cancancan 1.7.1 → 1.8.0

data/lib/cancan/rule.rb

@@ -99,31 +99,19 @@ module CanCan
     # override_matching_for_conditions?(subject, conditions) and
     # matches_conditions_hash?(subject, conditions)
     def matches_conditions_hash?(subject, conditions = @conditions)
-      if conditions.empty?
-        true
-      else
-        if model_adapter(subject).override_conditions_hash_matching? subject, conditions
-          model_adapter(subject).matches_conditions_hash? subject, conditions
-        else
-          conditions.all? do |name, value|
-            if model_adapter(subject).override_condition_matching? subject, name, value
-              model_adapter(subject).matches_condition? subject, name, value
-            else
-              attribute = subject.send(name)
-              if value.kind_of?(Hash)
-                if attribute.kind_of?(Array) || (defined?(ActiveRecord) && attribute.kind_of?(ActiveRecord::Relation))
-                  attribute.any? { |element| matches_conditions_hash? element, value }
-                else
-                  !attribute.nil? && matches_conditions_hash?(attribute, value)
-                end
-              elsif !value.is_a?(String) && value.kind_of?(Enumerable)
-                value.include? attribute
-              else
-                attribute == value
-              end
-            end
-          end
+      return true if conditions.empty?
+      adapter = model_adapter(subject)
+
+      if adapter.override_conditions_hash_matching?(subject, conditions)
+        return adapter.matches_conditions_hash?(subject, conditions)
+      end
+
+      conditions.all? do |name, value|
+        if adapter.override_condition_matching?(subject, name, value)
+          return adapter.matches_condition?(subject, name, value)
         end
+
+        condition_match?(subject.send(name), value)
       end
     end
 
@@ -143,5 +131,22 @@ module CanCan
     def model_adapter(subject)
       CanCan::ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
     end
+
+    def condition_match?(attribute, value)
+      case value
+      when Hash       then hash_condition_match?(attribute, value)
+      when String     then attribute == value
+      when Enumerable then value.include?(attribute)
+      else attribute == value
+      end
+    end
+
+    def hash_condition_match?(attribute, value)
+      if attribute.kind_of?(Array) || (defined?(ActiveRecord) && attribute.kind_of?(ActiveRecord::Relation))
+        attribute.any? { |element| matches_conditions_hash?(element, value) }
+      else
+        !attribute.nil? && matches_conditions_hash?(attribute, value)
+      end
+    end
   end
 end

data/lib/cancan/version.rb

@@ -1,3 +1,3 @@
 module CanCan
-  VERSION = "1.7.1"
+  VERSION = "1.8.0"
 end

data/lib/cancancan.rb

@@ -1 +1,4 @@
 require 'cancan'
+
+module CanCanCan
+end

data/spec/cancan/ability_spec.rb

@@ -147,11 +147,21 @@ describe CanCan::Ability do
     expect(@ability.can?(:update, 123)).to be_false
   end
 
+  it "checks if there is a permission for any of given subjects" do
+    @ability.can :update, [String, Range]
+    expect(@ability.can?(:update, {:any => ["foo", 1..3]})).to be_true
+    expect(@ability.can?(:update, {:any => [1..3, "foo"]})).to be_true
+    expect(@ability.can?(:update, {:any => [123, "foo"]})).to be_true
+    expect(@ability.can?(:update, {:any => [123, 1.0]})).to be_false
+  end
+
   it "supports custom objects in the rule" do
     @ability.can :read, :stats
     expect(@ability.can?(:read, :stats)).to be_true
     expect(@ability.can?(:update, :stats)).to be_false
     expect(@ability.can?(:read, :nonstats)).to be_false
+    expect(@ability.can?(:read, {:any => [:stats, :nonstats]})).to be_true
+    expect(@ability.can?(:read, {:any => [:nonstats, :neitherstats]})).to be_false
   end
 
   it "checks ancestors of class" do
@@ -159,6 +169,7 @@ describe CanCan::Ability do
     expect(@ability.can?(:read, Integer)).to be_true
     expect(@ability.can?(:read, 1.23)).to be_true
     expect(@ability.can?(:read, "foo")).to be_false
+    expect(@ability.can?(:read, {:any => [Integer, String]})).to be_true
   end
 
   it "supports 'cannot' method to define what user cannot do" do
@@ -166,6 +177,9 @@ describe CanCan::Ability do
     @ability.cannot :read, Integer
     expect(@ability.can?(:read, "foo")).to be_true
     expect(@ability.can?(:read, 123)).to be_false
+    expect(@ability.can?(:read, {:any => ["foo", "bar"]})).to be_true
+    expect(@ability.can?(:read, {:any => [123, "foo"]})).to be_false
+    expect(@ability.can?(:read, {:any => [123, 456]})).to be_false
   end
 
