cancan 1.4.0.beta1 → 1.4.0

data/CHANGELOG.rdoc

@@ -1,4 +1,24 @@
-1.4.0 (not yet released)
+1.4.0 (October 5, 2010)
+
+* Adding Gemfile; to get specs running just +bundle+ and +rake+ - see issue #163
+
+* Stop at 'cannot' definition when there are no conditions - see issue #161
+
+* The :through option will now call a method with that name if instance variable doesn't exist - see issue #146
+
+* Adding :shallow option to load_resource to bring back old behavior of fetching a child without a parent
+
+* Raise AccessDenied error when loading a child and parent resource isn't found
+
+* Abilities defined on a module will apply to anything that includes that module - see issue #150 and #152
+
+* Abilities can be defined with a string of SQL in addition to a block so accessible_by works with a block - see issue #150
+
+* Adding better support for InheritedResource - see issue #23
+
+* Loading the collection instance variable (for index action) using accessible_by - see issue #137
+
+* Adding action and subject variables to I18n unauthorized message - closes #142
 
 * Adding check_authorization and skip_authorization controller class methods to ensure authorization is performed (thanks justinko) - see issue #135
 

data/Gemfile

@@ -0,0 +1,2 @@
+source "http://rubygems.org"
+gemspec

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2009 Ryan Bates
+Copyright (c) 2010 Ryan Bates
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -2,29 +2,29 @@
 
 Wiki[http://wiki.github.com/ryanb/cancan] | RDocs[http://rdoc.info/projects/ryanb/cancan] | Screencast[http://railscasts.com/episodes/192-authorization-with-cancan]
 
-CanCan is an authorization solution for Ruby on Rails for restricting what a given user is allowed to access throughout the application. It does not care how your user roles are defined, it simply focusses on keeping permission logic in a single location (the +Ability+ class) so it is not duplicated across controllers, views, and database queries.
-
-By default, the +current_user+ method is required, so if you have not already, set up some authentication (such as Authlogic[http://github.com/binarylogic/authlogic] or Devise[http://github.com/plataformatec/devise]). See {Changing Defaults}[http://wiki.github.com/ryanb/cancan/changing-defaults] if you need different behavior.
+CanCan is an authorization library for Ruby on Rails which restricts what resources a given user is allowed to access. All permissions are defined in a single location (the +Ability+ class) and not duplicated across controllers, views, and database queries.
 
 
 == Installation
 
-To install CanCan, include the gem in the environment.rb in Rails 2.3.
+In <b>Rails 3</b>, add this to your Gemfile.
 
-  config.gem "cancan"
+  gem "cancan"
 
-Or the Gemfile in Rails 3.
+In <b>Rails 2</b>, add this to your environment.rb file.
 
-  gem "cancan"
+  config.gem "cancan"
 
-Alternatively it can be installed as a plugin.
+Alternatively, you can install it as a plugin.
 
-  script/plugin install git://github.com/ryanb/cancan.git
+  rails plugin install git://github.com/ryanb/cancan.git
 
 
 == Getting Started
 
-First, define a class called +Ability+ in "models/ability.rb" or anywhere else in the load path. It should look something like this.
+CanCan expects a +current_user+ method to exist. If you have not already, set up some authentication (such as Authlogic[http://github.com/binarylogic/authlogic] or Devise[http://github.com/plataformatec/devise]). See {Changing Defaults}[http://wiki.github.com/ryanb/cancan/changing-defaults] if you need different behavior.
+
+Next create a class called +Ability+ in "models/ability.rb" or anywhere else in the load path. It should look similar to this.
 
   class Ability
     include CanCan::Ability
@@ -38,7 +38,7 @@ First, define a class called +Ability+ in "models/ability.rb" or anywhere else i
     end
   end
 
-This is where all permissions will go. See the "Defining Abilities" section below for more information.
+The +current_user+ is passed in to this method which is where the abilities are defined. See the "Defining Abilities" section below for more information.
 
 The current user's permissions can be accessed using the "can?" and "cannot?" methods in the view and controller.
 
