cancancan 1.7.0

data/spec/cancan/controller_additions_spec.rb

@@ -0,0 +1,141 @@
+require "spec_helper"
+
+describe CanCan::ControllerAdditions do
+  before(:each) do
+    @controller_class = Class.new
+    @controller = @controller_class.new
+    allow(@controller).to receive(:params) { {} }
+    allow(@controller).to receive(:current_user) { :current_user }
+    expect(@controller_class).to receive(:helper_method).with(:can?, :cannot?, :current_ability)
+    @controller_class.send(:include, CanCan::ControllerAdditions)
+  end
+
+  it "raises ImplementationRemoved when attempting to call 'unauthorized!' on a controller" do
+    expect { @controller.unauthorized! }.to raise_error(CanCan::ImplementationRemoved)
+  end
+
+  it "authorize! assigns @_authorized instance variable and pass args to current ability" do
+    allow(@controller.current_ability).to receive(:authorize!).with(:foo, :bar)
+    @controller.authorize!(:foo, :bar)
+    expect(@controller.instance_variable_get(:@_authorized)).to be_true
+  end
+
+  it "has a current_ability method which generates an ability for the current user" do
+    expect(@controller.current_ability).to be_kind_of(Ability)
+  end
+
+  it "provides a can? and cannot? methods which go through the current ability" do
+    expect(@controller.current_ability).to be_kind_of(Ability)
+    expect(@controller.can?(:foo, :bar)).to be_false
+    expect(@controller.cannot?(:foo, :bar)).to be_true
+  end
+
+  it "load_and_authorize_resource setups a before filter which passes call to ControllerResource" do
+    expect(cancan_resource_class = double).to receive(:load_and_authorize_resource)
+    allow(CanCan::ControllerResource).to receive(:new).with(@controller, nil, :foo => :bar) {cancan_resource_class }
+    expect(@controller_class).to receive(:before_filter).with({}) { |options, &block| block.call(@controller) }
+    @controller_class.load_and_authorize_resource :foo => :bar
+  end
+
+  it "load_and_authorize_resource properly passes first argument as the resource name" do
+    expect(cancan_resource_class = double).to receive(:load_and_authorize_resource) 
+    allow(CanCan::ControllerResource).to receive(:new).with(@controller, :project, :foo => :bar) {cancan_resource_class}
+    expect(@controller_class).to receive(:before_filter).with({}) { |options, &block| block.call(@controller) }
+    @controller_class.load_and_authorize_resource :project, :foo => :bar
+  end
+
+  it "load_and_authorize_resource with :prepend prepends the before filter" do
+    expect(@controller_class).to receive(:prepend_before_filter).with({})
+    @controller_class.load_and_authorize_resource :foo => :bar, :prepend => true
+  end
+
+  it "authorize_resource setups a before filter which passes call to ControllerResource" do
+    expect(cancan_resource_class = double).to receive(:authorize_resource) 
+    allow(CanCan::ControllerResource).to receive(:new).with(@controller, nil, :foo => :bar) {cancan_resource_class}
+    expect(@controller_class).to receive(:before_filter).with(:except => :show, :if => true) { |options, &block| block.call(@controller) }
+    @controller_class.authorize_resource :foo => :bar, :except => :show, :if => true
+  end
+
+  it "load_resource setups a before filter which passes call to ControllerResource" do
+    expect(cancan_resource_class = double).to receive(:load_resource) 
+    allow(CanCan::ControllerResource).to receive(:new).with(@controller, nil, :foo => :bar) {cancan_resource_class}
+    expect(@controller_class).to receive(:before_filter).with(:only => [:show, :index], :unless => false) { |options, &block| block.call(@controller) }
+    @controller_class.load_resource :foo => :bar, :only => [:show, :index], :unless => false
+  end
+
+  it "skip_authorization_check setups a before filter which sets @_authorized to true" do
+    expect(@controller_class).to receive(:before_filter).with(:filter_options) { |options, &block| block.call(@controller) }
+    @controller_class.skip_authorization_check(:filter_options)
+    expect(@controller.instance_variable_get(:@_authorized)).to be_true
+  end
+
+  it "check_authorization triggers AuthorizationNotPerformed in after filter" do
+    expect(@controller_class).to receive(:after_filter).with(:only => [:test]) { |options, &block| block.call(@controller) }
+    expect {
+      @controller_class.check_authorization(:only => [:test])
+    }.to raise_error(CanCan::AuthorizationNotPerformed)
+  end
+
+  it "check_authorization does not trigger AuthorizationNotPerformed when :if is false" do
+    allow(@controller).to receive(:check_auth?) { false }
+    allow(@controller_class).to receive(:after_filter).with({}) { |options, &block| block.call(@controller) }
+    expect {
+      @controller_class.check_authorization(:if => :check_auth?)
