cancan 1.2.0 → 1.3.2

data/spec/cancan/active_record_additions_spec.rb

@@ -2,16 +2,16 @@ require "spec_helper"
 
 describe CanCan::ActiveRecordAdditions do
   before(:each) do
-    @model_class = Class.new
+    @model_class = Class.new(Person)
     stub(@model_class).scoped { :scoped_stub }
     @model_class.send(:include, CanCan::ActiveRecordAdditions)
     @ability = Object.new
     @ability.extend(CanCan::Ability)
   end
 
-  it "should call where(:id => nil) when no ability is defined so no records are found" do
-    stub(@model_class).where(:id => nil).stub!.joins(nil) { :no_where }
-    @model_class.accessible_by(@ability, :read).should == :no_where
+  it "should call where('true=false') when no ability is defined so no records are found" do
+    stub(@model_class).where('true=false').stub!.joins(nil) { :no_match }
+    @model_class.accessible_by(@ability, :read).should == :no_match
   end
 
   it "should call where with matching ability conditions" do
@@ -25,4 +25,27 @@ describe CanCan::ActiveRecordAdditions do
     stub(@model_class).scoped(:conditions => {:foos => {:bar => 1}}, :joins => [:foo]) { :found_records }
     @model_class.accessible_by(@ability).should == :found_records
   end
+
+  it "should merge association joins and sanitize conditions" do
+    @ability.can :read, @model_class, :foo => {:bar => 1}
+    @ability.can :read, @model_class, :too => {:car => 1, :far => {:bar => 1}}
+
+    condition_variants = [
+        '(toos.far.bar=1 AND toos.car=1) OR (foos.bar=1)', # faked sql sanitizer is stupid ;-)
+        '(toos.car=1 AND toos.far.bar=1) OR (foos.bar=1)'
+    ]
+    joins_variants = [
+        [:foo, {:too => [:far]}],
+        [{:too => [:far]}, :foo]
+    ]
+
+    condition_variants.each do |condition|
+      joins_variants.each do |joins|
+        stub(@model_class).scoped( :conditions => condition, :joins => joins ) { :found_records }
+      end
+    end
+    # @ability.conditions(:read, @model_class).should == '(too.car=1 AND too.far.bar=1) OR (foo.bar=1)'
+    # @ability.associations_hash(:read, @model_class).should == [{:too => [:far]}, :foo]
+    @model_class.accessible_by(@ability).should == :found_records
+  end
 end

data/spec/cancan/can_definition_spec.rb

@@ -7,38 +7,38 @@ describe CanCan::CanDefinition do
   end
 
   it "should return no association joins if none exist" do
-    @can.association_joins.should be_nil
+    @can.associations_hash.should == {}
   end
 
   it "should return no association for joins if just attributes" do
     @conditions[:foo] = :bar
-    @can.association_joins.should be_nil
+    @can.associations_hash.should == {}
   end
 
   it "should return single association for joins" do
     @conditions[:foo] = {:bar => 1}
-    @can.association_joins.should == [:foo]
+    @can.associations_hash.should == {:foo => {}}
   end
 
   it "should return multiple associations for joins" do
     @conditions[:foo] = {:bar => 1}
     @conditions[:test] = {1 => 2}
-    @can.association_joins.map(&:to_s).sort.should == [:foo, :test].map(&:to_s).sort
+    @can.associations_hash.should == {:foo => {}, :test => {}}
   end
 
   it "should return nested associations for joins" do
     @conditions[:foo] = {:bar => {1 => 2}}
-    @can.association_joins.should == [{:foo => [:bar]}]
+    @can.associations_hash.should == {:foo => {:bar => {}}}
   end
 
   it "should return table names in conditions for association joins" do
     @conditions[:foo] = {:bar => 1}
     @conditions[:test] = 1
-    @can.conditions(:tableize => true).should == { :foos => { :bar => 1}, :test => 1 }
+    @can.tableized_conditions.should == {:foos => {:bar => 1}, :test => 1}
   end
 
   it "should return no association joins if conditions is nil" do
     can = CanCan::CanDefinition.new(true, :read, Integer, nil, nil)
-    can.association_joins.should be_nil
+    can.associations_hash.should == {}
   end
 end

data/spec/cancan/controller_additions_spec.rb

@@ -52,20 +52,26 @@ describe CanCan::ControllerAdditions do
     @controller.cannot?(:foo, :bar).should be_true
   end
 
