["MODEL_ADAPTER"]
+when nil, "active_record"
+ gem "sqlite3"
+ gem "activerecord", :require => "active_record"
+ gem "with_model"
+ gem "meta_where"
+when "data_mapper"
+ gem "dm-core", "~> 1.0.2"
+ gem "dm-sqlite-adapter", "~> 1.0.2"
+ gem "dm-migrations", "~> 1.0.2"
+when "mongoid"
+ gem "bson_ext", "~> 1.1"
+ gem "mongoid", "~> 2.0.0.beta.20"
+else
+ raise "Unknown model adapter: #{ENV["MODEL_ADAPTER"]}"
+end
+
+gemspec
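Review bot: `source "http://rubygems.org"` fetches every gem over plain HTTP, so a spec run installs dependencies with no transport integrity; `https://rubygems.org` should be used instead. The `else raise` branch for an unknown MODEL_ADAPTER is a good touch, since a typo in the variable fails loudly rather than silently running the ActiveRecord suite. Only the DataMapper and Mongoid groups pin versions; `with_model` and `meta_where` in the default group are unpinned, so the ActiveRecord suite can change underneath contributors between bundles.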
LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2009 Ryan Bates
+Copyright (c) 2011 Ryan Bates
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
README.rdoc
@@ -1,61 +1,57 @@
= CanCan
-Wiki[http://wiki.github.com/ryanb/cancan] | RDocs[http://rdoc.info/projects/ryanb/cancan] | Screencast[http://railscasts.com/episodes/192-authorization-with-cancan]
+Wiki[https://github.com/ryanb/cancan/wiki] | RDocs[http://rdoc.info/projects/ryanb/cancan] | Screencast[http://railscasts.com/episodes/192-authorization-with-cancan]
-CanCan is an authorization solution for Ruby on Rails for restricting what a given user is allowed to access throughout the application. It does not care how your user roles are defined, it simply focusses on keeping permission logic in a single location (the +Ability+ class) so it is not duplicated across controllers, views, and database queries.
-
-By default, the +current_user+ method is required, so if you have not already, set up some authentication (such as Authlogic[http://github.com/binarylogic/authlogic] or Devise[http://github.com/plataformatec/devise]). See {Changing Defaults}[http://wiki.github.com/ryanb/cancan/changing-defaults] if you need different behavior.
+CanCan is an authorization library for Ruby on Rails which restricts what resources a given user is allowed to access. All permissions are defined in a single location (the +Ability+ class) and not duplicated across controllers, views, and database queries.
== Installation
-To install CanCan, include the gem in the environment.rb in Rails 2.3.
+In <b>Rails 3</b>, add this to your Gemfile and run the +bundle+ command.
- config.gem "cancan"
+ gem "cancan"
-Or the Gemfile in Rails 3.
+In <b>Rails 2</b>, add this to your environment.rb file.
- gem "cancan"
+ config.gem "cancan"
-Alternatively it can be installed as a plugin.
+Alternatively, you can install it as a plugin.
- script/plugin install git://github.com/ryanb/cancan.git
+ rails plugin install git://github.com/ryanb/cancan.git
== Getting Started
-First, define a class called +Ability+ in "models/ability.rb" or anywhere else in the load path. It should look something like this.
+CanCan expects a +current_user+ method to exist in the controller. First, set up some authentication (such as Authlogic[https://github.com/binarylogic/authlogic] or Devise[https://github.com/plataformatec/devise]). See {Changing Defaults}[https://github.com/ryanb/cancan/wiki/changing-defaults] if you need different behavior.
- class Ability
- include CanCan::Ability
- def initialize(user)
- if user.admin?
- can :manage, :all
- else
- can :read, :all
- end
- end
- end
+=== 1. Define Abilities
+
+User permissions are defined in an +Ability+ class. CanCan 1.5 includes a Rails 3 generator for creating this class.
-This is where all permissions will go. See the "Defining Abilities" section below for more information.
+ rails g cancan:ability
-The current user's permissions can be accessed using the "can?" and "cannot?" methods in the view and controller.
+See {Defining Abilities}[https://github.com/ryanb/cancan/wiki/defining-abilities] for details.
+
+
+=== 2. Check Abilities & Authorization
+
+The current user's permissions can then be checked using the <tt>can?</tt> and <tt>cannot?</tt> methods in the view and controller.
<% if can? :update, @article %>
<%= link_to "Edit", edit_article_path(@article) %>
<% end %>
-See {Checking Abilities}[http://wiki.github.com/ryanb/cancan/checking-abilities] for more information
+See {Checking Abilities}[https://github.com/ryanb/cancan/wiki/checking-abilities] for more information
-The "authorize!" method in the controller will raise an exception if the user is not able to perform the given action.
+The <tt>authorize!</tt> method in the controller will raise an exception if the user is not able to perform the given action.
def show
@article = Article.find(params[:id])
authorize! :read, @article
end
-Setting this for every action can be tedious, therefore the +load_and_authorize_resource+ method is provided to automatically authorize all actions in a RESTful style resource controller. It will use a before filter to load the resource into an instance variable and authorize it for each action.
+Setting this for every action can be tedious, therefore the +load_and_authorize_resource+ method is provided to automatically authorize all actions in a RESTful style resource controller. It will use a before filter to load the resource into an instance variable and authorize it for every action.
class ArticlesController < ApplicationController
load_and_authorize_resource
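Review bot: the plugin install line now reads `rails plugin install git://github.com/ryanb/cancan.git`; the `git://` transport is unauthenticated and unencrypted, while every wiki link in this same hunk was moved to https, so the install URL should follow suit with `https://github.com/ryanb/cancan.git`. Minor: the rewritten `See {Checking Abilities}[...] for more information` line still lacks the trailing period its neighbours have.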
@@ -65,88 +61,51 @@ Setting this for every action can be tedious, therefore the +load_and_authorize_
end
end
-See {Authorizing Controller Actions}[http://wiki.github.com/ryanb/cancan/authorizing-controller-actions] for more information
+See {Authorizing Controller Actions}[https://github.com/ryanb/cancan/wiki/authorizing-controller-actions] for more information.
+
-If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior in the +ApplicationController+.
+=== 3. Handle Unauthorized Access
+
+If the user authorization fails, a <tt>CanCan::AccessDenied</tt> exception will be raised. You can catch this and modify its behavior in the +ApplicationController+.
class ApplicationController < ActionController::Base
rescue_from CanCan::AccessDenied do |exception|
- flash[:error] = exception.message
- redirect_to root_url
+ redirect_to root_url, :alert => exception.message
end
end
-See {Exception Handling}[http://wiki.github.com/ryanb/cancan/exception-handling] for more information.
-
-
-== Defining Abilities
-
-As shown above, the +Ability+ class is where all user permissions are defined. The user model is passed into the initialize method so the permissions can be modified based on any user attributes. CanCan makes no assumptions about how roles are handled in your application. See {Role Based Authorization}[http://wiki.github.com/ryanb/cancan/role-based-authorization] for an example.
+See {Exception Handling}[https://github.com/ryanb/cancan/wiki/exception-handling] for more information.
-The +can+ method is used to define permissions and requires two arguments. The first one is the action you're setting the permission for, the second one is the class of object you're setting it on.
- can :update, Article
+=== 4. Lock It Down
-You can pass an array for either of these parameters to match any one. In this case the user will have the ability to update or destroy both articles and comments.
+If you want to ensure authorization happens on every action in your application, add +check_authorization+ to your ApplicationController.
- can [:update, :destroy], [Article, Comment]
-
-Use :+manage+ to represent any action and :+all+ to represent any class. Here are some examples.
-
- can :manage, Article # has permissions to do anything to articles
- can :read, :all # has permission to read any model
- can :manage, :all # has permission to do anything to any model
-
-You can pass a hash of conditions as the third argument to further restrict what the user is able to access. Here the user will only have permission to read active projects which he owns.
-
- can :read, Project, :active => true, :user_id => user.id
-
-See {Defining Abilities with Hashes}[http://wiki.github.com/ryanb/cancan/defining-abilities-with-hashes] for more information.
-
-Blocks can also be used if you need more control.
-
- can :update, Project do |project|
- project && project.groups.include?(user.group)
+ class ApplicationController < ActionController::Base
+ check_authorization
end
-If the block returns true then the user has that :+update+ ability for that project, otherwise he will be denied access. See {Defining Abilities with Blocks}[http://wiki.github.com/ryanb/cancan/defining-abilities-with-blocks] for more information.
-
-
-== Aliasing Actions
-
-You will usually be working with four actions when defining and checking permissions: :+read+, :+create+, :+update+, :+destroy+. These aren't the same as the 7 RESTful actions in Rails. CanCan automatically adds some default aliases for mapping those actions.
-
- alias_action :index, :show, :to => :read
- alias_action :new, :to => :create
- alias_action :edit, :to => :update
-
-Notice the +edit+ action is aliased to +update+. If the user is able to update a record he also has permission to edit it. You can define your own aliases in the +Ability+ class
-
- alias_action :update, :destroy, :to => :modify
- can :modify, Comment
- can? :update, Comment # => true
-
-See {Custom Actions}[http://wiki.github.com/ryanb/cancan/custom-actions] for information on adding other actions.
+This will raise an exception if authorization is not performed in an action. If you want to skip this add +skip_authorization_check+ to a controller subclass. See {Ensure Authorization}[https://github.com/ryanb/cancan/wiki/Ensure-Authorization] for more information.
-== Fetching Records
+== Wiki Docs
-In the controller +index+ action you may want to fetch only the records which the user has permission to read. You can do this with the +accessible_by+ scope.
+* {Upgrading to 1.6}[https://github.com/ryanb/cancan/wiki/Upgrading-to-1.6]
+* {Defining Abilities}[https://github.com/ryanb/cancan/wiki/Defining-Abilities]
+* {Checking Abilities}[https://github.com/ryanb/cancan/wiki/Checking-Abilities]
+* {Authorizing Controller Actions}[https://github.com/ryanb/cancan/wiki/Authorizing-Controller-Actions]
+* {Exception Handling}[https://github.com/ryanb/cancan/wiki/Exception-Handling]
+* {Changing Defaults}[https://github.com/ryanb/cancan/wiki/Changing-Defaults]
+* {See more}[https://github.com/ryanb/cancan/wiki]
- @articles = Article.accessible_by(current_ability)
-See {Fetching Records}[http://wiki.github.com/ryanb/cancan/fetching-records] for more information.
+== Questions or Problems?
+If you have any issues with CanCan which you cannot find the solution to in the documentation[https://github.com/ryanb/cancan/wiki], please add an {issue on GitHub}[https://github.com/ryanb/cancan/issues] or fork the project and send a pull request.
-== Additional Docs
+To get the specs running you should call +bundle+ and then +rake+. See the {spec/README}[https://github.com/ryanb/cancan/blob/master/spec/README.rdoc] for more information.
-* {Upgrading to 1.3}[http://wiki.github.com/ryanb/cancan/upgrading-to-13]
-* {Nested Resources}[http://wiki.github.com/ryanb/cancan/nested-resources]
-* {Testing Abilities}[http://wiki.github.com/ryanb/cancan/testing-abilities]
-* {Accessing Request Data}[http://wiki.github.com/ryanb/cancan/accessing-request-data]
-* {Admin Namespace}[http://wiki.github.com/ryanb/cancan/admin-namespace]
-* {See more}[http://wiki.github.com/ryanb/cancan/]
== Special Thanks
-CanCan was inspired by declarative_authorization[http://github.com/stffn/declarative_authorization/] and aegis[http://github.com/makandra/aegis]. Also many thanks to the CanCan contributors[http://github.com/ryanb/cancan/contributors]. See the CHANGELOG[http://github.com/ryanb/cancan/blob/master/CHANGELOG.rdoc] for the full list.
+CanCan was inspired by declarative_authorization[https://github.com/stffn/declarative_authorization/] and aegis[https://github.com/makandra/aegis]. Also many thanks to the CanCan contributors[https://github.com/ryanb/cancan/contributors]. See the CHANGELOG[https://github.com/ryanb/cancan/blob/master/CHANGELOG.rdoc] for the full list.
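Review bot: the new "Lock It Down" section tells readers to add `skip_authorization_check` to a controller subclass to opt out, but does not say that doing so disables the check for every action of that controller and anything inheriting from it; a sentence recommending the narrowest possible scope, plus a pointer to the `:if` and `:unless` options on `check_authorization` that the CHANGELOG in this comparison introduces for 1.6.0, would keep the opt-out from becoming a blanket one.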

Comments on commits in this comparison

Thanks Ryan. Now I have justification for not spec'ing authorization at the controller level :)


ghost commented on 5a353c1 Sep 27, 2010

This is a subtle but important difference between 1.3.3 and 1.3.4; consider the following block, which will evaluate to true

@ability.can :read, :all
@ability.cannot :read, Integer
@ability.can?(:read, Integer)
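The rule ordering behind that comment, as an added example rather than CanCan's own code: a toy evaluator (MiniAbility, Rule and Post are hypothetical names) that consults rules last-defined-first, the property a later `cannot` depends on to override an earlier blanket `can`. It goes one step beyond the Integer case and also models the behaviour the CHANGELOG on this page records for conditional rules, namely that a `cannot` with hash conditions is honoured against an instance but skipped, not treated as a denial, when the check is made on the class.

```ruby
# Added example, not CanCan's own code: a simplified rule evaluator that
# models "last matching rule wins". MiniAbility, Rule and Post are hypothetical.
class MiniAbility
  Rule = Struct.new(:allow, :action, :subject, :conditions)

  def initialize
    @rules = []
  end

  # :manage matches any action, :all matches any subject
  def can(action, subject, conditions = nil)
    @rules << Rule.new(true, action, subject, conditions)
  end

  def cannot(action, subject, conditions = nil)
    @rules << Rule.new(false, action, subject, conditions)
  end

  # Rules are consulted last-defined-first; the first rule that applies to the
  # action/subject and whose conditions can be decided gives the answer.
  def can?(action, subject)
    @rules.reverse_each do |rule|
      next unless relevant?(rule, action, subject)
      if subject.is_a?(Class)
        # A class-level check has no record to evaluate conditions against:
        # an unconditional rule decides, a conditional "can" allows (some
        # records may qualify), a conditional "cannot" is skipped.
        return rule.allow if rule.conditions.nil?
        return true if rule.allow
        next
      end
      return rule.allow if rule.conditions.nil? || conditions_match?(rule, subject)
    end
    false # no rule matched: deny by default
  end

  private

  def relevant?(rule, action, subject)
    action_ok = rule.action == :manage || rule.action == action
    klass = subject.is_a?(Class) ? subject : subject.class
    subject_ok = rule.subject == :all || klass <= rule.subject
    action_ok && subject_ok
  end

  # Conditions are an attribute => value hash checked through public readers.
  def conditions_match?(rule, record)
    rule.conditions.all? { |attr, value| record.public_send(attr) == value }
  end
end

# Constructed sample model for the conditional case below.
Post = Struct.new(:published)

# The exact sequence from the comment: the later "cannot" must win over the
# earlier blanket "can", otherwise the deny rule is silently ignored.
def deny_overrides_allow?
  ability = MiniAbility.new
  ability.can :read, :all
  ability.cannot :read, Integer
  !ability.can?(:read, Integer)
end

# A conditional "cannot" is honoured per record but skipped at class level.
def conditional_cannot_results
  ability = MiniAbility.new
  ability.can :read, Post
  ability.cannot :read, Post, :published => false
  {
    :draft_instance     => ability.can?(:read, Post.new(false)),
    :published_instance => ability.can?(:read, Post.new(true)),
    :class_level        => ability.can?(:read, Post)
  }
end

if __FILE__ == $0
  puts "cannot overrides can: #{deny_overrides_allow?}"
  p conditional_cannot_results
end
```

The `:class_level => true` result is the one to keep in mind when writing specs: a class-level `can?` answers "could this user read some posts", never "every post", so view-level gating on a class check must still be backed by the per-record check (or `accessible_by`) in the controller.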

ryanb commented on 8f49f28 Oct 4, 2010

Commit message for this is wrong, it should read "stop at cannot definition when there are no conditions".

httpss breaks link for me :(

Note: ActiveRecord::Relation is a Rails 3 ism. (I know because I tried to use the latest cancan on my Rails 2 project and it didn't work).

I don't know if you want to fix this to make this compatible with Rails 2, or say any cancan version after 1.5.1 (when this change is introduced) is not supported under Rails 3


ryanb commented on f9b181a Mar 19, 2011

It should be easy enough to check if this is defined or not so Rails 2 support can continue. I'll try to get this fixed soon. See issue #312 for this.


ryanb commented on f9b181a Mar 25, 2011

This is fixed now in the latest release (1.6.3)


flop commented on 3f6cecb Apr 4, 2011

Just got a little surprise with this change, before/after_add callbacks on has_many association are not called any more when initializing nested resources with 'new' instead of 'build'
[Edit : Sorry wrong commit, 'new' was already used before but callbacks aren't called anyway ;)]

I did some digging on the issue #204, and I think that the problem is with this commit, the merge_conditions(sql, tableized_conditions(rule.conditions).dup, rule.base_behavior) is not producing the result we want.

I'm sorry turns out I tested it wrong....I'll come up with a fix hopefully
EDIT: merge_conditions(sql, tableized_conditions(rule.conditions).dup, rule.base_behavior) is actually giving the correct individual parts of the SQL script to be performed. However, all combined, this part:

@rules.reverse.inject(false_sql) do |sql, rule|
    merge_conditions(sql, tableized_conditions(rule.conditions).dup, rule.base_behavior)
end

is messing up those parts and is always giving out (1=1) instead. I have a couple of hack fixes on top of my head, but I think I will need more time to think about an elegant fix.

Ryan, why do you use ActiveRecord connection when you use supermodel gem. You could define all those models in spec_helper like you did for Project and Category? Or there's some magic hidden?