+    }.not_to raise_error
+  end
+
+  it "check_authorization does not trigger AuthorizationNotPerformed when :unless is true" do
+    allow(@controller).to receive(:engine_controller?) { true }
+    expect(@controller_class).to receive(:after_filter).with({}) { |options, &block| block.call(@controller) }
+    expect {
+      @controller_class.check_authorization(:unless => :engine_controller?)
+    }.not_to raise_error
+  end
+
+  it "check_authorization does not raise error when @_authorized is set" do
+    @controller.instance_variable_set(:@_authorized, true)
+    expect(@controller_class).to receive(:after_filter).with(:only => [:test]) { |options, &block| block.call(@controller) }
+    expect {
+      @controller_class.check_authorization(:only => [:test])
+    }.not_to raise_error
+  end
+
+  it "cancan_resource_class is ControllerResource by default" do
+    expect(@controller.class.cancan_resource_class).to eq(CanCan::ControllerResource)
+  end
+
+  it "cancan_resource_class is InheritedResource when class includes InheritedResources::Actions" do
+    allow(@controller.class).to receive(:ancestors) { ["InheritedResources::Actions"] }
+    expect(@controller.class.cancan_resource_class).to eq(CanCan::InheritedResource)
+  end
+
+  it "cancan_skipper is an empty hash with :authorize and :load options and remember changes" do
+    expect(@controller_class.cancan_skipper).to eq({:authorize => {}, :load => {}})
+    @controller_class.cancan_skipper[:load] = true
+    expect(@controller_class.cancan_skipper[:load]).to be_true
+  end
+
+  it "skip_authorize_resource adds itself to the cancan skipper with given model name and options" do
+    @controller_class.skip_authorize_resource(:project, :only => [:index, :show])
+    expect(@controller_class.cancan_skipper[:authorize][:project]).to eq({:only => [:index, :show]})
+    @controller_class.skip_authorize_resource(:only => [:index, :show])
+    expect(@controller_class.cancan_skipper[:authorize][nil]).to eq({:only => [:index, :show]})
+    @controller_class.skip_authorize_resource(:article)
+    expect(@controller_class.cancan_skipper[:authorize][:article]).to eq({})
+  end
+
+  it "skip_load_resource adds itself to the cancan skipper with given model name and options" do
+    @controller_class.skip_load_resource(:project, :only => [:index, :show])
+    expect(@controller_class.cancan_skipper[:load][:project]).to eq({:only => [:index, :show]})
+    @controller_class.skip_load_resource(:only => [:index, :show])
+    expect(@controller_class.cancan_skipper[:load][nil]).to eq({:only => [:index, :show]})
+    @controller_class.skip_load_resource(:article)
+    expect(@controller_class.cancan_skipper[:load][:article]).to eq({})
+  end
+
+  it "skip_load_and_authore_resource adds itself to the cancan skipper with given model name and options" do
+    @controller_class.skip_load_and_authorize_resource(:project, :only => [:index, :show])
+    expect(@controller_class.cancan_skipper[:load][:project]).to eq({:only => [:index, :show]})
+    expect(@controller_class.cancan_skipper[:authorize][:project]).to eq({:only => [:index, :show]})
+  end
+end

data/spec/cancan/controller_resource_spec.rb

@@ -0,0 +1,553 @@
+require "spec_helper"
+
+describe CanCan::ControllerResource do
+  before(:each) do
+    @params = HashWithIndifferentAccess.new(:controller => "projects")
+    @controller_class = Class.new
+    @controller = @controller_class.new
+    @ability = Ability.new(nil)
+    allow(@controller).to receive(:params) { @params }
+    allow(@controller).to receive(:current_ability) { @ability }
+    allow(@controller_class).to receive(:cancan_skipper) { {:authorize => {}, :load => {}} }
+  end
+
+  it "loads the resource into an instance variable if params[:id] is specified" do
+    project = Project.create!
