cancancan 1.17.0 → 2.0.0.rc1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (52) hide show
  1. checksums.yaml +4 -4
  2. data/cancancan.gemspec +4 -6
  3. data/lib/cancan.rb +2 -11
  4. data/lib/cancan/ability.rb +1 -1
  5. data/lib/cancan/controller_additions.rb +3 -24
  6. data/lib/cancan/controller_resource.rb +9 -25
  7. data/lib/cancan/matchers.rb +7 -1
  8. data/lib/cancan/model_adapters/active_record_4_adapter.rb +1 -3
  9. data/lib/cancan/model_adapters/active_record_adapter.rb +2 -2
  10. data/lib/cancan/rule.rb +2 -2
  11. data/lib/cancan/version.rb +1 -1
  12. metadata +22 -69
  13. data/.gitignore +0 -15
  14. data/.rspec +0 -1
  15. data/.rubocop.yml +0 -39
  16. data/.rubocop_todo.yml +0 -54
  17. data/.travis.yml +0 -39
  18. data/Appraisals +0 -105
  19. data/CHANGELOG.rdoc +0 -536
  20. data/CONTRIBUTING.md +0 -23
  21. data/Gemfile +0 -3
  22. data/LICENSE +0 -22
  23. data/README.md +0 -234
  24. data/Rakefile +0 -13
  25. data/gemfiles/activerecord_3.2.gemfile +0 -18
  26. data/gemfiles/activerecord_4.0.gemfile +0 -19
  27. data/gemfiles/activerecord_4.1.gemfile +0 -19
  28. data/gemfiles/activerecord_4.2.gemfile +0 -21
  29. data/gemfiles/activerecord_5.0.gemfile +0 -20
  30. data/gemfiles/mongoid_2.x.gemfile +0 -18
  31. data/gemfiles/sequel_3.x.gemfile +0 -18
  32. data/lib/cancan/inherited_resource.rb +0 -20
  33. data/lib/cancan/model_adapters/active_record_3_adapter.rb +0 -16
  34. data/lib/cancan/model_adapters/mongoid_adapter.rb +0 -80
  35. data/lib/cancan/model_adapters/sequel_adapter.rb +0 -87
  36. data/spec/README.rdoc +0 -27
  37. data/spec/cancan/ability_spec.rb +0 -553
  38. data/spec/cancan/controller_additions_spec.rb +0 -164
  39. data/spec/cancan/controller_resource_spec.rb +0 -645
  40. data/spec/cancan/exceptions_spec.rb +0 -58
  41. data/spec/cancan/inherited_resource_spec.rb +0 -71
  42. data/spec/cancan/matchers_spec.rb +0 -29
  43. data/spec/cancan/model_adapters/active_record_4_adapter_spec.rb +0 -160
  44. data/spec/cancan/model_adapters/active_record_adapter_spec.rb +0 -415
  45. data/spec/cancan/model_adapters/default_adapter_spec.rb +0 -7
  46. data/spec/cancan/model_adapters/mongoid_adapter_spec.rb +0 -246
  47. data/spec/cancan/model_adapters/sequel_adapter_spec.rb +0 -129
  48. data/spec/cancan/rule_spec.rb +0 -52
  49. data/spec/matchers.rb +0 -13
  50. data/spec/spec.opts +0 -2
  51. data/spec/spec_helper.rb +0 -27
  52. data/spec/support/ability.rb +0 -6
@@ -1,164 +0,0 @@
1
- require 'spec_helper'
2
-
3
- describe CanCan::ControllerAdditions do
4
- before(:each) do
5
- @controller_class = Class.new
6
- @controller = @controller_class.new
7
- allow(@controller).to receive(:params) { {} }
8
- allow(@controller).to receive(:current_user) { :current_user }
9
- expect(@controller_class).to receive(:helper_method).with(:can?, :cannot?, :current_ability)
10
- @controller_class.send(:include, CanCan::ControllerAdditions)
11
- end
12
-
13
- it "raises ImplementationRemoved when attempting to call 'unauthorized!' on a controller" do
14
- expect { @controller.unauthorized! }.to raise_error(CanCan::ImplementationRemoved)
15
- end
16
-
17
- it 'authorize! assigns @_authorized instance variable and pass args to current ability' do
18
- allow(@controller.current_ability).to receive(:authorize!).with(:foo, :bar)
19
- @controller.authorize!(:foo, :bar)
20
- expect(@controller.instance_variable_get(:@_authorized)).to be(true)
21
- end
22
-
23
- it 'has a current_ability method which generates an ability for the current user' do
24
- expect(@controller.current_ability).to be_kind_of(Ability)
25
- end
26
-
27
- it 'provides a can? and cannot? methods which go through the current ability' do
28
- expect(@controller.current_ability).to be_kind_of(Ability)
29
- expect(@controller.can?(:foo, :bar)).to be(false)
30
- expect(@controller.cannot?(:foo, :bar)).to be(true)
31
- end
32
-
33
