cancan 1.4.1 → 1.5.0.beta1

data/spec/cancan/ability_spec.rb

@@ -32,7 +32,7 @@ describe CanCan::Ability do
     @ability.can?(:read, Symbol).should be_true
   end
 
-  it "should pass to previous can definition, if block returns false or nil" do
+  it "should pass to previous rule, if block returns false or nil" do
     @ability.can :read, Symbol
     @ability.can :read, Integer do |i|
       i < 5
@@ -144,7 +144,7 @@ describe CanCan::Ability do
     @ability.can?(:update, 123).should be_false
   end
 
-  it "should support custom objects in the can definition" do
+  it "should support custom objects in the rule" do
     @ability.can :read, :stats
     @ability.can?(:read, :stats).should be_true
     @ability.can?(:update, :stats).should be_false
@@ -165,7 +165,7 @@ describe CanCan::Ability do
     @ability.can?(:read, 123).should be_false
   end
 
-  it "should pass to previous can definition, if block returns false or nil" do
+  it "should pass to previous rule, if block returns false or nil" do
     @ability.can :read, :all
     @ability.cannot :read, Integer do |int|
       int > 10 ? nil : ( int > 5 )
@@ -343,6 +343,14 @@ describe CanCan::Ability do
     end
   end
 
+  it "should determine model adapter class by asking AbstractAdapter" do
+    model_class = Object.new
+    adapter_class = Object.new
+    stub(CanCan::ModelAdapters::AbstractAdapter).adapter_class(model_class) { adapter_class }
+    stub(adapter_class).new(model_class, []) { :adapter_instance }
+    @ability.model_adapter(model_class, :read).should == :adapter_instance
+  end
+
   describe "unauthorized message" do
     after(:each) do
       I18n.backend = nil

data/spec/cancan/controller_additions_spec.rb

@@ -83,4 +83,34 @@ describe CanCan::ControllerAdditions do
     stub(@controller.class).ancestors { ["InheritedResources::Actions"] }
     @controller.class.cancan_resource_class.should == CanCan::InheritedResource
   end
+
+  it "cancan_skipper should be an empty hash with :authorize and :load options and remember changes" do
+    @controller_class.cancan_skipper.should == {:authorize => {}, :load => {}}
+    @controller_class.cancan_skipper[:load] = true
+    @controller_class.cancan_skipper[:load].should == true
+  end
+
+  it "skip_authorize_resource should add itself to the cancan skipper with given model name and options" do
+    @controller_class.skip_authorize_resource(:project, :only => [:index, :show])
+    @controller_class.cancan_skipper[:authorize][:project].should == {:only => [:index, :show]}
+    @controller_class.skip_authorize_resource(:only => [:index, :show])
+    @controller_class.cancan_skipper[:authorize][nil].should == {:only => [:index, :show]}
+    @controller_class.skip_authorize_resource(:article)
+    @controller_class.cancan_skipper[:authorize][:article].should == {}
+  end
+
+  it "skip_load_resource should add itself to the cancan skipper with given model name and options" do
+    @controller_class.skip_load_resource(:project, :only => [:index, :show])
+    @controller_class.cancan_skipper[:load][:project].should == {:only => [:index, :show]}
+    @controller_class.skip_load_resource(:only => [:index, :show])
+    @controller_class.cancan_skipper[:load][nil].should == {:only => [:index, :show]}
+    @controller_class.skip_load_resource(:article)
+    @controller_class.cancan_skipper[:load][:article].should == {}
+  end
+
+  it "skip_load_and_authore_resource should add itself to the cancan skipper with given model name and options" do
+    @controller_class.skip_load_and_authorize_resource(:project, :only => [:index, :show])
+    @controller_class.cancan_skipper[:load][:project].should == {:only => [:index, :show]}
+    @controller_class.cancan_skipper[:authorize][:project].should == {:only => [:index, :show]}
+  end
 end

data/spec/cancan/controller_resource_spec.rb

@@ -3,10 +3,12 @@ require "spec_helper"
 describe CanCan::ControllerResource do
   before(:each) do
     @params = HashWithIndifferentAccess.new(:controller => "projects")
-    @controller = Object.new # simple stub for now
+    @controller_class = Class.new
+    @controller = @controller_class.new
     @ability = Ability.new(nil)
     stub(@controller).params { @params }
     stub(@controller).current_ability { @ability }
+    stub(@controller_class).cancan_skipper { {:authorize => {}, :load => {}} }
   end
 
   it "should load the resource into an instance variable if params[:id] is specified" do
@@ -91,6 +93,22 @@ describe CanCan::ControllerResource do
     @controller.instance_variable_defined?(:@projects).should be_false
   end
 