+    @params.merge!(:action => "show", :id => project.id)
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "does not load resource into an instance variable if already set" do
+    @params.merge!(:action => "show", :id => "123")
+    @controller.instance_variable_set(:@project, :some_project)
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
+  end
+
+  it "loads resource for namespaced controller" do
+    project = Project.create!
+    @params.merge!(:controller => "admin/projects", :action => "show", :id => project.id)
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "attempts to load a resource with the same namespace as the controller when using :: for namespace" do
+    module MyEngine
+      class Project < ::Project; end
+    end
+
+    project = MyEngine::Project.create!
+    @params.merge!(:controller => "MyEngine::ProjectsController", :action => "show", :id => project.id)
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  # Rails includes namespace in params, see issue #349
+  it "creates through the namespaced params" do
+    module MyEngine
+      class Project < ::Project; end
+    end
+
+    @params.merge!(:controller => "MyEngine::ProjectsController", :action => "create", :my_engine_project => {:name => "foobar"})
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
+  end
+
+  it "loads resource for namespaced controller when using '::' for namespace" do
+    project = Project.create!
+    @params.merge!(:controller => "Admin::ProjectsController", :action => "show", :id => project.id)
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "has the specified nested resource_class when using / for namespace" do
+    module Admin
+      class Dashboard; end
+    end
+    @ability.can(:index, "admin/dashboard")
+    @params.merge!(:controller => "admin/dashboard", :action => "index")
+    resource = CanCan::ControllerResource.new(@controller, :authorize => true)
+    expect(resource.send(:resource_class)).to eq(Admin::Dashboard)
+  end
+
+  it "builds a new resource with hash if params[:id] is not specified" do
+    @params.merge!(:action => "create", :project => {:name => "foobar"})
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
+  end
+
+  it "builds a new resource for namespaced model with hash if params[:id] is not specified" do
+    @params.merge!(:action => "create", 'sub_project' => {:name => "foobar"})
+    resource = CanCan::ControllerResource.new(@controller, :class => ::Sub::Project)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
+  end
+
+  it "builds a new resource for namespaced controller and namespaced model with hash if params[:id] is not specified" do
+    @params.merge!(:controller => "Admin::SubProjectsController", :action => "create", 'sub_project' => {:name => "foobar"})
+    resource = CanCan::ControllerResource.new(@controller, :class => Project)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@sub_project).name).to eq("foobar")
+  end
+
+  it "builds a new resource with attributes from current ability" do
+    @params.merge!(:action => "new")
+    @ability.can(:create, Project, :name => "from conditions")
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project).name).to eq("from conditions")
+  end
+
+  it "overrides initial attributes with params" do
+    @params.merge!(:action => "new", :project => {:name => "from params"})
+    @ability.can(:create, Project, :name => "from conditions")
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project).name).to eq("from params")
+  end
+
+  it "builds a collection when on index action when class responds to accessible_by" do
+    allow(Project).to receive(:accessible_by).with(@ability, :index) { :found_projects }
+    @params[:action] = "index"
+    resource = CanCan::ControllerResource.new(@controller, :project)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to be_nil
+    expect(@controller.instance_variable_get(:@projects)).to eq(:found_projects)
+  end
+
+  it "does not build a collection when on index action when class does not respond to accessible_by" do
+    @params[:action] = "index"
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to be_nil
+    expect(@controller.instance_variable_defined?(:@projects)).to be_false
+  end
+
+  it "does not use accessible_by when defining abilities through a block" do
+    allow(Project).to receive(:accessible_by).with(@ability) { :found_projects }