   it "passes to previous rule, if block returns false or nil" do
@@ -177,6 +191,8 @@ describe CanCan::Ability do
     expect(@ability.can?(:read, 3)).to be_true
     expect(@ability.can?(:read, 8)).to be_false
     expect(@ability.can?(:read, 123)).to be_true
+    expect(@ability.can?(:read, {:any => [123, 8]})).to be_true
+    expect(@ability.can?(:read, {:any => [8, 9]})).to be_false
   end
 
   it "always returns `false` for single cannot definition" do
@@ -218,6 +234,8 @@ describe CanCan::Ability do
     end
     expect(@ability.can?(:read, 2, 1)).to be_true
     expect(@ability.can?(:read, 2, 3)).to be_false
+    expect(@ability.can?(:read, {:any => [4, 5]}, 3)).to be_true
+    expect(@ability.can?(:read, {:any => [2, 3]}, 3)).to be_false
   end
 
   it "uses conditions as third parameter and determine abilities from it" do
@@ -225,6 +243,8 @@ describe CanCan::Ability do
     expect(@ability.can?(:read, 1..3)).to be_true
     expect(@ability.can?(:read, 1..4)).to be_false
     expect(@ability.can?(:read, Range)).to be_true
+    expect(@ability.can?(:read, {:any => [1..3, 1..4]})).to be_true
+    expect(@ability.can?(:read, {:any => [1..4, 2..4]})).to be_false
   end
 
   it "allows an array of options in conditions hash" do
@@ -232,6 +252,8 @@ describe CanCan::Ability do
     expect(@ability.can?(:read, 1..3)).to be_true
     expect(@ability.can?(:read, 2..4)).to be_false
     expect(@ability.can?(:read, 3..5)).to be_true
+    expect(@ability.can?(:read, {:any => [2..4, 3..5]})).to be_true
+    expect(@ability.can?(:read, {:any => [2..4, 2..5]})).to be_false
   end
 
   it "allows a range of options in conditions hash" do
@@ -313,6 +335,8 @@ describe CanCan::Ability do
     expect(@ability.can?(:read, "foo" => Range)).to be_true
     expect(@ability.can?(:read, "foobar" => Range)).to be_false
     expect(@ability.can?(:read, 123 => Range)).to be_true
+    expect(@ability.can?(:read, {:any => [{"foo" => Range}, {"foobar" => Range}]})).to be_true
+    expect(@ability.can?(:read, {:any => [{"food" => Range}, {"foobar" => Range}]})).to be_false
   end
 
   it "checks permissions correctly when passing a hash of subjects with multiple definitions" do
@@ -321,6 +345,8 @@ describe CanCan::Ability do
     expect(@ability.can?(:read, "foo" => Range)).to be_true
     expect(@ability.can?(:read, "foobar" => Range)).to be_false
     expect(@ability.can?(:read, 1234 => Range)).to be_true
+    expect(@ability.can?(:read, {:any => [{"foo" => Range}, {"foobar" => Range}]})).to be_true
+    expect(@ability.can?(:read, {:any => [{"foo.bar" => Range}, {"foobar" => Range}]})).to be_false
   end
 
   it "allows to check ability on Hash-like object" do

data/spec/cancan/controller_resource_spec.rb

@@ -1,553 +1,626 @@
 require "spec_helper"
 
 describe CanCan::ControllerResource do
+  let(:ability) { Ability.new(nil) }
+  let(:params) { HashWithIndifferentAccess.new(:controller => "models") }
+  let(:controller_class) { Class.new }
+  let(:controller) { controller_class.new }
+
   before(:each) do
-    @params = HashWithIndifferentAccess.new(:controller => "projects")
-    @controller_class = Class.new
-    @controller = @controller_class.new
-    @ability = Ability.new(nil)
-    allow(@controller).to receive(:params) { @params }
-    allow(@controller).to receive(:current_ability) { @ability }
-    allow(@controller_class).to receive(:cancan_skipper) { {:authorize => {}, :load => {}} }
-  end
+    class Model
+      attr_accessor :name
+
+      def initialize(attributes={})
+        attributes.each do |attribute, value|
+          send("#{attribute}=", value)
+        end
+      end
+    end
 
-  it "loads the resource into an instance variable if params[:id] is specified" do
-    project = Project.create!
-    @params.merge!(:action => "show", :id => project.id)
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
+    allow(controller).to receive(:params) { params }
+    allow(controller).to receive(:current_ability) { ability }
+    allow(controller_class).to receive(:cancan_skipper) { {:authorize => {}, :load => {}} }
   end
 