@@ -67,11 +67,11 @@ Setting this for every action can be tedious, therefore the +load_and_authorize_
 
 See {Authorizing Controller Actions}[http://wiki.github.com/ryanb/cancan/authorizing-controller-actions] for more information
 
-If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior in the +ApplicationController+.
+If the user authorization fails, a <tt>CanCan::AccessDenied</tt> exception will be raised. You can catch this and modify its behavior in the +ApplicationController+.
 
   class ApplicationController < ActionController::Base
     rescue_from CanCan::AccessDenied do |exception|
-      flash[:error] = exception.message
+      flash[:alert] = exception.message
       redirect_to root_url
     end
   end
@@ -81,7 +81,7 @@ See {Exception Handling}[http://wiki.github.com/ryanb/cancan/exception-handling]
 
 == Defining Abilities
 
-As shown above, the +Ability+ class is where all user permissions are defined. The user model is passed into the initialize method so the permissions can be modified based on any user attributes. CanCan makes no assumptions about how roles are handled in your application. See {Role Based Authorization}[http://wiki.github.com/ryanb/cancan/role-based-authorization] for an example.
+As shown above, the +Ability+ class is where all user permissions are defined. The current user model is passed into the initialize method so the permissions can be modified based on any user attributes. CanCan makes no assumption about how roles are handled in your application. See {Role Based Authorization}[http://wiki.github.com/ryanb/cancan/role-based-authorization] for an example.
 
 The +can+ method is used to define permissions and requires two arguments. The first one is the action you're setting the permission for, the second one is the class of object you're setting it on.
 
@@ -97,7 +97,7 @@ Use :+manage+ to represent any action and :+all+ to represent any class. Here ar
   can :read, :all        # has permission to read any model
   can :manage, :all      # has permission to do anything to any model
 
-You can pass a hash of conditions as the third argument to further restrict what the user is able to access. Here the user will only have permission to read active projects which he owns.
+You can pass a hash of conditions as the third argument to further define what the user is able to access. Here the user will only have permission to read active projects which he owns.
 
   can :read, Project, :active => true, :user_id => user.id
 
@@ -106,10 +106,10 @@ See {Defining Abilities with Hashes}[http://wiki.github.com/ryanb/cancan/definin
 Blocks can also be used if you need more control.
 
   can :update, Project do |project|
-    project && project.groups.include?(user.group)
+    project.groups.include?(user.group)
   end
 
-If the block returns true then the user has that :+update+ ability for that project, otherwise he will be denied access. See {Defining Abilities with Blocks}[http://wiki.github.com/ryanb/cancan/defining-abilities-with-blocks] for more information.
+If the block returns true then the user has that ability for that project, otherwise he will be denied access. See {Defining Abilities with Blocks}[http://wiki.github.com/ryanb/cancan/defining-abilities-with-blocks] for more information.
 
 
 == Aliasing Actions
@@ -120,7 +120,7 @@ You will usually be working with four actions when defining and checking permiss
   alias_action :new, :to => :create
   alias_action :edit, :to => :update
 
-Notice the +edit+ action is aliased to +update+. If the user is able to update a record he also has permission to edit it. You can define your own aliases in the +Ability+ class
+Notice the +edit+ action is aliased to +update+. This means if the user is able to update a record he also has permission to edit it. You can define your own aliases in the +Ability+ class.
 
   alias_action :update, :destroy, :to => :modify
   can :modify, Comment
@@ -131,22 +131,32 @@ The +alias_action+ method is an instance method and usually called in +initializ
 
 == Fetching Records
 
-In the controller +index+ action you may want to fetch only the records which the user has permission to read. You can do this with the +accessible_by+ scope.
+It is possible to fetch records which the user has permission to read using the +accessible_by+ scope in Active Record.
 
   @articles = Article.accessible_by(current_ability)
 
+Since version 1.4 this is done automatically when loading resources in the index action, so one rarely needs to do it manually.
+
 This will only work when abilities are defined using hash conditions, not blocks. See {Fetching Records}[http://wiki.github.com/ryanb/cancan/fetching-records] for more information.
 
 
 == Additional Docs
 
-* {Upgrading to 1.3}[http://wiki.github.com/ryanb/cancan/upgrading-to-13]
+* {Upgrading to 1.4}[http://github.com/ryanb/cancan/wiki/Upgrading-to-1.4]
 * {Nested Resources}[http://wiki.github.com/ryanb/cancan/nested-resources]
 * {Testing Abilities}[http://wiki.github.com/ryanb/cancan/testing-abilities]
 * {Accessing Request Data}[http://wiki.github.com/ryanb/cancan/accessing-request-data]
 * {Admin Namespace}[http://wiki.github.com/ryanb/cancan/admin-namespace]
 * {See more}[http://wiki.github.com/ryanb/cancan/]
 