+    @params[:action] = "index"
+    @ability.can(:read, Project) { |p| false }
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to be_nil
+    expect(@controller.instance_variable_defined?(:@projects)).to be_false
+  end
+
+  it "does not authorize single resource in collection action" do
+    @params[:action] = "index"
+    @controller.instance_variable_set(:@project, :some_project)
+    allow(@controller).to receive(:authorize!).with(:index, Project) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller)
+    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+  end
+
+  it "authorizes parent resource in collection action" do
+    @params[:action] = "index"
+    @controller.instance_variable_set(:@category, :some_category)
+    allow(@controller).to receive(:authorize!).with(:show, :some_category) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller, :category, :parent => true)
+    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+  end
+
+  it "performs authorization using controller action and loaded model" do
+    @params.merge!(:action => "show", :id => "123")
+    @controller.instance_variable_set(:@project, :some_project)
+    allow(@controller).to receive(:authorize!).with(:show, :some_project) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller)
+    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+  end
+
+  it "performs authorization using controller action and non loaded model" do
+    @params.merge!(:action => "show", :id => "123")
+    allow(@controller).to receive(:authorize!).with(:show, Project) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller)
+    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+  end
+
+  it "calls load_resource and authorize_resource for load_and_authorize_resource" do
+    @params.merge!(:action => "show", :id => "123")
+    resource = CanCan::ControllerResource.new(@controller)
+    expect(resource).to receive(:load_resource)
+    expect(resource).to receive(:authorize_resource)
+    resource.load_and_authorize_resource
+  end
+
+  it "does not build a single resource when on custom collection action even with id" do
+    @params.merge!(:action => "sort", :id => "123")
+    resource = CanCan::ControllerResource.new(@controller, :collection => [:sort, :list])
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to be_nil
+  end
+
+  it "loads a collection resource when on custom action with no id param" do
+    allow(Project).to receive(:accessible_by).with(@ability, :sort) { :found_projects }
+    @params[:action] = "sort"
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to be_nil
+    expect(@controller.instance_variable_get(:@projects)).to eq(:found_projects)
+  end
+
+  it "builds a resource when on custom new action even when params[:id] exists" do
+    @params.merge!(:action => "build", :id => "123")
+    allow(Project).to receive(:new) { :some_project }
+    resource = CanCan::ControllerResource.new(@controller, :new => :build)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
+  end
+
+  it "does not try to load resource for other action if params[:id] is undefined" do
+    @params[:action] = "list"
+    resource = CanCan::ControllerResource.new(@controller)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to be_nil
+  end
+
+  it "is a parent resource when name is provided which doesn't match controller" do
+    resource = CanCan::ControllerResource.new(@controller, :category)
+    expect(resource).to be_parent
+  end
+
+  it "does not be a parent resource when name is provided which matches controller" do
+    resource = CanCan::ControllerResource.new(@controller, :project)
+    expect(resource).to_not be_parent
+  end
+
+  it "is parent if specified in options" do
+    resource = CanCan::ControllerResource.new(@controller, :project, {:parent => true})
+    expect(resource).to be_parent
+  end
+
+  it "does not be parent if specified in options" do
+    resource = CanCan::ControllerResource.new(@controller, :category, {:parent => false})
+    expect(resource).to_not be_parent
+  end
+
+  it "has the specified resource_class if 'name' is passed to load_resource" do
+    class Section
+    end
+
+    resource = CanCan::ControllerResource.new(@controller, :section)
+    expect(resource.send(:resource_class)).to eq(Section)
+  end
+
+  it "loads parent resource through proper id parameter" do
+    project = Project.create!