-  it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
-    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource
+  it "load_and_authorize_resource should setup a before filter which passes call to ControllerResource" do
+    stub(CanCan::ControllerResource).new(@controller, nil, :foo => :bar).mock!.load_and_authorize_resource
     mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
     @controller_class.load_and_authorize_resource :foo => :bar
   end
 
-  it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
-    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource
+  it "load_and_authorize_resource should properly pass first argument as the resource name" do
+    stub(CanCan::ControllerResource).new(@controller, :project, :foo => :bar).mock!.load_and_authorize_resource
+    mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
+    @controller_class.load_and_authorize_resource :project, :foo => :bar
+  end
+
+  it "authorize_resource should setup a before filter which passes call to ControllerResource" do
+    stub(CanCan::ControllerResource).new(@controller, nil, :foo => :bar).mock!.authorize_resource
     mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) }
     @controller_class.authorize_resource :foo => :bar, :except => :show
   end
 
-  it "load_resource should setup a before filter which passes call to ResourceAuthorization" do
-    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource
+  it "load_resource should setup a before filter which passes call to ControllerResource" do
+    stub(CanCan::ControllerResource).new(@controller, nil, :foo => :bar).mock!.load_resource
     mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) }
     @controller_class.load_resource :foo => :bar, :only => [:show, :index]
   end

data/spec/cancan/controller_resource_spec.rb

@@ -2,58 +2,250 @@ require "spec_helper"
 
 describe CanCan::ControllerResource do
   before(:each) do
-    @controller = Object.new
+    @params = HashWithIndifferentAccess.new(:controller => "abilities")
+    @controller = Object.new # simple stub for now
+    stub(@controller).params { @params }
   end
 
-  it "should determine model class by constantizing give name" do
-    CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability
+  it "should load the resource into an instance variable if params[:id] is specified" do
+    @params.merge!(:action => "show", :id => 123)
+    stub(Ability).find(123) { :some_resource }
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
   end
 
-  it "should fetch model through model class and assign it to the instance" do
-    stub(Ability).find(123) { :some_ability }
-    CanCan::ControllerResource.new(@controller, :ability).find(123)
+  it "should not load resource into an instance variable if already set" do
+    @params.merge!(:action => "show", :id => 123)
+    @controller.instance_variable_set(:@ability, :some_ability)
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
     @controller.instance_variable_get(:@ability).should == :some_ability
   end
 