- it 'load_and_authorize_resource setups a before filter which passes call to ControllerResource' do
34
- expect(cancan_resource_class = double).to receive(:load_and_authorize_resource)
35
- allow(CanCan::ControllerResource).to receive(:new).with(@controller, nil, foo: :bar) { cancan_resource_class }
36
- expect(@controller_class)
37
- .to receive(callback_action(:before_action)).with({}) { |_options, &block| block.call(@controller) }
38
- @controller_class.load_and_authorize_resource foo: :bar
39
- end
40
-
41
- it 'load_and_authorize_resource properly passes first argument as the resource name' do
42
- expect(cancan_resource_class = double).to receive(:load_and_authorize_resource)
43
- allow(CanCan::ControllerResource).to receive(:new).with(@controller, :project, foo: :bar) { cancan_resource_class }
44
- expect(@controller_class)
45
- .to receive(callback_action(:before_action)).with({}) { |_options, &block| block.call(@controller) }
46
- @controller_class.load_and_authorize_resource :project, foo: :bar
47
- end
48
-
49
- it 'load_and_authorize_resource with :prepend prepends the before filter' do
50
- expect(@controller_class).to receive(callback_action(:prepend_before_action)).with({})
51
- @controller_class.load_and_authorize_resource foo: :bar, prepend: true
52
- end
53
-
54
- it 'authorize_resource setups a before filter which passes call to ControllerResource' do
55
- expect(cancan_resource_class = double).to receive(:authorize_resource)
56
- allow(CanCan::ControllerResource).to receive(:new).with(@controller, nil, foo: :bar) { cancan_resource_class }
57
- expect(@controller_class)
58
- .to receive(callback_action(:before_action)).with(except: :show, if: true) do |_options, &block|
59
- block.call(@controller)
60
- end
61
- @controller_class.authorize_resource foo: :bar, except: :show, if: true
62
- end
63
-
64
- it 'load_resource setups a before filter which passes call to ControllerResource' do
65
- expect(cancan_resource_class = double).to receive(:load_resource)
66
- allow(CanCan::ControllerResource).to receive(:new).with(@controller, nil, foo: :bar) { cancan_resource_class }
67
- expect(@controller_class)
68
- .to receive(callback_action(:before_action)).with(only: [:show, :index], unless: false) do |_options, &block|
69
- block.call(@controller)
70
- end
71
- @controller_class.load_resource foo: :bar, only: [:show, :index], unless: false
72
- end
73
-
74
- it 'skip_authorization_check setups a before filter which sets @_authorized to true' do
75
- expect(@controller_class)
76
- .to receive(callback_action(:before_action)).with(:filter_options) { |_options, &block| block.call(@controller) }
77
- @controller_class.skip_authorization_check(:filter_options)
78
- expect(@controller.instance_variable_get(:@_authorized)).to be(true)
79
- end
80
-
81
- it 'check_authorization triggers AuthorizationNotPerformed in after filter' do
82
- expect(@controller_class)
83
- .to receive(callback_action(:after_action)).with(only: [:test]) { |_options, &block| block.call(@controller) }
84
- expect do
85
- @controller_class.check_authorization(only: [:test])
86
- end.to raise_error(CanCan::AuthorizationNotPerformed)
87
- end
88
-
89
- it 'check_authorization does not trigger AuthorizationNotPerformed when :if is false' do
90
- allow(@controller).to receive(:check_auth?) { false }
91
- allow(@controller_class)
92
- .to receive(callback_action(:after_action)).with({}) { |_options, &block| block.call(@controller) }
93
- expect do
94
- @controller_class.check_authorization(if: :check_auth?)
95
- end.not_to raise_error
96
- end
97
-
98
- it 'check_authorization does not trigger AuthorizationNotPerformed when :unless is true' do
99
- allow(@controller).to receive(:engine_controller?) { true }
100
- expect(@controller_class)
101
- .to receive(callback_action(:after_action)).with({}) { |_options, &block| block.call(@controller) }
102
- expect do
103
- @controller_class.check_authorization(unless: :engine_controller?)