+    @params.merge!(:controller => "categories", :action => "index", :project_id => project.id)
+    resource = CanCan::ControllerResource.new(@controller, :project)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "loads resource through the association of another parent resource using instance variable" do
+    @params.merge!(:action => "show", :id => "123")
+    category = double(:projects => {})
+    @controller.instance_variable_set(:@category, category)
+    allow(category.projects).to receive(:find).with("123") { :some_project }
+    resource = CanCan::ControllerResource.new(@controller, :through => :category)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
+  end
+
+  it "loads resource through the custom association name" do
+    @params.merge!(:action => "show", :id => "123")
+    category = double(:custom_projects => {})
+    @controller.instance_variable_set(:@category, category)
+    allow(category.custom_projects).to receive(:find).with("123") { :some_project }
+    resource = CanCan::ControllerResource.new(@controller, :through => :category, :through_association => :custom_projects)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
+  end
+
+  it "loads resource through the association of another parent resource using method" do
+    @params.merge!(:action => "show", :id => "123")
+    category = double(:projects => {})
+    allow(@controller).to receive(:category) { category }
+    allow(category.projects).to receive(:find).with("123") { :some_project }
+    resource = CanCan::ControllerResource.new(@controller, :through => :category)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
+  end
+
+  it "does not load through parent resource if instance isn't loaded when shallow" do
+    project = Project.create!
+    @params.merge!(:action => "show", :id => project.id)
+    resource = CanCan::ControllerResource.new(@controller, :through => :category, :shallow => true)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "raises AccessDenied when attempting to load resource through nil" do
+    project = Project.create!
+    @params.merge!(:action => "show", :id => project.id)
+    resource = CanCan::ControllerResource.new(@controller, :through => :category)
+    expect {
+      resource.load_resource
+    }.to raise_error(CanCan::AccessDenied) { |exception|
+      expect(exception.action).to eq(:show)
+      expect(exception.subject).to eq(Project)
+    }
+    expect(@controller.instance_variable_get(:@project)).to be_nil
+  end
+
+  it "authorizes nested resource through parent association on index action" do
+    @params.merge!(:action => "index")
+    @controller.instance_variable_set(:@category, category = double)
+    allow(@controller).to receive(:authorize!).with(:index, category => Project) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller, :through => :category)
+    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+  end
+
+  it "loads through first matching if multiple are given" do
+    @params.merge!(:action => "show", :id => "123")
+    category = double(:projects => {})
+    @controller.instance_variable_set(:@category, category)
+    allow(category.projects).to receive(:find).with("123") { :some_project }
+    resource = CanCan::ControllerResource.new(@controller, :through => [:category, :user])
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
+  end
+
+  it "finds record through has_one association with :singleton option without id param" do
+    @params.merge!(:action => "show", :id => nil)
+    category = double(:project => :some_project)
+    @controller.instance_variable_set(:@category, category)
+    resource = CanCan::ControllerResource.new(@controller, :through => :category, :singleton => true)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
+  end
+
+  it "does not build record through has_one association with :singleton option because it can cause it to delete it in the database" do
+    @params.merge!(:action => "create", :project => {:name => "foobar"})
+    category = Category.new
+    @controller.instance_variable_set(:@category, category)
+    resource = CanCan::ControllerResource.new(@controller, :through => :category, :singleton => true)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
+    expect(@controller.instance_variable_get(:@project).category).to eq(category)
+  end
+
+  it "finds record through has_one association with :singleton and :shallow options" do
+    project = Project.create!
+    @params.merge!(:action => "show", :id => project.id)
+    resource = CanCan::ControllerResource.new(@controller, :through => :category, :singleton => true, :shallow => true)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "builds record through has_one association with :singleton and :shallow options" do
+    @params.merge!(:action => "create", :project => {:name => "foobar"})
+    resource = CanCan::ControllerResource.new(@controller, :through => :category, :singleton => true, :shallow => true)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
+  end
+
+  it "only authorizes :show action on parent resource" do
+    project = Project.create!
+    @params.merge!(:action => "new", :project_id => project.id)
+    allow(@controller).to receive(:authorize!).with(:show, project) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller, :project, :parent => true)
+    expect { resource.load_and_authorize_resource }.to raise_error(CanCan::AccessDenied)
+  end
+
+  it "loads the model using a custom class" do
+    project = Project.create!
+    @params.merge!(:action => "show", :id => project.id)
+    resource = CanCan::ControllerResource.new(@controller, :class => Project)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "loads the model using a custom namespaced class" do
+    project = Sub::Project.create!