-  it "does not load resource into an instance variable if already set" do
-    @params.merge!(:action => "show", :id => "123")
-    @controller.instance_variable_set(:@project, :some_project)
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
-  end
+  context "on build actions" do
+    before :each do
+      params.merge!(:action => "new")
+    end
 
-  it "loads resource for namespaced controller" do
-    project = Project.create!
-    @params.merge!(:controller => "admin/projects", :action => "show", :id => project.id)
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
-  end
+    it "builds a new resource with attributes from current ability" do
+      ability.can(:create, Model, :name => "from conditions")
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model).name).to eq("from conditions")
+    end
+
+    it "overrides initial attributes with params" do
+      params.merge!(:model => {:name => "from params"})
+      ability.can(:create, Model, :name => "from conditions")
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model).name).to eq("from params")
+    end
 
-  it "attempts to load a resource with the same namespace as the controller when using :: for namespace" do
-    module MyEngine
-      class Project < ::Project; end
+    it "builds a resource when on custom new action even when params[:id] exists" do
+      params.merge!(:action => "build", :id => "123")
+      allow(Model).to receive(:new) { :some_model }
+      resource = CanCan::ControllerResource.new(controller, :new => :build)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(:some_model)
     end
 
-    project = MyEngine::Project.create!
-    @params.merge!(:controller => "MyEngine::ProjectsController", :action => "show", :id => project.id)
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
+    it "only authorizes :show action on parent resource" do
+      model = Model.new
+      allow(Model).to receive(:find).with("123") { model }
+
+      params.merge!(:model_id => 123)
+      allow(controller).to receive(:authorize!).with(:show, model) { raise CanCan::AccessDenied }
+      resource = CanCan::ControllerResource.new(controller, :model, :parent => true)
+      expect { resource.load_and_authorize_resource }.to raise_error(CanCan::AccessDenied)
+    end
   end
 
-  # Rails includes namespace in params, see issue #349
-  it "creates through the namespaced params" do
-    module MyEngine
-      class Project < ::Project; end
+  context "on create actions" do
+    before :each do
+      params.merge!(:action => 'create')
     end
 
-    @params.merge!(:controller => "MyEngine::ProjectsController", :action => "create", :my_engine_project => {:name => "foobar"})
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
-  end
+    # Rails includes namespace in params, see issue #349
+    it "creates through the namespaced params" do
+      module MyEngine
+        class Model < ::Model; end
+      end
 
-  it "loads resource for namespaced controller when using '::' for namespace" do
-    project = Project.create!
-    @params.merge!(:controller => "Admin::ProjectsController", :action => "show", :id => project.id)
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
-  end
+      params.merge!(:controller => "MyEngine::ModelsController", :my_engine_model => {:name => "foobar"})
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model).name).to eq("foobar")
+    end
 
-  it "has the specified nested resource_class when using / for namespace" do
-    module Admin
-      class Dashboard; end
+    it "builds a new resource with hash if params[:id] is not specified" do
+      params.merge!(:model => {:name => "foobar"})
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model).name).to eq("foobar")
     end
-    @ability.can(:index, "admin/dashboard")
-    @params.merge!(:controller => "admin/dashboard", :action => "index")
-    resource = CanCan::ControllerResource.new(@controller, :authorize => true)
-    expect(resource.send(:resource_class)).to eq(Admin::Dashboard)
-  end
 
-  it "builds a new resource with hash if params[:id] is not specified" do
-    @params.merge!(:action => "create", :project => {:name => "foobar"})
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
-  end
+    it "builds a new resource for namespaced model with hash if params[:id] is not specified" do
+      module Sub
+        class Model < ::Model; end
+      end
 
-  it "builds a new resource for namespaced model with hash if params[:id] is not specified" do
-    @params.merge!(:action => "create", 'sub_project' => {:name => "foobar"})
-    resource = CanCan::ControllerResource.new(@controller, :class => ::Sub::Project)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
-  end
+      params.merge!('sub_model' => {:name => "foobar"})
+      resource = CanCan::ControllerResource.new(controller, :class => ::Sub::Model)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model).name).to eq("foobar")
+    end
 
-  it "builds a new resource for namespaced controller and namespaced model with hash if params[:id] is not specified" do
-    @params.merge!(:controller => "Admin::SubProjectsController", :action => "create", 'sub_project' => {:name => "foobar"})
-    resource = CanCan::ControllerResource.new(@controller, :class => Project)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@sub_project).name).to eq("foobar")
-  end
+    it "builds a new resource for namespaced controller and namespaced model with hash if params[:id] is not specified" do
+      params.merge!(:controller => "Admin::SubModelsController", 'sub_model' => {:name => "foobar"})
+      resource = CanCan::ControllerResource.new(controller, :class => Model)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@sub_model).name).to eq("foobar")
+    end
 