+
+== Questions or Problems?
+
+If you have any issues with CanCan which you cannot find the solution to in the documentation, please add an {issue on GitHub}[http://github.com/ryanb/cancan/issues] or fork the project and send a pull request.
+
+To get the specs running you should call +bundle+ and then +rake+. Specs currently do not work in Ruby 1.9 due to the RR mocking framework.
+
+
 == Special Thanks
 
 CanCan was inspired by declarative_authorization[http://github.com/stffn/declarative_authorization/] and aegis[http://github.com/makandra/aegis]. Also many thanks to the CanCan contributors[http://github.com/ryanb/cancan/contributors]. See the CHANGELOG[http://github.com/ryanb/cancan/blob/master/CHANGELOG.rdoc] for the full list.

data/Rakefile

@@ -1,13 +1,10 @@
 require 'rubygems'
 require 'rake'
-require 'spec/rake/spectask'
+require 'rspec/core/rake_task'
 
-spec_files = Rake::FileList["spec/**/*_spec.rb"]
-
-desc "Run specs"
-Spec::Rake::SpecTask.new do |t|
-  t.spec_files = spec_files
-  t.spec_opts = ["-c"]
+desc "Run RSpec"
+RSpec::Core::RakeTask.new do |t|
+  t.verbose = false
 end
 
 task :default => :spec

data/lib/cancan.rb

@@ -5,3 +5,4 @@ require 'cancan/controller_additions'
 require 'cancan/active_record_additions'
 require 'cancan/exceptions'
 require 'cancan/query'
+require 'cancan/inherited_resource'

data/lib/cancan/ability.rb

@@ -54,7 +54,7 @@ module CanCan
     #
     # Also see the RSpec Matchers to aid in testing.
     def can?(action, subject, *extra_args)
-      match = relevant_can_definitions(action, subject).detect do |can_definition|
+      match = relevant_can_definitions_for_match(action, subject).detect do |can_definition|
         can_definition.matches_conditions?(action, subject, extra_args)
       end
       match ? match.base_behavior : false
@@ -207,7 +207,9 @@ module CanCan
 
     def unauthorized_message(action, subject)
       keys = unauthorized_message_keys(action, subject)
-      message = I18n.translate(nil, :scope => :unauthorized, :default => keys + [""])
+      variables = {:action => action.to_s}
+      variables[:subject] = (subject.class == Class ? subject : subject.class).to_s.downcase
+      message = I18n.translate(nil, variables.merge(:scope => :unauthorized, :default => keys + [""]))
       message.blank? ? nil : message
     end
 
@@ -219,6 +221,14 @@ module CanCan
       attributes
     end
 
+    def has_block?(action, subject)
+      relevant_can_definitions(action, subject).any?(&:only_block?)
+    end
+
+    def has_raw_sql?(action, subject)
+      relevant_can_definitions(action, subject).any?(&:only_raw_sql?)
+    end
+
     private
 
     def unauthorized_message_keys(action, subject)
@@ -262,6 +272,14 @@ module CanCan
       end
     end
 
+    def relevant_can_definitions_for_match(action, subject)
+      relevant_can_definitions(action, subject).each do |can_definition|
+        if can_definition.only_raw_sql?
+          raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+        end
+      end
+    end
+
     def relevant_can_definitions_for_query(action, subject)
       relevant_can_definitions(action, subject).each do |can_definition|
         if can_definition.only_block?

data/lib/cancan/can_definition.rb

@@ -36,11 +36,13 @@ module CanCan
       elsif @conditions.kind_of?(Hash) && !subject_class?(subject)
         matches_conditions_hash?(subject)
       else
-        @base_behavior
+        # Don't stop at "cannot" definitions when there are conditions.
+        @conditions.empty? ? true : @base_behavior
       end
     end
 
     def tableized_conditions(conditions = @conditions)
+      return conditions unless conditions.kind_of? Hash
       conditions.inject({}) do |result_hash, (name, value)|
         if value.kind_of? Hash
           name = name.to_s.tableize.to_sym
@@ -55,6 +57,10 @@ module CanCan
       conditions_empty? && !@block.nil?
     end
 
+    def only_raw_sql?
+      @block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
+    end
+
     def conditions_empty?
       @conditions == {} || @conditions.nil?
     end
@@ -63,7 +69,7 @@ module CanCan
       hash = {}
       conditions.map do |name, value|
         hash[name] = associations_hash(value) if value.kind_of? Hash
-      end
+      end if conditions.kind_of? Hash
       hash
     end
 