104
- end.not_to raise_error
105
- end
106
-
107
- it 'check_authorization does not raise error when @_authorized is set' do
108
- @controller.instance_variable_set(:@_authorized, true)
109
- expect(@controller_class)
110
- .to receive(callback_action(:after_action)).with(only: [:test]) { |_options, &block| block.call(@controller) }
111
- expect do
112
- @controller_class.check_authorization(only: [:test])
113
- end.not_to raise_error
114
- end
115
-
116
- it 'cancan_resource_class is ControllerResource by default' do
117
- expect(@controller.class.cancan_resource_class).to eq(CanCan::ControllerResource)
118
- end
119
-
120
- it 'cancan_resource_class is InheritedResource when class includes InheritedResources::Actions' do
121
- allow(@controller.class).to receive(:ancestors) { ['InheritedResources::Actions'] }
122
- expect(@controller.class.cancan_resource_class).to eq(CanCan::InheritedResource)
123
- end
124
-
125
- it 'cancan_skipper is an empty hash with :authorize and :load options and remember changes' do
126
- expect(@controller_class.cancan_skipper).to eq(authorize: {}, load: {})
127
- @controller_class.cancan_skipper[:load] = true
128
- expect(@controller_class.cancan_skipper[:load]).to be(true)
129
- end
130
-
131
- it 'skip_authorize_resource adds itself to the cancan skipper with given model name and options' do
132
- @controller_class.skip_authorize_resource(:project, only: [:index, :show])
133
- expect(@controller_class.cancan_skipper[:authorize][:project]).to eq(only: [:index, :show])
134
- @controller_class.skip_authorize_resource(only: [:index, :show])
135
- expect(@controller_class.cancan_skipper[:authorize][nil]).to eq(only: [:index, :show])
136
- @controller_class.skip_authorize_resource(:article)
137
- expect(@controller_class.cancan_skipper[:authorize][:article]).to eq({})
138
- end
139
-
140
- it 'skip_load_resource adds itself to the cancan skipper with given model name and options' do
141
- @controller_class.skip_load_resource(:project, only: [:index, :show])
142
- expect(@controller_class.cancan_skipper[:load][:project]).to eq(only: [:index, :show])
143
- @controller_class.skip_load_resource(only: [:index, :show])
144
- expect(@controller_class.cancan_skipper[:load][nil]).to eq(only: [:index, :show])
145
- @controller_class.skip_load_resource(:article)
146
- expect(@controller_class.cancan_skipper[:load][:article]).to eq({})
147
- end
148
-
149
- it 'skip_load_and_authore_resource adds itself to the cancan skipper with given model name and options' do
150
- @controller_class.skip_load_and_authorize_resource(:project, only: [:index, :show])
151
- expect(@controller_class.cancan_skipper[:load][:project]).to eq(only: [:index, :show])
152
- expect(@controller_class.cancan_skipper[:authorize][:project]).to eq(only: [:index, :show])
153
- end
154
-
155
- private
156
-
157
- def callback_action(action)
158
- if ActiveSupport.respond_to?(:version) && ActiveSupport.version >= Gem::Version.new('4')
159
- action
160
- else
161
- action.to_s.sub(/_action/, '_filter')
162
- end
163
- end
164
- end
@@ -1,645 +0,0 @@
1
- require 'spec_helper'
2
-
3
- describe CanCan::ControllerResource do
4
- let(:ability) { Ability.new(nil) }
5
- let(:params) { HashWithIndifferentAccess.new(controller: 'models') }
6
- let(:controller_class) { Class.new }
7
- let(:controller) { controller_class.new }
8
-
9
- before(:each) do
10
- class Model
11
- attr_accessor :name
12
-
13
- def initialize(attributes = {})
14
- attributes.each do |attribute, value|
15
- send("#{attribute}=", value)
16
- end
17
- end
18
- end
19
-
20
- allow(controller).to receive(:params) { params }
21
- allow(controller).to receive(:current_ability) { ability }
22
- allow(controller_class).to receive(:cancan_skipper) { { authorize: {}, load: {} } }
23
- end
24
-
25
- context 'on build actions' do
26
- before :each do
27
- params.merge!(action: 'new')
28
- end
29
-
30
- it 'builds a new resource with attributes from current ability' do
31
- ability.can(:create, Model, name: 'from conditions')
32
- resource = CanCan::ControllerResource.new(controller)
33
- resource.load_resource
34
- expect(controller.instance_variable_get(:@model).name).to eq('from conditions')
35
- end
36
-
37
- it 'overrides initial attributes with params' do
38
- params[:model] = { name: 'from params' }
39
- ability.can(:create, Model, name: 'from conditions')
40
- resource = CanCan::ControllerResource.new(controller)
41
- resource.load_resource
42
- expect(controller.instance_variable_get(:@model).name).to eq('from params')
43
- end
44
-
45
- it 'builds a resource when on custom new action even when params[:id] exists' do
46
- params.merge!(action: 'build', id: '123')
47
- allow(Model).to receive(:new) { :some_model }
48
- resource = CanCan::ControllerResource.new(controller, new: :build)
49
- resource.load_resource
50
- expect(controller.instance_variable_get(:@model)).to eq(:some_model)
51
- end
52
-
53
- it 'only authorizes :show action on parent resource' do
54
- model = Model.new
55
- allow(Model).to receive(:find).with('123') { model }
56
-
57
- params[:model_id] = 123
58
- allow(controller).to receive(:authorize!).with(:show, model) { raise CanCan::AccessDenied }
59
- resource = CanCan::ControllerResource.new(controller, :model, parent: true)