-  it "builds a new resource with attributes from current ability" do
-    @params.merge!(:action => "new")
-    @ability.can(:create, Project, :name => "from conditions")
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project).name).to eq("from conditions")
-  end
+    it "does not build record through has_one association with :singleton option because it can cause it to delete it in the database" do
+      category = Class.new
+      allow_any_instance_of(Model).to receive('category=').with(category)
+      allow_any_instance_of(Model).to receive('category') { category }
 
-  it "overrides initial attributes with params" do
-    @params.merge!(:action => "new", :project => {:name => "from params"})
-    @ability.can(:create, Project, :name => "from conditions")
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project).name).to eq("from params")
-  end
+      params.merge!(:model => {:name => "foobar"})
 
-  it "builds a collection when on index action when class responds to accessible_by" do
-    allow(Project).to receive(:accessible_by).with(@ability, :index) { :found_projects }
-    @params[:action] = "index"
-    resource = CanCan::ControllerResource.new(@controller, :project)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to be_nil
-    expect(@controller.instance_variable_get(:@projects)).to eq(:found_projects)
-  end
+      controller.instance_variable_set(:@category, category)
+      resource = CanCan::ControllerResource.new(controller, :through => :category, :singleton => true)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model).name).to eq("foobar")
+      expect(controller.instance_variable_get(:@model).category).to eq(category)
+    end
 
-  it "does not build a collection when on index action when class does not respond to accessible_by" do
-    @params[:action] = "index"
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to be_nil
-    expect(@controller.instance_variable_defined?(:@projects)).to be_false
-  end
+    it "builds record through has_one association with :singleton and :shallow options" do
+      params.merge!(:model => {:name => "foobar"})
+      resource = CanCan::ControllerResource.new(controller, :through => :category, :singleton => true, :shallow => true)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model).name).to eq("foobar")
+    end
 
-  it "does not use accessible_by when defining abilities through a block" do
-    allow(Project).to receive(:accessible_by).with(@ability) { :found_projects }
-    @params[:action] = "index"
-    @ability.can(:read, Project) { |p| false }
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to be_nil
-    expect(@controller.instance_variable_defined?(:@projects)).to be_false
+    context "with a strong parameters method" do
+      it "accepts and uses the specified symbol for santitizing input" do
+        params.merge!(:controller => "model")
+        controller.stub(:resource_params).and_return(:resource => 'params')
+        controller.stub(:model_params).and_return(:model => 'params')
+        controller.stub(:create_params).and_return(:create => 'params')
+        controller.stub(:custom_params).and_return(:custom => 'params')
+        resource = CanCan::ControllerResource.new(controller, {:param_method => :custom_params})
+        expect(resource.send("resource_params")).to eq(:custom => 'params')
+      end
+
+      it "accepts the specified string for sanitizing input" do
+        params.merge!(:controller => "model")
+        resource = CanCan::ControllerResource.new(controller, {:param_method => "{:custom => 'params'}"})
+        expect(resource.send("resource_params")).to eq(:custom => 'params')
+      end
+
+      it "accepts the specified proc for sanitizing input" do
+        params.merge!(:controller => "model")
+        resource = CanCan::ControllerResource.new(controller, {:param_method => Proc.new { |c| {:custom => 'params'}}})
+        expect(resource.send("resource_params")).to eq(:custom => 'params')
+      end
+
+      it "prefers to use the create_params method for santitizing input" do
+        params.merge!(:controller => "model")
+        controller.stub(:resource_params).and_return(:resource => 'params')
+        controller.stub(:model_params).and_return(:model => 'params')
+        controller.stub(:create_params).and_return(:create => 'params')
+        controller.stub(:custom_params).and_return(:custom => 'params')
+        resource = CanCan::ControllerResource.new(controller)
+        expect(resource.send("resource_params")).to eq(:create => 'params')
+      end
+
+      it "prefers to use the <model_name>_params method for santitizing input if create is not found" do
+        params.merge!(:controller => "model")
+        controller.stub(:resource_params).and_return(:resource => 'params')
+        controller.stub(:model_params).and_return(:model => 'params')
+        controller.stub(:custom_params).and_return(:custom => 'params')
+        resource = CanCan::ControllerResource.new(controller)
+        expect(resource.send("resource_params")).to eq(:model => 'params')
+      end
+
+      it "prefers to use the resource_params method for santitizing input if create or model is not found" do
+        params.merge!(:controller => "model")
+        controller.stub(:resource_params).and_return(:resource => 'params')
+        controller.stub(:custom_params).and_return(:custom => 'params')
+        resource = CanCan::ControllerResource.new(controller)
+        expect(resource.send("resource_params")).to eq(:resource => 'params')
+      end
+    end
   end
 