@@ -71,14 +77,15 @@ module CanCan
       attributes = {}
       @conditions.each do |key, value|
         attributes[key] = value unless [Array, Range, Hash].include? value.class
-      end
+      end if @conditions.kind_of? Hash
       attributes
     end
 
     private
 
     def subject_class?(subject)
-      (subject.kind_of?(Hash) ? subject.values.first : subject).class == Class
+      klass = (subject.kind_of?(Hash) ? subject.values.first : subject).class
+      klass == Class || klass == Module
     end
 
     def matches_action?(action)
@@ -90,7 +97,7 @@ module CanCan
     end
 
     def matches_subject_class?(subject)
-      @subjects.any? { |sub| sub.kind_of?(Class) && (subject.kind_of?(sub) || subject.kind_of?(Class) && subject.ancestors.include?(sub)) }
+      @subjects.any? { |sub| sub.kind_of?(Module) && (subject.kind_of?(sub) || subject.kind_of?(Module) && subject.ancestors.include?(sub)) }
     end
 
     def matches_conditions_hash?(subject, conditions = @conditions)

data/lib/cancan/controller_additions.rb

@@ -12,14 +12,14 @@ module CanCan
       #   end
       #
       def load_and_authorize_resource(*args)
-        ControllerResource.add_before_filter(self, :load_and_authorize_resource, *args)
+        cancan_resource_class.add_before_filter(self, :load_and_authorize_resource, *args)
       end
 
       # Sets up a before filter which loads the model resource into an instance variable.
       # For example, given an ArticlesController it will load the current article into the @article
       # instance variable. It does this by either calling Article.find(params[:id]) or
-      # Article.new(params[:article]) depending upon the action. It does nothing for the "index"
-      # action.
+      # Article.new(params[:article]) depending upon the action. The index action will
+      # automatically set @articles to Article.accessible_by(current_ability).
       #
       # If a conditions hash is used in the Ability, the +new+ and +create+ actions will set
       # the initial attributes based on these conditions. This way these actions will satisfy
@@ -69,7 +69,10 @@ module CanCan
       #   Does not apply before filter to given actions.
       #
       # [:+through+]
-      #   Load this resource through another one. This should match the name of the parent instance variable.
+      #   Load this resource through another one. This should match the name of the parent instance variable or method.
+      #
+      # [:+shallow+]
+      #   Pass +true+ to allow this resource to be loaded directly when parent is +nil+. Defaults to +false+.
       #
       # [:+singleton+]
       #   Pass +true+ if this is a singleton resource through a +has_one+ association.
@@ -103,7 +106,7 @@ module CanCan
       #     load_resource :new => :build
       #
       def load_resource(*args)
-        ControllerResource.add_before_filter(self, :load_resource, *args)
+        cancan_resource_class.add_before_filter(self, :load_resource, *args)
       end
 
       # Sets up a before filter which authorizes the resource using the instance variable.
@@ -156,7 +159,7 @@ module CanCan
       #   Authorize conditions on this parent resource when instance isn't available.
       #
       def authorize_resource(*args)
-        ControllerResource.add_before_filter(self, :authorize_resource, *args)
+        cancan_resource_class.add_before_filter(self, :authorize_resource, *args)
       end
 
       # Add this to a controller to ensure it performs authorization through +authorized+! or +authorize_resource+ call.
@@ -190,6 +193,14 @@ module CanCan
           controller.instance_variable_set(:@_authorized, true)
         end
       end
+
+      def cancan_resource_class
+        if ancestors.map(&:to_s).include? "InheritedResources::Actions"
+          InheritedResource
+        else
+          ControllerResource
+        end
+      end
     end
 
     def self.included(base)
@@ -215,7 +226,7 @@ module CanCan
     #   en:
     #     unauthorized:
     #       manage:
-    #         all: "Not authorized to perform that action."
+    #         all: "Not authorized to %{action} %{subject}."
     #         user: "Not allowed to manage other user accounts."
     #       update:
     #         project: "Not allowed to update this project."

data/lib/cancan/controller_resource.rb

@@ -6,7 +6,7 @@ module CanCan
       options = args.extract_options!
       resource_name = args.first
       controller_class.before_filter(options.slice(:only, :except)) do |controller|
-        ControllerResource.new(controller, resource_name, options.except(:only, :except)).send(method)
+        controller.class.cancan_resource_class.new(controller, resource_name, options.except(:only, :except)).send(method)
       end
     end
 