60
- expect { resource.load_and_authorize_resource }.to raise_error(CanCan::AccessDenied)
61
- end
62
- end
63
-
64
- context 'on create actions' do
65
- before :each do
66
- params.merge!(action: 'create')
67
- end
68
-
69
- # Rails includes namespace in params, see issue #349
70
- it 'creates through the namespaced params' do
71
- module MyEngine
72
- class Model < ::Model; end
73
- end
74
-
75
- params.merge!(controller: 'my_engine/models', my_engine_model: { name: 'foobar' })
76
- resource = CanCan::ControllerResource.new(controller)
77
- resource.load_resource
78
- expect(controller.instance_variable_get(:@model).name).to eq('foobar')
79
- end
80
-
81
- it 'builds a new resource with hash if params[:id] is not specified' do
82
- params[:model] = { name: 'foobar' }
83
- resource = CanCan::ControllerResource.new(controller)
84
- resource.load_resource
85
- expect(controller.instance_variable_get(:@model).name).to eq('foobar')
86
- end
87
-
88
- it 'builds a new resource for namespaced model with hash if params[:id] is not specified' do
89
- module Sub
90
- class Model < ::Model; end
91
- end
92
- params['sub_model'] = { name: 'foobar' }
93
- resource = CanCan::ControllerResource.new(controller, class: ::Sub::Model)
94
- resource.load_resource
95
- expect(controller.instance_variable_get(:@model).name).to eq('foobar')
96
- end
97
-
98
- context 'params[:id] is not specified' do
99
- it 'builds a new resource for namespaced controller and namespaced model with hash' do
100
- params.merge!(:controller => 'admin/sub_models', 'sub_model' => { name: 'foobar' })
101
- resource = CanCan::ControllerResource.new(controller, class: Model)
102
- resource.load_resource
103
- expect(controller.instance_variable_get(:@sub_model).name).to eq('foobar')
104
- end
105
- end
106
-
107
- it 'builds a new resource for namespaced controller given through folder format' do
108
- module Admin
109
- module SubModule
110
- class HiddenModel < ::Model; end
111
- end
112
- end
113
- params[:controller] = 'admin/sub_module/hidden_models'
114
- resource = CanCan::ControllerResource.new(controller)
115
- expect { resource.load_resource }.not_to raise_error
116
- end
117
-
118
- context 'with :singleton option' do
119
- it 'does not build record through has_one association because it can cause it to delete it in the database' do
120
- category = Class.new
121
- allow_any_instance_of(Model).to receive('category=').with(category)
122
- allow_any_instance_of(Model).to receive('category') { category }
123
-
124
- params[:model] = { name: 'foobar' }
125
- controller.instance_variable_set(:@category, category)
126
- resource = CanCan::ControllerResource.new(controller, through: :category, singleton: true)
127
- resource.load_resource
128
- expect(controller.instance_variable_get(:@model).name).to eq('foobar')
129
- expect(controller.instance_variable_get(:@model).category).to eq(category)
130
- end
131
- end
132
-
133
- it 'builds record through has_one association with :singleton and :shallow options' do
134
- params[:model] = { name: 'foobar' }
135
- resource = CanCan::ControllerResource.new(controller, through: :category, singleton: true, shallow: true)
136
- resource.load_resource
137
- expect(controller.instance_variable_get(:@model).name).to eq('foobar')
138
- end
139
-
140
- context 'with a strong parameters method' do
141
- before :each do
142
- params.merge!(controller: 'model', model: { name: 'test' })
143
- end
144
-
145
- it 'accepts and uses the specified symbol for santitizing input' do
146
- allow(controller).to receive(:resource_params).and_return(resource: 'params')
147
- allow(controller).to receive(:model_params).and_return(model: 'params')
148
- allow(controller).to receive(:create_params).and_return(create: 'params')
149
- allow(controller).to receive(:custom_params).and_return(custom: 'params')
150
- resource = CanCan::ControllerResource.new(controller, param_method: :custom_params)
151
- expect(resource.send('resource_params')).to eq(custom: 'params')
152
- end
153
-
154
- it 'accepts the specified string for sanitizing input' do
155
- resource = CanCan::ControllerResource.new(controller, param_method: "{:custom => 'params'}")
156
- expect(resource.send('resource_params')).to eq(custom: 'params')
157
- end
158
-
159
- it 'accepts the specified proc for sanitizing input' do
160
- resource = CanCan::ControllerResource.new(controller, param_method: proc { |_c| { custom: 'params' } })
161
- expect(resource.send('resource_params')).to eq(custom: 'params')
162
- end
163
-
164
- it 'prefers to use the create_params method for santitizing input' do
165
- allow(controller).to receive(:resource_params).and_return(resource: 'params')
166
- allow(controller).to receive(:model_params).and_return(model: 'params')
167
- allow(controller).to receive(:create_params).and_return(create: 'params')
168
- allow(controller).to receive(:custom_params).and_return(custom: 'params')
169
- resource = CanCan::ControllerResource.new(controller)
170
- expect(resource.send('resource_params')).to eq(create: 'params')
171
- end
172
-
173
- it 'prefers to use the <model_name>_params method for santitizing input if create is not found' do
174
- allow(controller).to receive(:resource_params).and_return(resource: 'params')