-  it "does not authorize single resource in collection action" do
-    @params[:action] = "index"
-    @controller.instance_variable_set(:@project, :some_project)
-    allow(@controller).to receive(:authorize!).with(:index, Project) { raise CanCan::AccessDenied }
-    resource = CanCan::ControllerResource.new(@controller)
-    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
-  end
+  context "on collection actions" do
+    before :each do
+      params[:action] = 'index'
+    end
 
-  it "authorizes parent resource in collection action" do
-    @params[:action] = "index"
-    @controller.instance_variable_set(:@category, :some_category)
-    allow(@controller).to receive(:authorize!).with(:show, :some_category) { raise CanCan::AccessDenied }
-    resource = CanCan::ControllerResource.new(@controller, :category, :parent => true)
-    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
-  end
+    it "builds a collection when on index action when class responds to accessible_by" do
+      allow(Model).to receive(:accessible_by).with(ability, :index) { :found_models }
 
-  it "performs authorization using controller action and loaded model" do
-    @params.merge!(:action => "show", :id => "123")
-    @controller.instance_variable_set(:@project, :some_project)
-    allow(@controller).to receive(:authorize!).with(:show, :some_project) { raise CanCan::AccessDenied }
-    resource = CanCan::ControllerResource.new(@controller)
-    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
-  end
+      resource = CanCan::ControllerResource.new(controller, :model)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to be_nil
+      expect(controller.instance_variable_get(:@models)).to eq(:found_models)
+    end
 
-  it "performs authorization using controller action and non loaded model" do
-    @params.merge!(:action => "show", :id => "123")
-    allow(@controller).to receive(:authorize!).with(:show, Project) { raise CanCan::AccessDenied }
-    resource = CanCan::ControllerResource.new(@controller)
-    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
-  end
+    it "does not build a collection when on index action when class does not respond to accessible_by" do
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to be_nil
+      expect(controller.instance_variable_defined?(:@models)).to be_false
+    end
 
-  it "calls load_resource and authorize_resource for load_and_authorize_resource" do
-    @params.merge!(:action => "show", :id => "123")
-    resource = CanCan::ControllerResource.new(@controller)
-    expect(resource).to receive(:load_resource)
-    expect(resource).to receive(:authorize_resource)
-    resource.load_and_authorize_resource
-  end
+    it "does not use accessible_by when defining abilities through a block" do
+      allow(Model).to receive(:accessible_by).with(ability) { :found_models }
 
-  it "does not build a single resource when on custom collection action even with id" do
-    @params.merge!(:action => "sort", :id => "123")
-    resource = CanCan::ControllerResource.new(@controller, :collection => [:sort, :list])
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to be_nil
-  end
+      ability.can(:read, Model) { |p| false }
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to be_nil
+      expect(controller.instance_variable_defined?(:@models)).to be_false
+    end
 
-  it "loads a collection resource when on custom action with no id param" do
-    allow(Project).to receive(:accessible_by).with(@ability, :sort) { :found_projects }
-    @params[:action] = "sort"
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to be_nil
-    expect(@controller.instance_variable_get(:@projects)).to eq(:found_projects)
-  end
+    it "does not authorize single resource in collection action" do
+      allow(controller).to receive(:authorize!).with(:index, Model) { raise CanCan::AccessDenied }
+      resource = CanCan::ControllerResource.new(controller)
 
-  it "builds a resource when on custom new action even when params[:id] exists" do
-    @params.merge!(:action => "build", :id => "123")
-    allow(Project).to receive(:new) { :some_project }
-    resource = CanCan::ControllerResource.new(@controller, :new => :build)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
-  end
+      expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+    end
 
-  it "does not try to load resource for other action if params[:id] is undefined" do
-    @params[:action] = "list"
-    resource = CanCan::ControllerResource.new(@controller)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to be_nil
-  end
+    it "authorizes parent resource in collection action" do
+      controller.instance_variable_set(:@category, :some_category)
+      allow(controller).to receive(:authorize!).with(:show, :some_category) { raise CanCan::AccessDenied }
 
-  it "is a parent resource when name is provided which doesn't match controller" do
-    resource = CanCan::ControllerResource.new(@controller, :category)
-    expect(resource).to be_parent
-  end
+      resource = CanCan::ControllerResource.new(controller, :category, :parent => true)
+      expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+    end
 