-  it "should fetch model through parent and assign it to the instance" do
-    parent = Object.new
-    stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability }
-    CanCan::ControllerResource.new(@controller, :ability, parent).find(123)
+  it "should properly load resource for namespaced controller" do
+    @params.merge!(:controller => "admin/abilities", :action => "show", :id => 123)
+    stub(Ability).find(123) { :some_resource }
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+
+  it "should properly load resource for namespaced controller when using '::' for namespace" do
+    @params.merge!(:controller => "Admin::AbilitiesController", :action => "show", :id => 123)
+    stub(Ability).find(123) { :some_resource }
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+
+  it "should build a new resource with hash if params[:id] is not specified" do
+    @params.merge!(:action => "create", :ability => {:foo => "bar"})
+    stub(Ability).new("foo" => "bar") { :some_resource }
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+
+  it "should build a new resource with no arguments if attribute hash isn't specified" do
+    @params[:action] = "new"
+    mock(Ability).new { :some_resource }
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+
+  it "should not build a resource when on index action" do
+    @params[:action] = "index"
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+
+  it "should perform authorization using controller action and loaded model" do
+    @params[:action] = "show"
+    @controller.instance_variable_set(:@ability, :some_resource)
+    stub(@controller).authorize!(:show, :some_resource) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller)
+    lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
+  end
+
+  it "should perform authorization using controller action and non loaded model" do
+    @params[:action] = "show"
+    stub(@controller).authorize!(:show, Ability) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller)
+    lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
+  end
+
+  it "should call load_resource and authorize_resource for load_and_authorize_resource" do
+    @params[:action] = "show"
+    resource = CanCan::ControllerResource.new(@controller)
+    mock(resource).load_resource
+    mock(resource).authorize_resource
+    resource.load_and_authorize_resource
+  end
+
+  it "should not build a resource when on custom collection action" do
+    @params[:action] = "sort"
+    resource = CanCan::ControllerResource.new(@controller, :collection => [:sort, :list])
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+
+  it "should build a resource when on custom new action even when params[:id] exists" do
+    @params.merge!(:action => "build", :id => 123)
+    stub(Ability).new { :some_resource }
+    resource = CanCan::ControllerResource.new(@controller, :new => :build)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+
+  it "should not try to load resource for other action if params[:id] is undefined" do
+    @params[:action] = "list"
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+
+  it "should be a parent resource when name is provided which doesn't match controller" do
+    resource = CanCan::ControllerResource.new(@controller, :person)
+    resource.should be_parent
+  end
+
+  it "should not be a parent resource when name is provided which matches controller" do
+    resource = CanCan::ControllerResource.new(@controller, :ability)
+    resource.should_not be_parent
+  end
+
+  it "should be parent if specified in options" do
+    resource = CanCan::ControllerResource.new(@controller, :ability, {:parent => true})
+    resource.should be_parent
+  end
+
+  it "should not be parent if specified in options" do
+    resource = CanCan::ControllerResource.new(@controller, :person, {:parent => false})
+    resource.should_not be_parent
+  end
+
+  it "should load parent resource through proper id parameter when supplying a resource with a different name" do
+    @params.merge!(:action => "index", :person_id => 123)
+    stub(Person).find(123) { :some_person }
+    resource = CanCan::ControllerResource.new(@controller, :person)
+    resource.load_resource
+    @controller.instance_variable_get(:@person).should == :some_person
+  end
+
+  it "should load parent resource for collection action" do
+    @params.merge!(:action => "index", :person_id => 456)
+    stub(Person).find(456) { :some_person }
+    resource = CanCan::ControllerResource.new(@controller, :person)
+    resource.load_resource
+    @controller.instance_variable_get(:@person).should == :some_person
+  end
+
+  it "should load resource through the association of another parent resource" do
+    @params.merge!(:action => "show", :id => 123)
+    person = Object.new
+    @controller.instance_variable_set(:@person, person)
+    stub(person).abilities.stub!.find(123) { :some_ability }
+    resource = CanCan::ControllerResource.new(@controller, :through => :person)
+    resource.load_resource
     @controller.instance_variable_get(:@ability).should == :some_ability
   end
 
-  it "should build model through model class and assign it to the instance" do
-    stub(Ability).new(123) { :some_ability }
-    CanCan::ControllerResource.new(@controller, :ability).build(123)
+  it "should not load through parent resource if instance isn't loaded" do
+    @params.merge!(:action => "show", :id => 123)
+    stub(Ability).find(123) { :some_ability }
+    resource = CanCan::ControllerResource.new(@controller, :through => :person)
+    resource.load_resource
     @controller.instance_variable_get(:@ability).should == :some_ability
   end
 
-  it "should build model through parent and assign it to the instance" do
-    parent = Object.new
-    stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability }
-    CanCan::ControllerResource.new(@controller, :ability, parent).build(123)
+  it "should load through first matching if multiple are given" do
+    @params.merge!(:action => "show", :id => 123)
+    person = Object.new
+    @controller.instance_variable_set(:@person, person)
+    stub(person).abilities.stub!.find(123) { :some_ability }
+    resource = CanCan::ControllerResource.new(@controller, :through => [:thing, :person])
+    resource.load_resource
     @controller.instance_variable_get(:@ability).should == :some_ability
   end
 
-  it "should not load resource if instance variable is already provided" do
-    @controller.instance_variable_set(:@ability, :some_ability)
-    CanCan::ControllerResource.new(@controller, :ability).find(123)
+  it "should find record through has_one association with :singleton option" do
+    @params.merge!(:action => "show")
+    person = Object.new
+    @controller.instance_variable_set(:@person, person)
+    stub(person).ability { :some_ability }
+    resource = CanCan::ControllerResource.new(@controller, :through => :person, :singleton => true)
+    resource.load_resource
     @controller.instance_variable_get(:@ability).should == :some_ability
   end
 