175
- allow(controller).to receive(:model_params).and_return(model: 'params')
176
- allow(controller).to receive(:custom_params).and_return(custom: 'params')
177
- resource = CanCan::ControllerResource.new(controller)
178
- expect(resource.send('resource_params')).to eq(model: 'params')
179
- end
180
-
181
- it 'prefers to use the resource_params method for santitizing input if create or model is not found' do
182
- allow(controller).to receive(:resource_params).and_return(resource: 'params')
183
- allow(controller).to receive(:custom_params).and_return(custom: 'params')
184
- resource = CanCan::ControllerResource.new(controller)
185
- expect(resource.send('resource_params')).to eq(resource: 'params')
186
- end
187
- end
188
- end
189
-
190
- context 'on collection actions' do
191
- before :each do
192
- params[:action] = 'index'
193
- end
194
-
195
- it 'builds a collection when on index action when class responds to accessible_by' do
196
- allow(Model).to receive(:accessible_by).with(ability, :index) { :found_models }
197
-
198
- resource = CanCan::ControllerResource.new(controller, :model)
199
- resource.load_resource
200
- expect(controller.instance_variable_get(:@model)).to be_nil
201
- expect(controller.instance_variable_get(:@models)).to eq(:found_models)
202
- end
203
-
204
- it 'does not build a collection when on index action when class does not respond to accessible_by' do
205
- resource = CanCan::ControllerResource.new(controller)
206
- resource.load_resource
207
- expect(controller.instance_variable_get(:@model)).to be_nil
208
- expect(controller.instance_variable_defined?(:@models)).to be(false)
209
- end
210
-
211
- it 'does not use accessible_by when defining abilities through a block' do
212
- allow(Model).to receive(:accessible_by).with(ability) { :found_models }
213
-
214
- ability.can(:read, Model) { |_p| false }
215
- resource = CanCan::ControllerResource.new(controller)
216
- resource.load_resource
217
- expect(controller.instance_variable_get(:@model)).to be_nil
218
- expect(controller.instance_variable_defined?(:@models)).to be(false)
219
- end
220
-
221
- it 'does not authorize single resource in collection action' do
222
- allow(controller).to receive(:authorize!).with(:index, Model) { raise CanCan::AccessDenied }
223
- resource = CanCan::ControllerResource.new(controller)
224
-
225
- expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
226
- end
227
-
228
- it 'authorizes parent resource in collection action' do
229
- controller.instance_variable_set(:@category, :some_category)
230
- allow(controller).to receive(:authorize!).with(:show, :some_category) { raise CanCan::AccessDenied }
231
-
232
- resource = CanCan::ControllerResource.new(controller, :category, parent: true)
233
- expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
234
- end
235
-
236
- it 'authorizes with :custom_action for parent collection action' do
237
- controller.instance_variable_set(:@category, :some_category)
238
- allow(controller).to receive(:authorize!).with(:custom_action, :some_category) { raise CanCan::AccessDenied }
239
-
240
- resource = CanCan::ControllerResource.new(controller, :category, parent: true, parent_action: :custom_action)
241
- expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
242
- end
243
-
244
- it 'has the specified nested resource_class when using / for namespace' do
245
- module Admin
246
- class Dashboard; end
247
- end
248
- ability.can(:index, 'admin/dashboard')
249
- params[:controller] = 'admin/dashboard'
250
- resource = CanCan::ControllerResource.new(controller, authorize: true)
251
- expect(resource.send(:resource_class)).to eq(Admin::Dashboard)
252
- end
253
-
254
- it 'does not build a single resource when on custom collection action even with id' do
255
- params.merge!(action: 'sort', id: '123')
256
-
257
- resource = CanCan::ControllerResource.new(controller, collection: [:sort, :list])
258
- resource.load_resource
259
- expect(controller.instance_variable_get(:@model)).to be_nil
260
- end
261
-
262
- it 'loads a collection resource when on custom action with no id param' do
263
- allow(Model).to receive(:accessible_by).with(ability, :sort) { :found_models }
264
- params[:action] = 'sort'
265
- resource = CanCan::ControllerResource.new(controller)
266
- resource.load_resource
267
- expect(controller.instance_variable_get(:@model)).to be_nil
268
- expect(controller.instance_variable_get(:@models)).to eq(:found_models)
269
- end
270
-
271
- it 'loads parent resource through proper id parameter' do
272
- model = Model.new
273
- allow(Model).to receive(:find).with('1') { model }
274
-
275
- params.merge!(controller: 'categories', model_id: 1)
276
- resource = CanCan::ControllerResource.new(controller, :model)
277
- resource.load_resource
278
- expect(controller.instance_variable_get(:@model)).to eq(model)
279
- end
280
-
281
- it 'authorizes nested resource through parent association on index action' do
282
- controller.instance_variable_set(:@category, category = double)
283
- allow(controller).to receive(:authorize!).with(:index, category => Model) { raise CanCan::AccessDenied }
284
- resource = CanCan::ControllerResource.new(controller, through: :category)
285
- expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