-  it "does not be a parent resource when name is provided which matches controller" do
-    resource = CanCan::ControllerResource.new(@controller, :project)
-    expect(resource).to_not be_parent
-  end
+    it "has the specified nested resource_class when using / for namespace" do
+      module Admin
+        class Dashboard; end
+      end
+      ability.can(:index, "admin/dashboard")
+      params.merge!(:controller => "admin/dashboard")
+      resource = CanCan::ControllerResource.new(controller, :authorize => true)
+      expect(resource.send(:resource_class)).to eq(Admin::Dashboard)
+    end
 
-  it "is parent if specified in options" do
-    resource = CanCan::ControllerResource.new(@controller, :project, {:parent => true})
-    expect(resource).to be_parent
-  end
+    it "does not build a single resource when on custom collection action even with id" do
+      params.merge!(:action => "sort", :id => "123")
 
-  it "does not be parent if specified in options" do
-    resource = CanCan::ControllerResource.new(@controller, :category, {:parent => false})
-    expect(resource).to_not be_parent
-  end
+      resource = CanCan::ControllerResource.new(controller, :collection => [:sort, :list])
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to be_nil
+    end
 
-  it "has the specified resource_class if 'name' is passed to load_resource" do
-    class Section
+    it "loads a collection resource when on custom action with no id param" do
+      allow(Model).to receive(:accessible_by).with(ability, :sort) { :found_models }
+      params[:action] = "sort"
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to be_nil
+      expect(controller.instance_variable_get(:@models)).to eq(:found_models)
     end
 
-    resource = CanCan::ControllerResource.new(@controller, :section)
-    expect(resource.send(:resource_class)).to eq(Section)
-  end
+    it "loads parent resource through proper id parameter" do
+      model = Model.new
+      allow(Model).to receive(:find).with("1") { model }
 
-  it "loads parent resource through proper id parameter" do
-    project = Project.create!
-    @params.merge!(:controller => "categories", :action => "index", :project_id => project.id)
-    resource = CanCan::ControllerResource.new(@controller, :project)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
-  end
+      params.merge!(:controller => "categories", :model_id => 1)
+      resource = CanCan::ControllerResource.new(controller, :model)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
 
-  it "loads resource through the association of another parent resource using instance variable" do
-    @params.merge!(:action => "show", :id => "123")
-    category = double(:projects => {})
-    @controller.instance_variable_set(:@category, category)
-    allow(category.projects).to receive(:find).with("123") { :some_project }
-    resource = CanCan::ControllerResource.new(@controller, :through => :category)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
+    it "authorizes nested resource through parent association on index action" do
+      controller.instance_variable_set(:@category, category = double)
+      allow(controller).to receive(:authorize!).with(:index, category => Model) { raise CanCan::AccessDenied }
+      resource = CanCan::ControllerResource.new(controller, :through => :category)
+      expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+    end
   end
 
-  it "loads resource through the custom association name" do
-    @params.merge!(:action => "show", :id => "123")
-    category = double(:custom_projects => {})
-    @controller.instance_variable_set(:@category, category)
-    allow(category.custom_projects).to receive(:find).with("123") { :some_project }
-    resource = CanCan::ControllerResource.new(@controller, :through => :category, :through_association => :custom_projects)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
-  end
+  context "on instance read actions" do
+    before :each do
+      params.merge!(:action => "show", :id => "123")
+    end
 
-  it "loads resource through the association of another parent resource using method" do
-    @params.merge!(:action => "show", :id => "123")
-    category = double(:projects => {})
-    allow(@controller).to receive(:category) { category }
-    allow(category.projects).to receive(:find).with("123") { :some_project }
-    resource = CanCan::ControllerResource.new(@controller, :through => :category)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
-  end
+    it "loads the resource into an instance variable if params[:id] is specified" do
+      model = Model.new
+      allow(Model).to receive(:find).with("123") { model }
 
-  it "does not load through parent resource if instance isn't loaded when shallow" do
-    project = Project.create!
-    @params.merge!(:action => "show", :id => project.id)
-    resource = CanCan::ControllerResource.new(@controller, :through => :category, :shallow => true)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
-  end
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
 
-  it "raises AccessDenied when attempting to load resource through nil" do
-    project = Project.create!
-    @params.merge!(:action => "show", :id => project.id)
-    resource = CanCan::ControllerResource.new(@controller, :through => :category)
-    expect {
+    it "does not load resource into an instance variable if already set" do
+      controller.instance_variable_set(:@model, :some_model)
+      resource = CanCan::ControllerResource.new(controller)
       resource.load_resource
-    }.to raise_error(CanCan::AccessDenied) { |exception|
-      expect(exception.action).to eq(:show)
-      expect(exception.subject).to eq(Project)
-    }
-    expect(@controller.instance_variable_get(:@project)).to be_nil
-  end
+      expect(controller.instance_variable_get(:@model)).to eq(:some_model)
+    end
 
