only bulk destroy authorized records

app/controllers/rails_admin/main_controller.rb

@@ -129,14 +129,19 @@ def destroy
     end
 
     def bulk_delete
+      @authorization_adapter.authorize(:bulk_delete, @abstract_model) if @authorization_adapter
+
       @page_name = t("admin.actions.delete").capitalize + " " + @model_config.list.label.downcase
       @page_type = @abstract_model.pretty_name.downcase
 
       render :layout => 'rails_admin/delete'
     end
 
     def bulk_destroy
-      @destroyed_objects = @abstract_model.destroy(params[:bulk_ids])
+      @authorization_adapter.authorize(:bulk_destroy, @abstract_model) if @authorization_adapter
+
+      scope = @authorization_adapter && @authorization_adapter.query(params[:action].to_sym, @abstract_model)
+      @destroyed_objects = @abstract_model.destroy(params[:bulk_ids], scope)
 
       @destroyed_objects.each do |object|
         message = "Destroyed #{@model_config.list.with(:object => object).object_label}"
@@ -161,8 +166,10 @@ def handle_error(e)
     private
 
     def get_bulk_objects
+      scope = @authorization_adapter && @authorization_adapter.query(params[:action].to_sym, @abstract_model)
       @bulk_ids = params[:bulk_ids]
-      @bulk_objects = @abstract_model.get_bulk(@bulk_ids)
+      @bulk_objects = @abstract_model.get_bulk(@bulk_ids, scope)
+
       not_found unless @bulk_objects
     end
 

lib/rails_admin/adapters/active_record.rb

@@ -11,15 +11,11 @@ def get(id)
         else
           nil
         end
-      # TODO: ActiveRecord::Base.find_by_id will never raise RecordNotFound, will it?
-      rescue ActiveRecord::RecordNotFound 
-        nil
       end
 
-      def get_bulk(ids)
-        model.find(ids)
-      rescue ActiveRecord::RecordNotFound
-        nil
+      def get_bulk(ids, scope = nil)
+        scope ||= model
+        scope.find_all_by_id(ids)
       end
 
       def count(options = {}, scope = nil)
@@ -59,8 +55,9 @@ def new(params = {})
         RailsAdmin::AbstractObject.new(model.new)
       end
 
-      def destroy(ids)
-        model.destroy(ids)
+      def destroy(ids, scope = nil)
+        scope ||= model
+        scope.destroy_all(:id => ids)
       end
 
       def destroy_all!

lib/rails_admin/authorization_adapters/cancan_adapter.rb

@@ -34,7 +34,7 @@ def translate_action(action)
         case action
         when :index then nil # we don't want to do extra action authorization for dashboard
         when :list then :index
-        when :delete then :destroy
+        when :delete, :bulk_delete, :bulk_destroy then :destroy
         else action
         end
       end

spec/requests/authorization/cancan_spec.rb

@@ -158,6 +158,21 @@ def initialize(user)
         }.should raise_error(CanCan::AccessDenied)
       end
 
+      it "GET /admin/player/bulk_delete should render and destroy records which are authorized to" do
+        active_player = RailsAdmin::AbstractModel.new("Player").create(:team_id => rand(99999), :number => 32, :name => "Leonardo", :retired => false)
+        retired_player = RailsAdmin::AbstractModel.new("Player").create(:team_id => rand(99999), :number => 42, :name => "Splinter", :retired => true)
+
+        @delete_ids = [active_player, retired_player].map(&:id)
+        get rails_admin_bulk_delete_path(:model_name => "player", :bulk_ids => @delete_ids)
+
+        response.body.should contain("Leonardo")
+        response.body.should_not contain("Splinter")
+        click_button "Yes, I'm sure"
+
+        Player.exists?(active_player.id).should be_false
+        Player.exists?(retired_player.id).should be_true
+      end
+
     end
 
     # TODO: Authorize bulk_delete and bulk_destroy actions