286
- end
287
- end
288
-
289
- context 'on instance read actions' do
290
- before :each do
291
- params.merge!(action: 'show', id: '123')
292
- end
293
-
294
- it 'loads the resource into an instance variable if params[:id] is specified' do
295
- model = Model.new
296
- allow(Model).to receive(:find).with('123') { model }
297
-
298
- resource = CanCan::ControllerResource.new(controller)
299
- resource.load_resource
300
- expect(controller.instance_variable_get(:@model)).to eq(model)
301
- end
302
-
303
- it 'does not load resource into an instance variable if already set' do
304
- controller.instance_variable_set(:@model, :some_model)
305
- resource = CanCan::ControllerResource.new(controller)
306
- resource.load_resource
307
- expect(controller.instance_variable_get(:@model)).to eq(:some_model)
308
- end
309
-
310
- it 'loads resource for namespaced controller' do
311
- model = Model.new
312
- allow(Model).to receive(:find).with('123') { model }
313
- params[:controller] = 'admin/models'
314
-
315
- resource = CanCan::ControllerResource.new(controller)
316
- resource.load_resource
317
- expect(controller.instance_variable_get(:@model)).to eq(model)
318
- end
319
-
320
- it 'performs authorization using controller action and loaded model' do
321
- controller.instance_variable_set(:@model, :some_model)
322
- allow(controller).to receive(:authorize!).with(:show, :some_model) { raise CanCan::AccessDenied }
323
-
324
- resource = CanCan::ControllerResource.new(controller)
325
- expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
326
- end
327
-
328
- it 'performs authorization using controller action and non loaded model' do
329
- allow(controller).to receive(:authorize!).with(:show, Model) { raise CanCan::AccessDenied }
330
- resource = CanCan::ControllerResource.new(controller)
331
- expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
332
- end
333
-
334
- it 'calls load_resource and authorize_resource for load_and_authorize_resource' do
335
- resource = CanCan::ControllerResource.new(controller)
336
- expect(resource).to receive(:load_resource)
337
- expect(resource).to receive(:authorize_resource)
338
- resource.load_and_authorize_resource
339
- end
340
-
341
- it 'loads resource through the association of another parent resource using instance variable' do
342
- category = double(models: {})
343
- controller.instance_variable_set(:@category, category)
344
- allow(category.models).to receive(:find).with('123') { :some_model }
345
- resource = CanCan::ControllerResource.new(controller, through: :category)
346
- resource.load_resource
347
- expect(controller.instance_variable_get(:@model)).to eq(:some_model)
348
- end
349
-
350
- it 'loads resource through the custom association name' do
351
- category = double(custom_models: {})
352
- controller.instance_variable_set(:@category, category)
353
- allow(category.custom_models).to receive(:find).with('123') { :some_model }
354
- resource = CanCan::ControllerResource.new(controller, through: :category, through_association: :custom_models)
355
- resource.load_resource
356
- expect(controller.instance_variable_get(:@model)).to eq(:some_model)
357
- end
358
-
359
- it 'loads resource through the association of another parent resource using method' do
360
- category = double(models: {})
361
- allow(controller).to receive(:category) { category }
362
- allow(category.models).to receive(:find).with('123') { :some_model }
363
- resource = CanCan::ControllerResource.new(controller, through: :category)
364
- resource.load_resource
365
- expect(controller.instance_variable_get(:@model)).to eq(:some_model)
366
- end
367
-
368
- it "does not load through parent resource if instance isn't loaded when shallow" do
369
- model = Model.new
370
- allow(Model).to receive(:find).with('123') { model }
371
-
372
- resource = CanCan::ControllerResource.new(controller, through: :category, shallow: true)
373
- resource.load_resource
374
- expect(controller.instance_variable_get(:@model)).to eq(model)
375
- end
376
-
377
- it 'raises AccessDenied when attempting to load resource through nil' do
378
- resource = CanCan::ControllerResource.new(controller, through: :category)
379
- expect do
380
- resource.load_resource
381
- end.to raise_error(CanCan::AccessDenied) { |exception|
382
- expect(exception.action).to eq(:show)
383
- expect(exception.subject).to eq(Model)
384
- }
385
- expect(controller.instance_variable_get(:@model)).to be_nil
386
- end
387
-
388
- it 'loads through first matching if multiple are given' do
389
- category = double(models: {})
390
- controller.instance_variable_set(:@category, category)
391
- allow(category.models).to receive(:find).with('123') { :some_model }
392
-
393
- resource = CanCan::ControllerResource.new(controller, through: [:category, :user])
394
- resource.load_resource
395
- expect(controller.instance_variable_get(:@model)).to eq(:some_model)
396
- end
397
-
398
- it 'finds record through has_one association with :singleton option without id param' do
399
- params[:id] = nil
400
-
401
- category = double(model: :some_model)
402
- controller.instance_variable_set(:@category, category)
403
- resource = CanCan::ControllerResource.new(controller, through: :category, singleton: true)