-  it "authorizes nested resource through parent association on index action" do
-    @params.merge!(:action => "index")
-    @controller.instance_variable_set(:@category, category = double)
-    allow(@controller).to receive(:authorize!).with(:index, category => Project) { raise CanCan::AccessDenied }
-    resource = CanCan::ControllerResource.new(@controller, :through => :category)
-    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
-  end
+    it "loads resource for namespaced controller" do
+      model = Model.new
+      allow(Model).to receive(:find).with("123") { model }
+      params.merge!(:controller => "admin/models")
 
-  it "loads through first matching if multiple are given" do
-    @params.merge!(:action => "show", :id => "123")
-    category = double(:projects => {})
-    @controller.instance_variable_set(:@category, category)
-    allow(category.projects).to receive(:find).with("123") { :some_project }
-    resource = CanCan::ControllerResource.new(@controller, :through => [:category, :user])
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
-  end
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
 
-  it "finds record through has_one association with :singleton option without id param" do
-    @params.merge!(:action => "show", :id => nil)
-    category = double(:project => :some_project)
-    @controller.instance_variable_set(:@category, category)
-    resource = CanCan::ControllerResource.new(@controller, :through => :category, :singleton => true)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(:some_project)
-  end
+    it "attempts to load a resource with the same namespace as the controller when using :: for namespace" do
+      module MyEngine
+        class Model < ::Model; end
+      end
 
-  it "does not build record through has_one association with :singleton option because it can cause it to delete it in the database" do
-    @params.merge!(:action => "create", :project => {:name => "foobar"})
-    category = Category.new
-    @controller.instance_variable_set(:@category, category)
-    resource = CanCan::ControllerResource.new(@controller, :through => :category, :singleton => true)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
-    expect(@controller.instance_variable_get(:@project).category).to eq(category)
-  end
+      model = MyEngine::Model.new
+      allow(MyEngine::Model).to receive(:find).with("123") { model }
 
-  it "finds record through has_one association with :singleton and :shallow options" do
-    project = Project.create!
-    @params.merge!(:action => "show", :id => project.id)
-    resource = CanCan::ControllerResource.new(@controller, :through => :category, :singleton => true, :shallow => true)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
-  end
+      params.merge!(:controller => "MyEngine::ModelsController")
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
 
-  it "builds record through has_one association with :singleton and :shallow options" do
-    @params.merge!(:action => "create", :project => {:name => "foobar"})
-    resource = CanCan::ControllerResource.new(@controller, :through => :category, :singleton => true, :shallow => true)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project).name).to eq("foobar")
-  end
+    it "loads resource for namespaced controller when using '::' for namespace" do
+      model = Model.new
+      allow(Model).to receive(:find).with("123") { model }
 
-  it "only authorizes :show action on parent resource" do
-    project = Project.create!
-    @params.merge!(:action => "new", :project_id => project.id)
-    allow(@controller).to receive(:authorize!).with(:show, project) { raise CanCan::AccessDenied }
-    resource = CanCan::ControllerResource.new(@controller, :project, :parent => true)
-    expect { resource.load_and_authorize_resource }.to raise_error(CanCan::AccessDenied)
-  end
+      params.merge!(:controller => "Admin::ModelsController")
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
 
-  it "loads the model using a custom class" do
-    project = Project.create!
-    @params.merge!(:action => "show", :id => project.id)
-    resource = CanCan::ControllerResource.new(@controller, :class => Project)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
-  end
+    it "performs authorization using controller action and loaded model" do
+      controller.instance_variable_set(:@model, :some_model)
+      allow(controller).to receive(:authorize!).with(:show, :some_model) { raise CanCan::AccessDenied }
 