+  it "should not authorize single resource in collection action" do
+    @params[:action] = "index"
+    @controller.instance_variable_set(:@project, :some_project)
+    stub(@controller).authorize!(:index, Project) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller)
+    lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
+  end
+
+  it "should authorize parent resource in collection action" do
+    @params[:action] = "index"
+    @controller.instance_variable_set(:@category, :some_category)
+    stub(@controller).authorize!(:read, :some_category) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller, :category, :parent => true)
+    lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
+  end
+
   it "should perform authorization using controller action and loaded model" do
     @params[:action] = "show"
     @controller.instance_variable_set(:@project, :some_project)
@@ -245,7 +263,7 @@ describe CanCan::ControllerResource do
     @params.merge!(:action => "create", :project => {:name => "foobar"})
     category = Object.new
     @controller.instance_variable_set(:@category, category)
-    stub(category).build_project { Project.new }
+    stub(category).build_project { |attributes| Project.new(attributes) }
     resource = CanCan::ControllerResource.new(@controller, :through => :category, :singleton => true)
     resource.load_resource
     @controller.instance_variable_get(:@project).name.should == "foobar"
@@ -323,4 +341,52 @@ describe CanCan::ControllerResource do
       CanCan::ControllerResource.new(@controller, :nested => :project)
     }.should raise_error(CanCan::ImplementationRemoved)
   end
+
+  it "should skip resource behavior for :only actions in array" do
+    stub(@controller_class).cancan_skipper { {:load => {nil => {:only => [:index, :show]}}} }
+    @params.merge!(:action => "index")
+    CanCan::ControllerResource.new(@controller).skip?(:load).should be_true
+    CanCan::ControllerResource.new(@controller, :some_resource).skip?(:load).should be_false
+    @params.merge!(:action => "show")
+    CanCan::ControllerResource.new(@controller).skip?(:load).should be_true
+    @params.merge!(:action => "other_action")
+    CanCan::ControllerResource.new(@controller).skip?(:load).should be_false
+  end
+
+  it "should skip resource behavior for :only one action on resource" do
+    stub(@controller_class).cancan_skipper { {:authorize => {:project => {:only => :index}}} }
+    @params.merge!(:action => "index")
+    CanCan::ControllerResource.new(@controller).skip?(:authorize).should be_false
+    CanCan::ControllerResource.new(@controller, :project).skip?(:authorize).should be_true
+    @params.merge!(:action => "other_action")
+    CanCan::ControllerResource.new(@controller, :project).skip?(:authorize).should be_false
+  end
+
+  it "should skip resource behavior :except actions in array" do
+    stub(@controller_class).cancan_skipper { {:load => {nil => {:except => [:index, :show]}}} }
+    @params.merge!(:action => "index")
+    CanCan::ControllerResource.new(@controller).skip?(:load).should be_false
+    @params.merge!(:action => "show")
+    CanCan::ControllerResource.new(@controller).skip?(:load).should be_false
+    @params.merge!(:action => "other_action")
+    CanCan::ControllerResource.new(@controller).skip?(:load).should be_true
+    CanCan::ControllerResource.new(@controller, :some_resource).skip?(:load).should be_false
+  end
+
+  it "should skip resource behavior :except one action on resource" do
+    stub(@controller_class).cancan_skipper { {:authorize => {:project => {:except => :index}}} }
+    @params.merge!(:action => "index")
+    CanCan::ControllerResource.new(@controller, :project).skip?(:authorize).should be_false
+    @params.merge!(:action => "other_action")
+    CanCan::ControllerResource.new(@controller).skip?(:authorize).should be_false
+    CanCan::ControllerResource.new(@controller, :project).skip?(:authorize).should be_true
+  end
+
+  it "should skip loading and authorization" do
+    stub(@controller_class).cancan_skipper { {:authorize => {nil => {}}, :load => {nil => {}}} }
+    @params.merge!(:action => "new")
+    resource = CanCan::ControllerResource.new(@controller)
+    lambda { resource.load_and_authorize_resource }.should_not raise_error
+    @controller.instance_variable_get(:@project).should be_nil
+  end
 end