+    @params.merge!(:action => "show", :id => project.id)
+    resource = CanCan::ControllerResource.new(@controller, :class => ::Sub::Project)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "authorizes based on resource name if class is false" do
+    @params.merge!(:action => "show", :id => "123")
+    allow(@controller).to receive(:authorize!).with(:show, :project) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller, :class => false)
+    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+  end
+
+  it "loads and authorize using custom instance name" do
+    project = Project.create!
+    @params.merge!(:action => "show", :id => project.id)
+    allow(@controller).to receive(:authorize!).with(:show, project) { raise CanCan::AccessDenied }
+    resource = CanCan::ControllerResource.new(@controller, :instance_name => :custom_project)
+    expect { resource.load_and_authorize_resource }.to raise_error(CanCan::AccessDenied)
+    expect(@controller.instance_variable_get(:@custom_project)).to eq(project)
+  end
+
+  it "loads resource using custom ID param" do
+    project = Project.create!
+    @params.merge!(:action => "show", :the_project => project.id)
+    resource = CanCan::ControllerResource.new(@controller, :id_param => :the_project)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  # CVE-2012-5664
+  it "always converts id param to string" do
+    @params.merge!(:action => "show", :the_project => { :malicious => "I am" })
+    resource = CanCan::ControllerResource.new(@controller, :id_param => :the_project)
+    expect(resource.send(:id_param).class).to eq(String)
+  end
+
+  it "should id param return nil if param is nil" do
+    @params.merge!(:action => "show", :the_project => nil)
+    resource = CanCan::ControllerResource.new(@controller, :id_param => :the_project)
+    expect(resource.send(:id_param)).to be_nil
+  end
+
+  it "loads resource using custom find_by attribute" do
+    project = Project.create!(:name => "foo")
+    @params.merge!(:action => "show", :id => "foo")
+    resource = CanCan::ControllerResource.new(@controller, :find_by => :name)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "allows full find method to be passed into find_by option" do
+    project = Project.create!(:name => "foo")
+    @params.merge!(:action => "show", :id => "foo")
+    resource = CanCan::ControllerResource.new(@controller, :find_by => :find_by_name)
+    resource.load_resource
+    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  end
+
+  it "raises ImplementationRemoved when adding :name option" do
+    expect {
+      CanCan::ControllerResource.new(@controller, :name => :foo)
+    }.to raise_error(CanCan::ImplementationRemoved)
+  end
+
+  it "raises ImplementationRemoved exception when specifying :resource option since it is no longer used" do
+    expect {
+      CanCan::ControllerResource.new(@controller, :resource => Project)
+    }.to raise_error(CanCan::ImplementationRemoved)
+  end
+
+  it "raises ImplementationRemoved exception when passing :nested option" do
+    expect {
+      CanCan::ControllerResource.new(@controller, :nested => :project)
+    }.to raise_error(CanCan::ImplementationRemoved)
+  end
+
+  it "skips resource behavior for :only actions in array" do
+    allow(@controller_class).to receive(:cancan_skipper) { {:load => {nil => {:only => [:index, :show]}}} }
+    @params.merge!(:action => "index")
+    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_true
+    expect(CanCan::ControllerResource.new(@controller, :some_resource).skip?(:load)).to be_false
+    @params.merge!(:action => "show")
+    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_true
+    @params.merge!(:action => "other_action")
+    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_false
+  end
+
+  it "skips resource behavior for :only one action on resource" do
+    allow(@controller_class).to receive(:cancan_skipper) { {:authorize => {:project => {:only => :index}}} }
+    @params.merge!(:action => "index")
+    expect(CanCan::ControllerResource.new(@controller).skip?(:authorize)).to be_false
+    expect(CanCan::ControllerResource.new(@controller, :project).skip?(:authorize)).to be_true
+    @params.merge!(:action => "other_action")
+    expect(CanCan::ControllerResource.new(@controller, :project).skip?(:authorize)).to be_false
+  end
+
+  it "skips resource behavior :except actions in array" do
+    allow(@controller_class).to receive(:cancan_skipper) { {:load => {nil => {:except => [:index, :show]}}} }