404
- resource.load_resource
405
- expect(controller.instance_variable_get(:@model)).to eq(:some_model)
406
- end
407
-
408
- it 'does not try to load resource for other action if params[:id] is undefined' do
409
- params.merge!(action: 'list', id: nil)
410
- resource = CanCan::ControllerResource.new(controller)
411
- resource.load_resource
412
- expect(controller.instance_variable_get(:@model)).to be_nil
413
- end
414
-
415
- it 'finds record through has_one association with :singleton and :shallow options' do
416
- model = Model.new
417
- allow(Model).to receive(:find).with('123') { model }
418
-
419
- resource = CanCan::ControllerResource.new(controller, through: :category, singleton: true, shallow: true)
420
- resource.load_resource
421
- expect(controller.instance_variable_get(:@model)).to eq(model)
422
- end
423
-
424
- it 'loads the model using a custom class' do
425
- model = Model.new
426
- allow(Model).to receive(:find).with('123') { model }
427
-
428
- resource = CanCan::ControllerResource.new(controller, class: Model)
429
- resource.load_resource
430
- expect(controller.instance_variable_get(:@model)).to eq(model)
431
- end
432
-
433
- it 'loads the model using a custom namespaced class' do
434
- module Sub
435
- class Model < ::Model; end
436
- end
437
-
438
- model = Sub::Model.new
439
- allow(Sub::Model).to receive(:find).with('123') { model }
440
-
441
- resource = CanCan::ControllerResource.new(controller, class: ::Sub::Model)
442
- resource.load_resource
443
- expect(controller.instance_variable_get(:@model)).to eq(model)
444
- end
445
-
446
- it 'authorizes based on resource name if class is false' do
447
- allow(controller).to receive(:authorize!).with(:show, :model) { raise CanCan::AccessDenied }
448
- resource = CanCan::ControllerResource.new(controller, class: false)
449
- expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
450
- end
451
-
452
- it 'loads and authorize using custom instance name' do
453
- model = Model.new
454
- allow(Model).to receive(:find).with('123') { model }
455
-
456
- allow(controller).to receive(:authorize!).with(:show, model) { raise CanCan::AccessDenied }
457
- resource = CanCan::ControllerResource.new(controller, instance_name: :custom_model)
458
- expect { resource.load_and_authorize_resource }.to raise_error(CanCan::AccessDenied)
459
- expect(controller.instance_variable_get(:@custom_model)).to eq(model)
460
- end
461
-
462
- it 'loads resource using custom ID param' do
463
- model = Model.new
464
- allow(Model).to receive(:find).with('123') { model }
465
-
466
- params[:the_model] = 123
467
- resource = CanCan::ControllerResource.new(controller, id_param: :the_model)
468
- resource.load_resource
469
- expect(controller.instance_variable_get(:@model)).to eq(model)
470
- end
471
-
472
- # CVE-2012-5664
473
- it 'always converts id param to string' do
474
- params[:the_model] = { malicious: 'I am' }
475
- resource = CanCan::ControllerResource.new(controller, id_param: :the_model)
476
- expect(resource.send(:id_param).class).to eq(String)
477
- end
478
-
479
- it 'should id param return nil if param is nil' do
480
- params[:the_model] = nil
481
- resource = CanCan::ControllerResource.new(controller, id_param: :the_model)
482
- expect(resource.send(:id_param)).to be_nil
483
- end
484
-
485
- it 'loads resource using custom find_by attribute' do
486
- model = Model.new
487
- allow(Model).to receive(:name).with('foo') { model }
488
-
489
- params.merge!(action: 'show', id: 'foo')
490
- resource = CanCan::ControllerResource.new(controller, find_by: :name)
491
- resource.load_resource
492
- expect(controller.instance_variable_get(:@model)).to eq(model)
493
- end
494
-
495
- it 'allows full find method to be passed into find_by option' do
496
- model = Model.new
497
- allow(Model).to receive(:find_by_name).with('foo') { model }
498
-
499
- params.merge!(action: 'show', id: 'foo')
500
- resource = CanCan::ControllerResource.new(controller, find_by: :find_by_name)
501
- resource.load_resource
502
- expect(controller.instance_variable_get(:@model)).to eq(model)
503
- end
504
- end
505
-
506
- context 'when @name passed as symbol' do
507
- it 'returns namespaced #resource_class' do
508
- module Admin; end
509
- class Admin::Dashboard; end
510
- params[:controller] = 'admin/dashboard'
511
- resource = CanCan::ControllerResource.new(controller, :dashboard)
512
-
513
- expect(resource.send(:resource_class)).to eq Admin::Dashboard
514
- end
515
- end
516
-
517
- it 'calls the santitizer when the parameter hash matches our object' do
518
- params.merge!(action: 'create', model: { name: 'test' })
519
- allow(controller).to receive(:create_params).and_return({})
520
-
521
- resource = CanCan::ControllerResource.new(controller)
522
- resource.load_resource
523
- expect(controller.instance_variable_get(:@model).name).to eq nil
524
- end
525
-
526
- it 'santitizes correctly when the instance name is overriden' do
527
- params.merge!(action: 'create', custom_name: { name: 'foobar' })
528
- allow(controller).to receive(:create_params).and_return({})
529
-
530
- resource = CanCan::ControllerResource.new(controller, instance_name: :custom_name)
531
- resource.load_resource
532
- expect(controller.instance_variable_get(:@custom_name).name).to eq nil