data/spec/cancan/inherited_resource_spec.rb

@@ -3,10 +3,12 @@ require "spec_helper"
 describe CanCan::InheritedResource do
   before(:each) do
     @params = HashWithIndifferentAccess.new(:controller => "projects")
-    @controller = Object.new # simple stub for now
+    @controller_class = Class.new
+    @controller = @controller_class.new
     @ability = Ability.new(nil)
     stub(@controller).params { @params }
     stub(@controller).current_ability { @ability }
+    stub(@controller_class).cancan_skipper { {:authorize => {}, :load => {}} }
   end
 
   it "show should load resource through @controller.resource" do

data/spec/cancan/model_adapters/active_record_adapter_spec.rb

@@ -0,0 +1,185 @@
+if ENV["MODEL_ADAPTER"].nil? || ENV["MODEL_ADAPTER"] == "active_record"
+  require "spec_helper"
+
+  RSpec.configure do |config|
+    config.extend WithModel
+  end
+
+  ActiveRecord::Base.establish_connection(:adapter => "sqlite3", :database => ":memory:")
+
+  describe CanCan::ModelAdapters::ActiveRecordAdapter do
+    with_model :article do
+      table do |t|
+        t.boolean "published"
+        t.boolean "secret"
+      end
+      model do
+        has_many :comments
+      end
+    end
+
+    with_model :comment do
+      table do |t|
+        t.boolean "spam"
+        t.integer "article_id"
+      end
+      model do
+        belongs_to :article
+      end
+    end
+
+    before(:each) do
+      Article.delete_all
+      Comment.delete_all
+      @ability = Object.new
+      @ability.extend(CanCan::Ability)
+      @article_table = Article.table_name
+      @comment_table = Comment.table_name
+    end
+
+    it "should be for only active record classes" do
+      CanCan::ModelAdapters::ActiveRecordAdapter.should_not be_for_class(Object)
+      CanCan::ModelAdapters::ActiveRecordAdapter.should be_for_class(Article)
+      CanCan::ModelAdapters::AbstractAdapter.adapter_class(Article).should == CanCan::ModelAdapters::ActiveRecordAdapter
+    end
+
+    it "should not fetch any records when no abilities are defined" do
+      Article.create!
+      Article.accessible_by(@ability).should be_empty
+    end
+
+    it "should fetch all articles when one can read all" do
+      @ability.can :read, Article
+      article = Article.create!
+      Article.accessible_by(@ability).should == [article]
+    end
+
+    it "should fetch only the articles that are published" do
+      @ability.can :read, Article, :published => true
+      article1 = Article.create!(:published => true)
+      article2 = Article.create!(:published => false)
+      Article.accessible_by(@ability).should == [article1]
+    end
+
+    it "should fetch any articles which are published or secret" do
+      @ability.can :read, Article, :published => true
+      @ability.can :read, Article, :secret => true
+      article1 = Article.create!(:published => true, :secret => false)
+      article2 = Article.create!(:published => true, :secret => true)
+      article3 = Article.create!(:published => false, :secret => true)
+      article4 = Article.create!(:published => false, :secret => false)
+      Article.accessible_by(@ability).should == [article1, article2, article3]
+    end
+
+    it "should fetch only the articles that are published and not secret" do
+      @ability.can :read, Article, :published => true
+      @ability.cannot :read, Article, :secret => true
+      article1 = Article.create!(:published => true, :secret => false)
+      article2 = Article.create!(:published => true, :secret => true)
+      article3 = Article.create!(:published => false, :secret => true)
+      article4 = Article.create!(:published => false, :secret => false)
+      Article.accessible_by(@ability).should == [article1]
+    end
+
+    it "should only read comments for articles which are published" do
+      @ability.can :read, Comment, :article => { :published => true }
+      comment1 = Comment.create!(:article => Article.create!(:published => true))
+      comment2 = Comment.create!(:article => Article.create!(:published => false))
+      Comment.accessible_by(@ability).should == [comment1]
+    end
+
+    it "should allow conditions in SQL and merge with hash conditions" do
+      @ability.can :read, Article, :published => true
+      @ability.can :read, Article, ["secret=?", true]
+      article1 = Article.create!(:published => true, :secret => false)