+    @params.merge!(:action => "index")
+    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_false
+    @params.merge!(:action => "show")
+    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_false
+    @params.merge!(:action => "other_action")
+    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_true
+    expect(CanCan::ControllerResource.new(@controller, :some_resource).skip?(:load)).to be_false
+  end
+
+  it "skips resource behavior :except one action on resource" do
+    allow(@controller_class).to receive(:cancan_skipper) { {:authorize => {:project => {:except => :index}}} }
+    @params.merge!(:action => "index")
+    expect(CanCan::ControllerResource.new(@controller, :project).skip?(:authorize)).to be_false
+    @params.merge!(:action => "other_action")
+    expect(CanCan::ControllerResource.new(@controller).skip?(:authorize)).to be_false
+    expect(CanCan::ControllerResource.new(@controller, :project).skip?(:authorize)).to be_true
+  end
+
+  it "skips loading and authorization" do
+    allow(@controller_class).to receive(:cancan_skipper) { {:authorize => {nil => {}}, :load => {nil => {}}} }
+    @params.merge!(:action => "new")
+    resource = CanCan::ControllerResource.new(@controller)
+    expect { resource.load_and_authorize_resource }.not_to raise_error
+    expect(@controller.instance_variable_get(:@project)).to be_nil
+  end
+
+  context "with a strong parameters method" do
+
+    it "only calls the santitize method with actions matching param_actions" do
+      @params.merge!(:controller => "project", :action => "update")
+      @controller.stub(:resource_params).and_return(:resource => 'params')
+      resource = CanCan::ControllerResource.new(@controller)
+      resource.stub(:param_actions => [:create])
+
+      @controller.should_not_receive(:send).with(:resource_params)
+      resource.send("resource_params")
+    end
+
+    it "uses the specified option for santitizing input" do
+      @params.merge!(:controller => "project", :action => "create")
+      @controller.stub(:resource_params).and_return(:resource => 'params')
+      @controller.stub(:project_params).and_return(:model => 'params')
+      @controller.stub(:create_params).and_return(:create => 'params')
+      @controller.stub(:custom_params).and_return(:custom => 'params')
+      resource = CanCan::ControllerResource.new(@controller, {:param_method => :custom_params})
+      expect(resource.send("resource_params")).to eq(:custom => 'params')
+    end
+
+    it "prefers to use the create_params method for santitizing input" do
+      @params.merge!(:controller => "project", :action => "create")
+      @controller.stub(:resource_params).and_return(:resource => 'params')
+      @controller.stub(:project_params).and_return(:model => 'params')
+      @controller.stub(:create_params).and_return(:create => 'params')
+      @controller.stub(:custom_params).and_return(:custom => 'params')
+      resource = CanCan::ControllerResource.new(@controller)
+      expect(resource.send("resource_params")).to eq(:create => 'params')
+    end
+
+    it "uses the proper action param based on the action" do
+      @params.merge!(:controller => "project", :action => "update")
+      @controller.stub(:create_params).and_return(:create => 'params')
+      @controller.stub(:update_params).and_return(:update => 'params')
+      resource = CanCan::ControllerResource.new(@controller)
+      expect(resource.send("resource_params")).to eq(:update => 'params')
+    end
+
+    it "prefers to use the <model_name>_params method for santitizing input if create is not found" do
+      @params.merge!(:controller => "project", :action => "create")
+      @controller.stub(:resource_params).and_return(:resource => 'params')
+      @controller.stub(:project_params).and_return(:model => 'params')
+      @controller.stub(:custom_params).and_return(:custom => 'params')
+      resource = CanCan::ControllerResource.new(@controller)
+      expect(resource.send("resource_params")).to eq(:model => 'params')
+    end
+
+    it "prefers to use the resource_params method for santitizing input if create or model is not found" do
+      @params.merge!(:controller => "project", :action => "create")
+      @controller.stub(:resource_params).and_return(:resource => 'params')
+      @controller.stub(:custom_params).and_return(:custom => 'params')
+      resource = CanCan::ControllerResource.new(@controller)
+      expect(resource.send("resource_params")).to eq(:resource => 'params')
+    end
+  end
+end