533
- end
534
-
535
- it 'calls the santitize method on non-save actions when required' do
536
- params.merge!(action: 'new', model: { name: 'test' })
537
-
538
- allow(controller).to receive(:resource_params).and_return({})
539
- resource = CanCan::ControllerResource.new(controller)
540
- resource.load_resource
541
- expect(controller.instance_variable_get(:@model).name).to eq nil
542
- end
543
-
544
- it "doesn't sanitize parameters on non-save actions when not required" do
545
- params.merge!(action: 'new', not_our_model: { name: 'test' })
546
- allow(controller).to receive(:resource_params).and_raise
547
-
548
- resource = CanCan::ControllerResource.new(controller)
549
- expect do
550
- resource.load_resource
551
- end.to_not raise_error
552
- end
553
-
554
- it "is a parent resource when name is provided which doesn't match controller" do
555
- resource = CanCan::ControllerResource.new(controller, :category)
556
- expect(resource).to be_parent
557
- end
558
-
559
- it 'does not be a parent resource when name is provided which matches controller' do
560
- resource = CanCan::ControllerResource.new(controller, :model)
561
- expect(resource).to_not be_parent
562
- end
563
-
564
- it 'is parent if specified in options' do
565
- resource = CanCan::ControllerResource.new(controller, :model, parent: true)
566
- expect(resource).to be_parent
567
- end
568
-
569
- it 'does not be parent if specified in options' do
570
- resource = CanCan::ControllerResource.new(controller, :category, parent: false)
571
- expect(resource).to_not be_parent
572
- end
573
-
574
- it "has the specified resource_class if 'name' is passed to load_resource" do
575
- class Section; end
576
- resource = CanCan::ControllerResource.new(controller, :section)
577
- expect(resource.send(:resource_class)).to eq(Section)
578
- end
579
-
580
- it 'raises ImplementationRemoved when adding :name option' do
581
- expect do
582
- CanCan::ControllerResource.new(controller, name: :foo)
583
- end.to raise_error(CanCan::ImplementationRemoved)
584
- end
585
-
586
- it 'raises ImplementationRemoved exception when specifying :resource option since it is no longer used' do
587
- expect do
588
- CanCan::ControllerResource.new(controller, resource: Model)
589
- end.to raise_error(CanCan::ImplementationRemoved)
590
- end
591
-
592
- it 'raises ImplementationRemoved exception when passing :nested option' do
593
- expect do
594
- CanCan::ControllerResource.new(controller, nested: :model)
595
- end.to raise_error(CanCan::ImplementationRemoved)
596
- end
597
-
598
- it 'skips resource behavior for :only actions in array' do
599
- allow(controller_class).to receive(:cancan_skipper) { { load: { nil => { only: [:index, :show] } } } }
600
- params[:action] = 'index'
601
- expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be(true)
602
- expect(CanCan::ControllerResource.new(controller, :some_resource).skip?(:load)).to be(false)
603
- params[:action] = 'show'
604
- expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be(true)
605
- params[:action] = 'other_action'
606
- expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be_falsey
607
- end
608
-
609
- it 'skips resource behavior for :only one action on resource' do
610
- allow(controller_class).to receive(:cancan_skipper) { { authorize: { model: { only: :index } } } }
611
- params[:action] = 'index'
612
- expect(CanCan::ControllerResource.new(controller).skip?(:authorize)).to be(false)
613
- expect(CanCan::ControllerResource.new(controller, :model).skip?(:authorize)).to be(true)
614
- params[:action] = 'other_action'
615
- expect(CanCan::ControllerResource.new(controller, :model).skip?(:authorize)).to be_falsey
616
- end
617
-
618
- it 'skips resource behavior :except actions in array' do
619
- allow(controller_class).to receive(:cancan_skipper) { { load: { nil => { except: [:index, :show] } } } }
620
- params[:action] = 'index'
621
- expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be_falsey
622
- params[:action] = 'show'
623
- expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be_falsey
624
- params[:action] = 'other_action'
625
- expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be(true)
626
- expect(CanCan::ControllerResource.new(controller, :some_resource).skip?(:load)).to be(false)
627
- end
628
-
629
- it 'skips resource behavior :except one action on resource' do
630
- allow(controller_class).to receive(:cancan_skipper) { { authorize: { model: { except: :index } } } }
631
- params[:action] = 'index'
632
- expect(CanCan::ControllerResource.new(controller, :model).skip?(:authorize)).to be_falsey
633
- params[:action] = 'other_action'
634
- expect(CanCan::ControllerResource.new(controller).skip?(:authorize)).to be(false)
635
- expect(CanCan::ControllerResource.new(controller, :model).skip?(:authorize)).to be(true)
636
- end
637
-
638
- it 'skips loading and authorization' do
639
- allow(controller_class).to receive(:cancan_skipper) { { authorize: { nil => {} }, load: { nil => {} } } }
640
- params[:action] = 'new'
641
- resource = CanCan::ControllerResource.new(controller)
642
- expect { resource.load_and_authorize_resource }.not_to raise_error
643
- expect(controller.instance_variable_get(:@model)).to be_nil
644
- end
645
- end