-  it "should use the model class option if provided" do
+  it "should build record through has_one association with :singleton option" do
+    @params.merge!(:action => "create", :ability => :ability_attributes)
+    person = Object.new
+    @controller.instance_variable_set(:@person, person)
+    stub(person).build_ability(:ability_attributes) { :new_ability }
+    resource = CanCan::ControllerResource.new(@controller, :through => :person, :singleton => true)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should == :new_ability
+  end
+
+  it "should only authorize :read action on parent resource" do
+    @params.merge!(:action => "new", :person_id => 123)
+    stub(Person).find(123) { :some_person }
+    stub(@controller).authorize!(:read, :some_person) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller, :person)
+    lambda { resource.load_and_authorize_resource }.should raise_error(CanCan::AccessDenied)
+  end
+
+  it "should load the model using a custom class" do
+    @params.merge!(:action => "show", :id => 123)
     stub(Person).find(123) { :some_resource }
-    CanCan::ControllerResource.new(@controller, :ability, nil, :resource => Person).find(123)
+    resource = CanCan::ControllerResource.new(@controller, :class => Person)
+    resource.load_resource
     @controller.instance_variable_get(:@ability).should == :some_resource
   end
 
-  it "should convert string to constant for resource" do
-    CanCan::ControllerResource.new(@controller, :ability, nil, :resource => "Person").model_class.should == Person
+  it "should authorize based on resource name if class is false" do
+    @params.merge!(:action => "show", :id => 123)
+    stub(@controller).authorize!(:show, :ability) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller, :class => false)
+    lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
+  end
+
+  it "should load and authorize using custom instance name" do
+    @params.merge!(:action => "show", :id => 123)
+    stub(Ability).find(123) { :some_ability }
+    stub(@controller).authorize!(:show, :some_ability) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller, :instance_name => :custom_ability)
+    lambda { resource.load_and_authorize_resource }.should raise_error(CanCan::AccessDenied)
+    @controller.instance_variable_get(:@custom_ability).should == :some_ability
+  end
+
+  it "should load resource using custom find_by attribute" do
+    @params.merge!(:action => "show", :id => 123)
+    stub(Ability).find_by_name!(123) { :some_resource }
+    resource = CanCan::ControllerResource.new(@controller, :find_by => :name)
+    resource.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+
+  it "should raise ImplementationRemoved when adding :name option" do
+    lambda {
+      CanCan::ControllerResource.new(@controller, :name => :foo)
+    }.should raise_error(CanCan::ImplementationRemoved)
+  end
+
+  it "should raise ImplementationRemoved exception when specifying :resource option since it is no longer used" do
+    lambda {
+      CanCan::ControllerResource.new(@controller, :resource => Person)
+    }.should raise_error(CanCan::ImplementationRemoved)
   end
 
-  it "should raise an exception when specifying :class option since it is no longer used" do
+  it "should raise ImplementationRemoved exception when passing :nested option" do
     lambda {
-      CanCan::ControllerResource.new(@controller, :ability, nil, :class => Person)
+      CanCan::ControllerResource.new(@controller, :nested => :person)
     }.should raise_error(CanCan::ImplementationRemoved)
   end
 end