@@ -26,8 +26,10 @@ module CanCan
     end
 
     def load_resource
-      if !resource_instance && (parent? || member_action?)
-        @controller.instance_variable_set("@#{instance_name}", load_resource_instance)
+      if parent? || member_action?
+        self.resource_instance ||= load_resource_instance
+      elsif load_collection?
+        self.collection_instance ||= load_collection
       end
     end
 
@@ -39,7 +41,7 @@ module CanCan
       @options.has_key?(:parent) ? @options[:parent] : @name && @name != name_from_controller.to_sym
     end
 
-    private
+    protected
 
     def load_resource_instance
       if !parent? && new_actions.include?(@params[:action].to_sym)
@@ -49,6 +51,15 @@ module CanCan
       end
     end
 
+    def load_collection?
+      resource_base.respond_to?(:accessible_by) &&
+      !current_ability.has_block?(authorization_action, resource_class)
+    end
+
+    def load_collection
+      resource_base.accessible_by(current_ability)
+    end
+
     def build_resource
       resource = resource_base.send(@options[:singleton] ? "build_#{name}" : "new")
       initial_attributes.each do |name, value|
@@ -59,7 +70,7 @@ module CanCan
     end
 
     def initial_attributes
-      @controller.current_ability.attributes_for(@params[:action].to_sym, resource_class)
+      current_ability.attributes_for(@params[:action].to_sym, resource_class)
     end
 
     def find_resource
@@ -98,16 +109,35 @@ module CanCan
       parent_resource ? {parent_resource => resource_class} : resource_class
     end
 
+    def resource_instance=(instance)
+      @controller.instance_variable_set("@#{instance_name}", instance)
+    end
+
     def resource_instance
       @controller.instance_variable_get("@#{instance_name}")
     end
 
+    def collection_instance=(instance)
+      @controller.instance_variable_set("@#{instance_name.to_s.pluralize}", instance)
+    end
+
+    def collection_instance
+      @controller.instance_variable_get("@#{instance_name.to_s.pluralize}")
+    end
+
     # The object that methods (such as "find", "new" or "build") are called on.
     # If the :through option is passed it will go through an association on that instance.
+    # If the :shallow option is passed it will use the resource_class if there's no parent
     # If the :singleton option is passed it won't use the association because it needs to be handled later.
     def resource_base
-      if parent_resource
-        @options[:singleton] ? parent_resource : parent_resource.send(name.to_s.pluralize)
+      if @options[:through]
+        if parent_resource
+          @options[:singleton] ? parent_resource : parent_resource.send(name.to_s.pluralize)
+        elsif @options[:shallow]
+          resource_class
+        else
+          raise AccessDenied # maybe this should be a record not found error instead?
+        end
       else
         resource_class
       end
@@ -115,7 +145,19 @@ module CanCan
 
     # The object to load this resource through.
     def parent_resource
-      @options[:through] && [@options[:through]].flatten.map { |i| @controller.instance_variable_get("@#{i}") }.compact.first
+      @options[:through] && [@options[:through]].flatten.map { |i| fetch_parent(i) }.compact.first
+    end
+
+    def fetch_parent(name)
+      if @controller.instance_variable_defined? "@#{name}"
+        @controller.instance_variable_get("@#{name}")
+      elsif @controller.respond_to? name
+        @controller.send(name)
+      end
+    end
+
+    def current_ability
+      @controller.send(:current_ability)
     end
 
     def name

data/lib/cancan/inherited_resource.rb

@@ -0,0 +1,18 @@
+module CanCan
+  # For use with Inherited Resources
+  class InheritedResource < ControllerResource # :nodoc:
+    def load_resource_instance
+      if parent?
+        @controller.send :parent
+      elsif new_actions.include? @params[:action].to_sym
+        @controller.send :build_resource
+      else
+        @controller.send :resource
+      end
+    end
+
+    def resource_base
+      @controller.send :end_of_association_chain
+    end
+  end
+end

data/spec/cancan/ability_spec.rb

@@ -24,6 +24,14 @@ describe CanCan::Ability do
     @ability.can?(:read, :some_symbol).should == true
   end
 
+  it "should pass nil to a block when no instance is passed" do
+    @ability.can :read, Symbol do |sym|
+      sym.should be_nil
+      true
+    end
+    @ability.can?(:read, Symbol).should be_true
+  end
+
   it "should pass to previous can definition, if block returns false or nil" do
     @ability.can :read, Symbol
     @ability.can :read, Integer do |i|
@@ -250,6 +258,32 @@ describe CanCan::Ability do
     @ability.can?(:read, Range).should be_true
   end
 