+      article4 = Article.create!(:published => false, :secret => false)
+      Article.accessible_by(@ability).should == [article1]
+    end
+
+    it "should not allow to fetch records when ability with just block present" do
+      @ability.can :read, Article do
+        false
+      end
+      lambda { Article.accessible_by(@ability) }.should raise_error(CanCan::Error)
+    end
+
+    it "should not allow to check ability on object against SQL conditions without block" do
+      @ability.can :read, Article, ["secret=?", true]
+      lambda { @ability.can? :read, Article.new }.should raise_error(CanCan::Error)
+    end
+
+    it "should have false conditions if no abilities match" do
+      @ability.model_adapter(Article, :read).conditions.should == "'t'='f'"
+    end
+
+    it "should return false conditions for cannot clause" do
+      @ability.cannot :read, Article
+      @ability.model_adapter(Article, :read).conditions.should == "'t'='f'"
+    end
+
+    it "should return SQL for single `can` definition in front of default `cannot` condition" do
+      @ability.cannot :read, Article
+      @ability.can :read, Article, :published => false, :secret => true
+      @ability.model_adapter(Article, :read).conditions.should orderlessly_match(%Q["#{@article_table}"."published" = 'f' AND "#{@article_table}"."secret" = 't'])
+    end
+
+    it "should return true condition for single `can` definition in front of default `can` condition" do
+      @ability.can :read, Article
+      @ability.can :read, Article, :published => false, :secret => true
+      @ability.model_adapter(Article, :read).conditions.should  == "'t'='t'"
+    end
+
+    it "should return `false condition` for single `cannot` definition in front of default `cannot` condition" do
+      @ability.cannot :read, Article
+      @ability.cannot :read, Article, :published => false, :secret => true
+      @ability.model_adapter(Article, :read).conditions.should  == "'t'='f'"
+    end
+
+    it "should return `not (sql)` for single `cannot` definition in front of default `can` condition" do
+      @ability.can :read, Article
+      @ability.cannot :read, Article, :published => false, :secret => true
+      @ability.model_adapter(Article, :read).conditions.should orderlessly_match(%Q["not (#{@article_table}"."published" = 'f' AND "#{@article_table}"."secret" = 't')])
+    end
+
+    it "should return appropriate sql conditions in complex case" do
+      @ability.can :read, Article
+      @ability.can :manage, Article, :id => 1
+      @ability.can :update, Article, :published => true
+      @ability.cannot :update, Article, :secret => true
+      @ability.model_adapter(Article, :update).conditions.should == %Q[not ("#{@article_table}"."secret" = 't') AND (("#{@article_table}"."published" = 't') OR ("#{@article_table}"."id" = 1))]
+      @ability.model_adapter(Article, :manage).conditions.should == {:id => 1}
+      @ability.model_adapter(Article, :read).conditions.should == "'t'='t'"
+    end
+
+    it "should not forget conditions when calling with SQL string" do
+      @ability.can :read, Article, :published => true
+      @ability.can :read, Article, ['secret=?', false]
+      adapter = @ability.model_adapter(Article, :read)
+      2.times do
+        adapter.conditions.should == %Q[(secret='f') OR ("#{@article_table}"."published" = 't')]
+      end
+    end
+
+    it "should have nil joins if no rules" do
+      @ability.model_adapter(Article, :read).joins.should be_nil
+    end
+
+    it "should have nil joins if no nested hashes specified in conditions" do
+      @ability.can :read, Article, :published => false
+      @ability.can :read, Article, :secret => true
+      @ability.model_adapter(Article, :read).joins.should be_nil
+    end
+
+    it "should merge separate joins into a single array" do
+      @ability.can :read, Article, :project => { :blocked => false }
+      @ability.can :read, Article, :company => { :admin => true }
+      @ability.model_adapter(Article, :read).joins.inspect.should orderlessly_match([:company, :project].inspect)
+    end
+
+    it "should merge same joins into a single array" do
+      @ability.can :read, Article, :project => { :blocked => false }
+      @ability.can :read, Article, :project => { :admin => true }
+      @ability.model_adapter(Article, :read).joins.should == [:project]
+    end
+  end
+end