data/spec/cancan/query_spec.rb

@@ -0,0 +1,107 @@
+require "spec_helper"
+
+describe CanCan::Query do
+  before(:each) do
+    @ability = Object.new
+    @ability.extend(CanCan::Ability)
+  end
+
+  it "should have false conditions if no abilities match" do
+    @ability.query(:destroy, Person).conditions.should == "true=false"
+  end
+
+  it "should return hash for single `can` definition" do
+    @ability.can :read, Person, :blocked => false, :user_id => 1
+    @ability.query(:read, Person).conditions.should == { :blocked => false, :user_id => 1 }
+  end
+
+  it "should merge multiple can definitions into single SQL string joining with OR" do
+    @ability.can :read, Person, :blocked => false
+    @ability.can :read, Person, :admin => true
+    @ability.query(:read, Person).conditions.should == "(admin=true) OR (blocked=false)"
+  end
+
+  it "should merge multiple can definitions into single SQL string joining with OR and AND" do
+    @ability.can :read, Person, :blocked => false, :active => true
+    @ability.can :read, Person, :admin => true
+    @ability.query(:read, Person).conditions.should orderlessly_match("(blocked=false AND active=true) OR (admin=true)")
+  end
+
+  it "should merge multiple can definitions into single SQL string joining with OR and AND" do
+    @ability.can :read, Person, :blocked => false, :active => true
+    @ability.can :read, Person, :admin => true
+    @ability.query(:read, Person).conditions.should orderlessly_match("(blocked=false AND active=true) OR (admin=true)")
+  end
+
+  it "should return false conditions for cannot clause" do
+    @ability.cannot :read, Person
+    @ability.query(:read, Person).conditions.should == "true=false"
+  end
+
+  it "should return SQL for single `can` definition in front of default `cannot` condition" do
+    @ability.cannot :read, Person
+    @ability.can :read, Person, :blocked => false, :user_id => 1
+    @ability.query(:read, Person).conditions.should orderlessly_match("blocked=false AND user_id=1")
+  end
+
+  it "should return true condition for single `can` definition in front of default `can` condition" do
+    @ability.can :read, Person
+    @ability.can :read, Person, :blocked => false, :user_id => 1
+    @ability.query(:read, Person).conditions.should == 'true=true'
+  end
+
+  it "should return false condition for single `cannot` definition" do
+    @ability.cannot :read, Person, :blocked => true, :user_id => 1
+    @ability.query(:read, Person).conditions.should == 'true=false'
+  end
+
+  it "should return `false condition` for single `cannot` definition in front of default `cannot` condition" do
+    @ability.cannot :read, Person
+    @ability.cannot :read, Person, :blocked => true, :user_id => 1
+    @ability.query(:read, Person).conditions.should == 'true=false'
+  end
+
+  it "should return `not (sql)` for single `cannot` definition in front of default `can` condition" do
+    @ability.can :read, Person
+    @ability.cannot :read, Person, :blocked => true, :user_id => 1
+    @ability.query(:read, Person).conditions.should orderlessly_match("not (blocked=true AND user_id=1)")
+  end
+
+  it "should return appropriate sql conditions in complex case" do
+    @ability.can :read, Person
+    @ability.can :manage, Person, :id => 1
+    @ability.can :update, Person, :manager_id => 1
+    @ability.cannot :update, Person, :self_managed => true
+    @ability.query(:update, Person).conditions.should == 'not (self_managed=true) AND ((manager_id=1) OR (id=1))'
+    @ability.query(:manage, Person).conditions.should == {:id=>1}
+    @ability.query(:read, Person).conditions.should == 'true=true'
+  end
+
+  it "should have nil joins if no can definitions" do
+    @ability.query(:read, Person).joins.should be_nil
+  end
+
+  it "should have nil joins if no nested hashes specified in conditions" do
+    @ability.can :read, Person, :blocked => false
+    @ability.can :read, Person, :admin => true
+    @ability.query(:read, Person).joins.should be_nil
+  end
+
+  it "should merge separate joins into a single array" do
+    @ability.can :read, Person, :project => { :blocked => false }
+    @ability.can :read, Person, :company => { :admin => true }
+    @ability.query(:read, Person).joins.inspect.should orderlessly_match([:company, :project].inspect)
+  end
+
+  it "should merge same joins into a single array" do
+    @ability.can :read, Person, :project => { :blocked => false }
+    @ability.can :read, Person, :project => { :admin => true }
+    @ability.query(:read, Person).joins.should == [:project]
+  end
+
+  it "should merge complex, nested joins" do
+    @ability.can :read, Person, :project => { :bar => {:test => true} }, :company => { :bar => {:test => true} }
+    @ability.can :read, Person, :project => { :foo => {:bar => true}, :bar => {:zip => :zap} }
+    @ability.query(:read, Person).joins.inspect.should orderlessly_match([{:project => [:bar, :foo]}, {:company => [:bar]}].inspect)
+  end
+end