+  it "should stop at cannot definition when no hash is present" do
+    @ability.can :read, :all
+    @ability.cannot :read, Range
+    @ability.can?(:read, 1..5).should be_false
+    @ability.can?(:read, Range).should be_false
+  end
+
+  it "should allow to check ability for Module" do
+    module B; end
+    class A; include B; end
+    @ability.can :read, B
+    @ability.can?(:read, A).should be_true
+    @ability.can?(:read, A.new).should be_true
+  end
+
+  it "should pass nil to a block for ability on Module when no instance is passed" do
+    module B; end
+    class A; include B; end
+    @ability.can :read, B do |sym|
+      sym.should be_nil
+      true
+    end
+    @ability.can?(:read, B).should be_true
+    @ability.can?(:read, A).should be_true
+  end
+
   it "passing a hash of subjects should check permissions through association" do
     @ability.can :read, Range, :string => {:length => 3}
     @ability.can?(:read, "foo" => Range).should be_true
@@ -282,6 +316,22 @@ describe CanCan::Ability do
     lambda { @ability.authorize!(:read, :foo) }.should_not raise_error
   end
 
+  it "should know when block is used in conditions" do
+    @ability.can :read, :foo
+    @ability.should_not have_block(:read, :foo)
+    @ability.can :read, :foo do |foo|
+      false
+    end
+    @ability.should have_block(:read, :foo)
+  end
+
+  it "should know when raw sql is used in conditions" do
+    @ability.can :read, :foo
+    @ability.should_not have_raw_sql(:read, :foo)
+    @ability.can :read, :foo, 'false'
+    @ability.should have_raw_sql(:read, :foo)
+  end
+
   it "should raise access denied exception with default message if not specified" do
     begin
       @ability.authorize! :read, :foo
@@ -327,5 +377,11 @@ describe CanCan::Ability do
       @ability.unauthorized_message(:update, Array).should == "modify array"
       @ability.unauthorized_message(:edit, Array).should == "modify array"
     end
+
+    it "should have variables for action and subject" do
+      I18n.backend.store_translations :en, :unauthorized => {:manage => {:all => "%{action} %{subject}"}} # old syntax for now in case testing with old I18n
+      @ability.unauthorized_message(:update, Array).should == "update array"
+      @ability.unauthorized_message(:edit, 1..3).should == "edit range"
+    end
   end
 end

data/spec/cancan/active_record_additions_spec.rb

@@ -48,4 +48,26 @@ describe CanCan::ActiveRecordAdditions do
     # @ability.associations_hash(:read, @model_class).should == [{:too => [:far]}, :foo]
     @model_class.accessible_by(@ability).should == :found_records
   end
+
+  it "should allow to define sql conditions by not hash" do
+    @ability.can :read, @model_class, :foo => 1
+    @ability.can :read, @model_class, ['bar = ?', 1]
+    stub(@model_class).scoped( :conditions => '(bar = 1) OR (foo=1)', :joins => nil ) { :found_records }
+    stub(@model_class).scoped{|*args| args.inspect}
+    @model_class.accessible_by(@ability).should == :found_records
+  end
+
+  it "should not allow to fetch records when ability with just block present" do
+    @ability.can :read, @model_class do false end
+    lambda {
+      @model_class.accessible_by(@ability)
+    }.should raise_error(CanCan::Error)
+  end
+
+  it "should not allow to check ability on object when nonhash sql ability definition without block present" do
+    @ability.can :read, @model_class, ['bar = ?', 1]
+    lambda {
+      @ability.can? :read, @model_class.new
+    }.should raise_error(CanCan::Error)
+  end
 end

data/spec/cancan/controller_additions_spec.rb

@@ -74,4 +74,13 @@ describe CanCan::ControllerAdditions do
       @controller_class.check_authorization(:some_options)
     }.should_not raise_error(CanCan::AuthorizationNotPerformed)
   end
+
+  it "cancan_resource_class should be ControllerResource by default" do
+    @controller.class.cancan_resource_class.should == CanCan::ControllerResource
+  end
+
+  it "cancan_resource_class should be InheritedResource when class includes InheritedResources::Actions" do
+    stub(@controller.class).ancestors { ["InheritedResources::Actions"] }
+    @controller.class.cancan_resource_class.should == CanCan::InheritedResource
+  end
 end

