Comparing changes

Commits on Mar 24, 2011
@ryanb modifying Ability to use symbol for subject instead of class, also ad…
…ding subject aliases
@ryanb getting all specs passing again 3a825ed
@ryanb adding enable_authorization method and deprecating some other control…
…ler methods
@ryanb allow strings along with symbols in Ability definition and checking a03d352
Commits on Mar 25, 2011
@ryanb adding attributes as 3rd argument to can and can? calls 85efbdb
@ryanb adding fully_authorized? method to Ability to check if conditions are…
… considered in authorize! call
@ryanb require attributes to be checked on create/update action in order to …
…be fully authorized
@ryanb refactoring fully authorized check and catching bug 242e912
@ryanb check authorization is sufficient in an after_filter when doing enabl…
@ryanb merging with master bcac159
@ryanb renaming AccessDenied exception to Unauthorized cf2896f
@ryanb passing block to enable_authorization will be executed when CanCan::U…
…nauthorized exception is raised
@ryanb removing skipping feature in ControllerResource for now 5d68cae
@ryanb mark index action as fully authorized when fetching records through a…
@ryanb don't authorize based on resource name in authorize_resource since th…
…is is already handled by enable_authorization
Commits on Mar 26, 2011
@ryanb authorize params passed in create and update action baa1dac
@ryanb fixing marking fully_authorized on an object instance e5b7621
@ryanb updating some documentation for CanCan 2.0 c6f9abb
Commits on Apr 21, 2011
@ryanb allow SQL conditions to be used with a block 63865cc
Commits on May 16, 2011
@ryanb updating version in gemspec to alpha 5a64d94
Commits on May 19, 2011
@ryanb merging master into 2.0 e24d5d1
@ryanb changing the interface for ControllerResource load/authorize so they …
…can be intertwined
@ryanb set resource attributes in update action and authorize after set - cl…
…oses #141
Commits on Jun 13, 2011
@ryanb load member through method instead of instance variable to improve de…
…cent_exposure support
Commits on Sep 28, 2011
@ryanb fixing model comparison spec, I believe this bug is caused by recent …
…version of with_model
@ryanb include tests with cancan:ability generator - closes #350 6c1d685
@ryanb fixing ability generator 0442634
@ryanb merging 1.6 additions into 2.0 branch 86063e4
@ryanb Merge branch 'master' into 2.0 2160183
@ryanb fixing namespace controller resource spec 092b510
@ryanb Merge branch 'master' into 2.0 67c9361
@ryanb fixing spec for new id_param option eafd6cf
@jnv jnv Add failing example of `cannot` for attribute, corresponds to #406 aa83fee
@ryanb ignore cannot clause with attributes when not checking for with attri…
…butes - closes #406
@ryanb consider specificity when finding relevant rules so generic rules wil…
…l not override specific ones - closes #321
@ryanb include namespace in params when creating/updating resource - closes #… c94de4a
Commits on Apr 22, 2012
@ryanb switching to Rspec stubbing/mocking - no more RR b37f2d0
@ryanb changing should spec wording ec36137
@ryanb removing .rvmrc, no need for a gemset with Bundler 8c72ab4
@ryanb disabling MetaWhere feature and making Active Record fixture that is …
…always loaded
@ryanb upgrading specs to use Rails 3.2.3 88cd11b
Commits on Apr 23, 2012
@ryanb getting data_mapper and mongoid specs passing with latest versions 167d383
Commits on May 11, 2012
@bsodmike bsodmike cancan 2.0 fix for issue #565; fixes namespaced non-db/model backed r…
…esources authorization
@bsodmike bsodmike cancan 2.0 fix for issue #565; test to properly authorize resource fo…
…r namespaced controller
@ryanb Merge pull request #570 from bsodmike/bsodmike-2.0
Cancan 2.0 fix for issue #565; fixes namespaced non-db/model backed resources authorization
@ryanb fixing Ruby versions running on travis.yml ccd24ab
Commits on May 30, 2012
@ollym ollym Named resources were not being loaded correctly. Fixes #633 78cbcf1
Commits on May 31, 2012
@ollym ollym Classify causes plural model names to be incorrectly renamed
Some model names will be renamed incorrectly e.g. 'business'. It should
be the responsibility of the user to make sure they use a name that
directly corresponds to the model name. The only filtering performed
should be camelize.
Commits on Jun 04, 2012
@ollym ollym Fixed bug where parent resources were being regarded as children 354e34b
Commits on Jun 11, 2012
@ryanb Merge pull request #635 from ollym/2.0
Named resources were not loading correctly in 2.0
Commits on Jun 26, 2012
@ryanb tests passing with Rails 3.2.6 de000fd
Commits on Jun 27, 2012
@ryanb bringing up to date with master branch 6886aec
Commits on Jun 29, 2012
@xinuc xinuc fix namespace split, so we can use / for namespace 6c1828a
Commits on Jul 02, 2012
@ryanb Merge pull request #668 from bukalapak/2.0
Fix namespace split
Commits on Jul 05, 2012
@maxprokopiev maxprokopiev Fix mongoid example according to ability precedence. Closes #672 17043ca
Commits on Sep 28, 2012
Matt Culpepper load hooks return ActiveRecord::Model in Rails 4, use Concern 9550154
Commits on Sep 29, 2012
@ryanb Merge pull request #751 from mculp/2.0
fixes #750 - load hooks return ActiveRecord::Model in Rails 4, use Concern
Commits on Oct 04, 2012
@Serabe Serabe Solves problem when authorizing new action.
Given two models Category and Projects. A Category has_many
projects and Project belongs_to a category. Furthermore,
projects are shallow nested resources in a category.

Let's say that a user can edit certain category's projects
(and only one category can be edited by each user [1]), this is
expressed with the following line in Ability model:

    can :new, :projects, category_id: user.category_id

Given the old implementation, we get that any user can 'new'
(though not 'create') a project in any category:

    def assign_attributes(resource)
      resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
      initial_attributes.each do |attr_name, value|
        resource.send("#{attr_name}=", value)
      end
    end

In this case, category_id in project would get overwritten
inside the initial_attributes loop and authorization would pass.
I consider this a buggy behaviour.

[1] User belongs_to a category, and a Category has many
users. On the other hand, there might be users without
any category.
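
Added example, not part of the commit message or of CanCan's code: a plain-Ruby model of the ordering problem described above, where the rule's conditions are copied onto the new record before it is authorized. Project, User, build_old, build_parent_wins and new_allowed? are hypothetical stand-ins, and the parent-wins ordering is an assumed illustration of a safe ordering, not the actual patch.

```ruby
# Constructed stand-ins; none of these are CanCan classes.
Project = Struct.new(:category_id)
User    = Struct.new(:category_id)

# Models the rule: can :new, :projects, category_id: user.category_id
def rule_conditions(user)
  { category_id: user.category_id }
end

# Authorization: every rule condition must match the resource as it stands.
def authorized?(user, project)
  rule_conditions(user).all? { |attr, value| project[attr] == value }
end

# Ordering described in the commit message: the record starts under the
# parent category from the request, then the rule's conditions are copied
# onto it, so the value being checked is the value the rule itself supplied.
def build_old(user, parent_category_id)
  project = Project.new(parent_category_id)
  rule_conditions(user).each { |attr, value| project[attr] = value }
  project
end

# Assumed safe ordering: rule conditions only provide defaults and the
# parent association is applied last, so the check sees the real parent.
def build_parent_wins(user, parent_category_id)
  project = Project.new
  rule_conditions(user).each { |attr, value| project[attr] = value }
  project.category_id = parent_category_id
  project
end

# Builds the record with the named builder, then runs the :new check.
def new_allowed?(builder, user, parent_category_id)
  authorized?(user, send(builder, user, parent_category_id))
end

if __FILE__ == $PROGRAM_NAME
  editor = User.new(1)    # may edit projects in category 1 only
  loner  = User.new(nil)  # footnote [1]: a user without any category
  puts "old ordering, other category:  #{new_allowed?(:build_old, editor, 2)}"
  puts "old ordering, no category:     #{new_allowed?(:build_old, loner, 2)}"
  puts "parent wins, other category:   #{new_allowed?(:build_parent_wins, editor, 2)}"
  puts "parent wins, own category:     #{new_allowed?(:build_parent_wins, editor, 1)}"
end
```

A regression spec for this class of bug should assert on the denied case (a user requesting `new` under a category that is not their own), since the allowed case passes under both orderings.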

Commits on Feb 22, 2013
@ryanb Merge pull request #754 from Serabe/new_authorization_bug
Solves problem when authorizing new action.
@ryanb Merge pull request #673 from juggler/rules_order
Changes rules order in mongoid specs. Fixes #672