data/spec/cancan/model_adapters/data_mapper_adapter_spec.rb

@@ -0,0 +1,115 @@
+if ENV["MODEL_ADAPTER"] == "data_mapper"
+  require "spec_helper"
+
+  DataMapper.setup(:default, 'sqlite::memory:')
+
+  class Article
+    include DataMapper::Resource
+    property :id, Serial
+    property :published, Boolean, :default => false
+    property :secret, Boolean, :default => false
+    property :priority, Integer
+    has n, :comments
+  end
+
+  class Comment
+    include DataMapper::Resource
+    property :id, Serial
+    property :spam, Boolean, :default => false
+    belongs_to :article
+  end
+
+  DataMapper.finalize
+  DataMapper.auto_migrate!
+
+  describe CanCan::ModelAdapters::DataMapperAdapter do
+    before(:each) do
+      Article.destroy
+      Comment.destroy
+      @ability = Object.new
+      @ability.extend(CanCan::Ability)
+    end
+
+    it "should be for only data mapper classes" do
+      CanCan::ModelAdapters::DataMapperAdapter.should_not be_for_class(Object)
+      CanCan::ModelAdapters::DataMapperAdapter.should be_for_class(Article)
+      CanCan::ModelAdapters::AbstractAdapter.adapter_class(Article).should == CanCan::ModelAdapters::DataMapperAdapter
+    end
+
+    it "should not fetch any records when no abilities are defined" do
+      Article.create
+      Article.accessible_by(@ability).should be_empty
+    end
+
+    it "should fetch all articles when one can read all" do
+      @ability.can :read, Article
+      article = Article.create
+      Article.accessible_by(@ability).should == [article]
+    end
+
+    it "should fetch only the articles that are published" do
+      @ability.can :read, Article, :published => true
+      article1 = Article.create(:published => true)
+      article2 = Article.create(:published => false)
+      Article.accessible_by(@ability).should == [article1]
+    end
+
+    it "should fetch any articles which are published or secret" do
+      @ability.can :read, Article, :published => true
+      @ability.can :read, Article, :secret => true
+      article1 = Article.create(:published => true, :secret => false)
+      article2 = Article.create(:published => true, :secret => true)
+      article3 = Article.create(:published => false, :secret => true)
+      article4 = Article.create(:published => false, :secret => false)
+      Article.accessible_by(@ability).should == [article1, article2, article3]
+    end
+
+    it "should fetch only the articles that are published and not secret" do
+      pending "the `cannot` may require some custom SQL, maybe abstract out from Active Record adapter"
+      @ability.can :read, Article, :published => true
+      @ability.cannot :read, Article, :secret => true
+      article1 = Article.create(:published => true, :secret => false)
+      article2 = Article.create(:published => true, :secret => true)
+      article3 = Article.create(:published => false, :secret => true)
+      article4 = Article.create(:published => false, :secret => false)
+      Article.accessible_by(@ability).should == [article1]
+    end
+
+    it "should only read comments for articles which are published" do
+      @ability.can :read, Comment, :article => { :published => true }
+      comment1 = Comment.create(:article => Article.create!(:published => true))
+      comment2 = Comment.create(:article => Article.create!(:published => false))
+      Comment.accessible_by(@ability).should == [comment1]
+    end
+
+    it "should allow conditions in SQL and merge with hash conditions" do
+      @ability.can :read, Article, :published => true
+      @ability.can :read, Article, ["secret=?", true]
+      article1 = Article.create(:published => true, :secret => false)
+      article4 = Article.create(:published => false, :secret => false)
+      Article.accessible_by(@ability).should == [article1]
+    end
+
+    it "should match gt comparison" do
+      @ability.can :read, Article, :priority.gt => 3
+      article1 = Article.create(:priority => 4)
+      article2 = Article.create(:priority => 3)
+      Article.accessible_by(@ability).should == [article1]
+      @ability.should be_able_to(:read, article1)
+      @ability.should_not be_able_to(:read, article2)
+    end
+
+    it "should match gte comparison" do
+      @ability.can :read, Article, :priority.gte => 3
+      article1 = Article.create(:priority => 4)
+      article2 = Article.create(:priority => 3)
+      article3 = Article.create(:priority => 2)
+      Article.accessible_by(@ability).should == [article1, article2]
+      @ability.should be_able_to(:read, article1)
+      @ability.should be_able_to(:read, article2)
+      @ability.should_not be_able_to(:read, article3)
+    end
+
+    # TODO: add more comparison specs
+  end
+end