data/spec/cancan/controller_resource_spec.rb

@@ -4,8 +4,9 @@ describe CanCan::ControllerResource do
   before(:each) do
     @params = HashWithIndifferentAccess.new(:controller => "projects")
     @controller = Object.new # simple stub for now
+    @ability = Ability.new(nil)
     stub(@controller).params { @params }
-    stub(@controller).current_ability.stub!.attributes_for { {} }
+    stub(@controller).current_ability { @ability }
   end
 
   it "should load the resource into an instance variable if params[:id] is specified" do
@@ -49,7 +50,7 @@ describe CanCan::ControllerResource do
 
   it "should build a new resource with attributes from current ability" do
     @params.merge!(:action => "new")
-    stub(@controller).current_ability.stub!.attributes_for(:new, Project) { {:name => "from conditions"} }
+    @ability.can(:create, Project, :name => "from conditions")
     resource = CanCan::ControllerResource.new(@controller)
     resource.load_resource
     @controller.instance_variable_get(:@project).name.should == "from conditions"
@@ -57,17 +58,37 @@ describe CanCan::ControllerResource do
 
   it "should override initial attributes with params" do
     @params.merge!(:action => "new", :project => {:name => "from params"})
-    stub(@controller).current_ability.stub!.attributes_for(:new, Project) { {:name => "foobar"} }
+    @ability.can(:create, Project, :name => "from conditions")
     resource = CanCan::ControllerResource.new(@controller)
     resource.load_resource
     @controller.instance_variable_get(:@project).name.should == "from params"
   end
 
-  it "should not build a resource when on index action" do
+  it "should build a collection when on index action when class responds to accessible_by" do
+    stub(Project).accessible_by(@ability) { :found_projects }
     @params[:action] = "index"
+    resource = CanCan::ControllerResource.new(@controller, :project)
+    resource.load_resource
+    @controller.instance_variable_get(:@project).should be_nil
+    @controller.instance_variable_get(:@projects).should == :found_projects
+  end
+
+  it "should not build a collection when on index action when class does not respond to accessible_by" do
+    @params[:action] = "index"
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    @controller.instance_variable_get(:@project).should be_nil
+    @controller.instance_variable_defined?(:@projects).should be_false
+  end
+
+  it "should not use accessible_by when defining abilities through a block" do
+    stub(Project).accessible_by(@ability) { :found_projects }
+    @params[:action] = "index"
+    @ability.can(:read, Project) { |p| false }
     resource = CanCan::ControllerResource.new(@controller)
     resource.load_resource
     @controller.instance_variable_get(:@project).should be_nil
+    @controller.instance_variable_defined?(:@projects).should be_false
   end
 
   it "should perform authorization using controller action and loaded model" do
@@ -143,7 +164,7 @@ describe CanCan::ControllerResource do
     @controller.instance_variable_get(:@project).should == :some_project
   end
 
-  it "should load resource through the association of another parent resource" do
+  it "should load resource through the association of another parent resource using instance variable" do
     @params.merge!(:action => "show", :id => 123)
     category = Object.new
     @controller.instance_variable_set(:@category, category)
@@ -153,14 +174,34 @@ describe CanCan::ControllerResource do
     @controller.instance_variable_get(:@project).should == :some_project
   end
 
-  it "should not load through parent resource if instance isn't loaded" do
+  it "should load resource through the association of another parent resource using method" do
     @params.merge!(:action => "show", :id => 123)
-    stub(Project).find(123) { :some_project }
+    category = Object.new
+    stub(@controller).category { category }
+    stub(category).projects.stub!.find(123) { :some_project }
     resource = CanCan::ControllerResource.new(@controller, :through => :category)
     resource.load_resource
     @controller.instance_variable_get(:@project).should == :some_project
   end
 
+  it "should not load through parent resource if instance isn't loaded when shallow" do
+    @params.merge!(:action => "show", :id => 123)
+    stub(Project).find(123) { :some_project }
+    resource = CanCan::ControllerResource.new(@controller, :through => :category, :shallow => true)
+    resource.load_resource
+    @controller.instance_variable_get(:@project).should == :some_project
+  end
+
+  it "should raise AccessDenied when attempting to load resource through nil" do
+    @params.merge!(:action => "show", :id => 123)
+    stub(Project).find(123) { :some_project }
+    resource = CanCan::ControllerResource.new(@controller, :through => :category)
+    lambda {
+      resource.load_resource
+    }.should raise_error(CanCan::AccessDenied)
+    @controller.instance_variable_get(:@project).should be_nil
+  end
+
   it "should authorize nested resource through parent association on index action" do
     @params.merge!(:action => "index")
     category = Object.new

