Debugging ControllerPermission.load_object in in_controller:rb

stffn · Jan 14, 2014 · a4ded5c · a4ded5c
1 parent e21a43b
commit a4ded5c
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 10 deletions.
diff --git a/README.rdoc b/README.rdoc
@@ -21,6 +21,7 @@ Plugin features
   * Authorize CRUD (Create, Read, Update, Delete) activities
   * Query rewriting to automatically only fetch authorized records
 * DSL for specifying Authorization rules in an authorization configuration
+* Support for Rails 4, with backwards compatibility through Rails 2
 
 
 Requirements
@@ -92,6 +93,15 @@ filter_access_to with the appropriate parameters to protect the CRUD methods.
 See Authorization::AuthorizationInController::ClassMethods for options on
 nested resources and custom member and collection actions.
 
+By default, declarative_authorization will enable filter_resource_access compatibility with strong_parameters in Rails 4.  If you want to disable this behavior, you can use the `:strong_parameters` option.
+
+    class EmployeesController < ApplicationController
+      filter_resource_access :strong_parameters => false
+      ...
+    end
+
+Simalarly, you can use `:strong_parameters => true` if you are using strong_parameters in Rails 3.
+
 If you prefer less magic or your controller has no resemblance with the resource
 controllers, directly calling filter_access_to may be the better option.  Examples
 are given in the following.  E.g. the privilege index users is required for

diff --git a/lib/declarative_authorization/in_controller.rb b/lib/declarative_authorization/in_controller.rb
@@ -296,12 +296,16 @@ def filter_access_to (*args, &filter_block)
           :context => nil,
           :attribute_check => false,
           :model => nil,
-          :load_method => nil
+          :load_method => nil,
+          :strong_parameters => nil
         }.merge!(options)
         privilege = options[:require]
         context = options[:context]
         actions = args.flatten
 
+        puts "filter_access_to strong_parameters = " + options[:strong_parameters].inspect
+        puts "filter_access_to options = " + options.inspect + args.inspect if options[:strong_parameters]
+
         # prevent setting filter_access_filter multiple times
         skip_before_filter :filter_access_filter
         before_filter :filter_access_filter
@@ -311,8 +315,8 @@ def filter_access_to (*args, &filter_block)
         end
         filter_access_permissions << 
           ControllerPermission.new(actions, privilege, context,
-                                   options[:attribute_check],
                                    options[:strong_parameters],
+                                   options[:attribute_check],
                                    options[:model],
                                    options[:load_method],
                                    filter_block)
@@ -486,6 +490,8 @@ def filter_resource_access(options = {})
         }.merge(options)
         options.merge!({ :strong_parameters => true }) if Rails.version >= '4' && options[:strong_parameters] == nil
 
+        puts "options[:strong_parameters] = " + options[:strong_parameters].inspect
+
         new_actions = actions_from_option( options[:new] ).merge(
             actions_from_option(options[:additional_new]) )
         members = actions_from_option(options[:member]).merge(
@@ -605,8 +611,8 @@ def actions_from_option (option) # :nodoc:
   end
 
   class ControllerPermission # :nodoc:
-    attr_reader :actions, :privilege, :context, :attribute_check
-    def initialize (actions, privilege, context, attribute_check = false, strong_params = nil,
+    attr_reader :actions, :privilege, :context, :attribute_check, :strong_params
+    def initialize (actions, privilege, context, strong_params, attribute_check = false,
                     load_object_model = nil, load_object_method = nil,
                     filter_block = nil)
       @actions = actions.to_set
@@ -617,6 +623,7 @@ def initialize (actions, privilege, context, attribute_check = false, strong_par
       @filter_block = filter_block
       @attribute_check = attribute_check
       @strong_params = strong_params
+      puts "ControllerPermission initialize strong_params = " + @strong_params.inspect
     end
 
     def matches? (action_name)
@@ -642,7 +649,7 @@ def remove_actions (actions)
       self
     end
 
-     private
+    private
     def load_object(contr)
       if @load_object_method and @load_object_method.is_a?(Symbol)
         contr.send(@load_object_method)
@@ -655,6 +662,7 @@ def load_object(contr)
         object = contr.instance_variable_get(instance_var)
         unless object
           begin
+            puts "@strong_params = " + @strong_params.inspect
             object = @strong_params ? load_object_model.find_or_initialize_by(:id => contr.params[:id]) : load_object_model.find(contr.params[:id])
           rescue => e
             contr.logger.debug("filter_access_to tried to find " +
@@ -670,3 +678,4 @@ def load_object(contr)
     end
   end
 end
+
diff --git a/test/controller_filter_resource_access_test.rb b/test/controller_filter_resource_access_test.rb
@@ -523,7 +523,7 @@ class StrongResourcesController < MocksController
     def self.controller_name
       "strong_resources"
     end
-    filter_resource_access
+    filter_resource_access :strong_parameters => true
     define_resource_actions
 
     private
@@ -532,23 +532,39 @@ def strong_resource_params
     end
   end
   class StrongResourcesControllerTest < ActionController::TestCase
-    def test_new_strong_resource
+    def test_still_authorized_with_strong_params
       reader = Authorization::Reader::DSLReader.new
       reader.parse %{
         authorization do
           role :allowed_role do
-            has_permission_on :strong_resources, :to => :new do
+            has_permission_on :strong_resources, :to => :show do
               if_attribute :id => "1"
             end
           end
         end
       }
 
       allowed_user = MockUser.new(:allowed_role)
-      request!(allowed_user, :new, reader, :id => "2")
+      request!(allowed_user, :show, reader, :id => "2")
       assert !@controller.authorized?
-      request!(MockUser.new(:allowed_role), :new, reader, :id => "1", :clear => [:@strong_resource])
+      request!(allowed_user, :show, reader, :id => "1", :clear => [:@strong_resource])
       assert @controller.authorized?
     end
+
+    def test_create_strong_resource
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :allowed_role do
+            has_permission_on :strong_resources, :to => :create
+          end
+        end
+      }
+
+      allowed_user = MockUser.new(:allowed_role)
+      request!(allowed_user, :create, reader, :strong_resource => {:id => "1"}, :clear => [:@strong_resource])
+      assert @controller.authorized?
+      assert assigns :strong_resource
+    end
   end
 end
diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -16,6 +16,14 @@
 # rails 2.3 and ruby 1.9.3 fix
 MissingSourceFile::REGEXPS.push([/^cannot load such file -- (.+)$/i, 1])
 
+# Silence Rails 4 deprecation warnings in test suite
+# TODO: Model.scoped is deprecated
+# TODO: Eager loading Post.includes(:comments).where("comments.title = 'foo'") becomes Post.includes(:comments).where("comments.title = 'foo'").references(:comments)
+# TODO: has_many conditions is deprecated for a scoped block
+if Rails.version >= '4'
+  ActiveSupport::Deprecation.silenced = true
+end
+
 puts "Testing against rails #{Rails::VERSION::STRING}"
 
 RAILS_ROOT = File.dirname(__FILE__)