data/spec/cancan/inherited_resource_spec.rb

@@ -0,0 +1,40 @@
+require "spec_helper"
+
+describe CanCan::InheritedResource do
+  before(:each) do
+    @params = HashWithIndifferentAccess.new(:controller => "projects")
+    @controller = Object.new # simple stub for now
+    @ability = Ability.new(nil)
+    stub(@controller).params { @params }
+    stub(@controller).current_ability { @ability }
+  end
+
+  it "show should load resource through @controller.resource" do
+    @params[:action] = "show"
+    stub(@controller).resource { :project_resource }
+    CanCan::InheritedResource.new(@controller).load_resource
+    @controller.instance_variable_get(:@project).should == :project_resource
+  end
+
+  it "new should load through @controller.build_resource" do
+    @params[:action] = "new"
+    stub(@controller).build_resource { :project_resource }
+    CanCan::InheritedResource.new(@controller).load_resource
+    @controller.instance_variable_get(:@project).should == :project_resource
+  end
+
+  it "index should load through @controller.parent when parent" do
+    @params[:action] = "index"
+    stub(@controller).parent { :project_resource }
+    CanCan::InheritedResource.new(@controller, :parent => true).load_resource
+    @controller.instance_variable_get(:@project).should == :project_resource
+  end
+
+  it "index should load through @controller.end_of_association_chain" do
+    @params[:action] = "index"
+    stub(Project).accessible_by(@ability) { :projects }
+    stub(@controller).end_of_association_chain { Project }
+    CanCan::InheritedResource.new(@controller).load_resource
+    @controller.instance_variable_get(:@projects).should == :projects
+  end
+end

data/spec/matchers.rb

@@ -1,4 +1,4 @@
-Spec::Matchers.define :orderlessly_match do |original_string|
+RSpec::Matchers.define :orderlessly_match do |original_string|
   match do |given_string|
     original_string.split('').sort == given_string.split('').sort
   end

data/spec/spec_helper.rb

@@ -1,14 +1,11 @@
 require 'rubygems'
-require 'spec'
-require 'active_support'
-require 'active_record'
-require 'action_controller'
-require 'action_view'
+require 'bundler'
+Bundler.require(:default, :test)
+require 'active_support/all'
 require 'matchers'
-require 'cancan'
 require 'cancan/matchers'
 
-Spec::Runner.configure do |config|
+RSpec.configure do |config|
   config.mock_with :rr
 end
 

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: cancan
 version: !ruby/object:Gem::Version 
-  prerelease: true
+  hash: 7
+  prerelease: false
   segments: 
   - 1
   - 4
   - 0
-  - beta1
-  version: 1.4.0.beta1
+  version: 1.4.0
 platform: ruby
 authors: 
 - Ryan Bates
@@ -15,10 +15,59 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-09-03 00:00:00 -07:00
+date: 2010-10-05 00:00:00 -07:00
 default_executable: 
-dependencies: []
-
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 62196431
+        segments: 
+        - 2
+        - 0
+        - 0
+        - beta
+        - 22
+        version: 2.0.0.beta.22
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rails
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        - 0
+        version: 3.0.0
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rr
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 33
+        segments: 
+        - 0
+        - 10
+        - 11
+        version: 0.10.11
+  type: :development
+  version_requirements: *id003
 description: Simple authorization solution for Rails which is decoupled from user roles. All permissions are stored in a single location.
 email: ryan@railscasts.com
 executables: []
@@ -34,6 +83,7 @@ files:
 - lib/cancan/controller_additions.rb
 - lib/cancan/controller_resource.rb
 - lib/cancan/exceptions.rb
+- lib/cancan/inherited_resource.rb
 - lib/cancan/matchers.rb
 - lib/cancan/query.rb
 - lib/cancan.rb
@@ -43,12 +93,14 @@ files:
 - spec/cancan/controller_additions_spec.rb
 - spec/cancan/controller_resource_spec.rb
 - spec/cancan/exceptions_spec.rb
+- spec/cancan/inherited_resource_spec.rb
 - spec/cancan/matchers_spec.rb
 - spec/cancan/query_spec.rb
 - spec/matchers.rb
 - spec/spec.opts
 - spec/spec_helper.rb
 - CHANGELOG.rdoc
+- Gemfile
 - LICENSE
 - Rakefile
 - README.rdoc
@@ -63,16 +115,20 @@ rdoc_options: []
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 19
       segments: 
       - 1
       - 3
@@ -81,7 +137,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: cancan
-rubygems_version: 1.3.6
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Simple authorization solution for Rails.