-  it "loads the model using a custom namespaced class" do
-    project = Sub::Project.create!
-    @params.merge!(:action => "show", :id => project.id)
-    resource = CanCan::ControllerResource.new(@controller, :class => ::Sub::Project)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
-  end
+      resource = CanCan::ControllerResource.new(controller)
+      expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+    end
+
+    it "performs authorization using controller action and non loaded model" do
+      allow(controller).to receive(:authorize!).with(:show, Model) { raise CanCan::AccessDenied }
+      resource = CanCan::ControllerResource.new(controller)
+      expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+    end
+
+    it "calls load_resource and authorize_resource for load_and_authorize_resource" do
+      resource = CanCan::ControllerResource.new(controller)
+      expect(resource).to receive(:load_resource)
+      expect(resource).to receive(:authorize_resource)
+      resource.load_and_authorize_resource
+    end
+
+    it "loads resource through the association of another parent resource using instance variable" do
+      category = double(:models => {})
+      controller.instance_variable_set(:@category, category)
+      allow(category.models).to receive(:find).with("123") { :some_model }
+      resource = CanCan::ControllerResource.new(controller, :through => :category)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(:some_model)
+    end
+
+    it "loads resource through the custom association name" do
+      category = double(:custom_models => {})
+      controller.instance_variable_set(:@category, category)
+      allow(category.custom_models).to receive(:find).with("123") { :some_model }
+      resource = CanCan::ControllerResource.new(controller, :through => :category, :through_association => :custom_models)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(:some_model)
+    end
+
+    it "loads resource through the association of another parent resource using method" do
+      category = double(:models => {})
+      allow(controller).to receive(:category) { category }
+      allow(category.models).to receive(:find).with("123") { :some_model }
+      resource = CanCan::ControllerResource.new(controller, :through => :category)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(:some_model)
+    end
+
+    it "does not load through parent resource if instance isn't loaded when shallow" do
+      model = Model.new
+      allow(Model).to receive(:find).with("123") { model }
+
+      resource = CanCan::ControllerResource.new(controller, :through => :category, :shallow => true)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
+
+    it "raises AccessDenied when attempting to load resource through nil" do
+      resource = CanCan::ControllerResource.new(controller, :through => :category)
+      expect {
+        resource.load_resource
+      }.to raise_error(CanCan::AccessDenied) { |exception|
+        expect(exception.action).to eq(:show)
+        expect(exception.subject).to eq(Model)
+      }
+      expect(controller.instance_variable_get(:@model)).to be_nil
+    end
+
+    it "loads through first matching if multiple are given" do
+      category = double(:models => {})
+      controller.instance_variable_set(:@category, category)
+      allow(category.models).to receive(:find).with("123") { :some_model }
+
+      resource = CanCan::ControllerResource.new(controller, :through => [:category, :user])
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(:some_model)
+    end
+
+    it "finds record through has_one association with :singleton option without id param" do
+      params.merge!(:id => nil)
+
+      category = double(:model => :some_model)
+      controller.instance_variable_set(:@category, category)
+      resource = CanCan::ControllerResource.new(controller, :through => :category, :singleton => true)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(:some_model)
+    end
+
+    it "does not try to load resource for other action if params[:id] is undefined" do
+      params.merge!(:action => 'list', :id => nil)
+      resource = CanCan::ControllerResource.new(controller)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to be_nil
+    end
+
+    it "finds record through has_one association with :singleton and :shallow options" do
+      model = Model.new
+      allow(Model).to receive(:find).with("123") { model }
+
+      resource = CanCan::ControllerResource.new(controller, :through => :category, :singleton => true, :shallow => true)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
+
+    it "loads the model using a custom class" do
+      model = Model.new
+      allow(Model).to receive(:find).with("123") { model }
+
+      resource = CanCan::ControllerResource.new(controller, :class => Model)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
+
+    it "loads the model using a custom namespaced class" do
+      module Sub
+        class Model < ::Model; end
+      end
+
+      model = Sub::Model.new
+      allow(Sub::Model).to receive(:find).with("123") { model }
+
+      resource = CanCan::ControllerResource.new(controller, :class => ::Sub::Model)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
 
-  it "authorizes based on resource name if class is false" do
-    @params.merge!(:action => "show", :id => "123")
-    allow(@controller).to receive(:authorize!).with(:show, :project) { raise CanCan::AccessDenied }
-    resource = CanCan::ControllerResource.new(@controller, :class => false)
-    expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+    it "authorizes based on resource name if class is false" do
+      allow(controller).to receive(:authorize!).with(:show, :model) { raise CanCan::AccessDenied }
+      resource = CanCan::ControllerResource.new(controller, :class => false)
+      expect { resource.authorize_resource }.to raise_error(CanCan::AccessDenied)
+    end
+
+    it "loads and authorize using custom instance name" do
+      model = Model.new
+      allow(Model).to receive(:find).with("123") { model }
+
+      allow(controller).to receive(:authorize!).with(:show, model) { raise CanCan::AccessDenied }
+      resource = CanCan::ControllerResource.new(controller, :instance_name => :custom_model)
+      expect { resource.load_and_authorize_resource }.to raise_error(CanCan::AccessDenied)
+      expect(controller.instance_variable_get(:@custom_model)).to eq(model)
+    end
+
+    it "loads resource using custom ID param" do
+      model = Model.new
+      allow(Model).to receive(:find).with("123") { model }
+
+      params.merge!(:the_model => 123)
+      resource = CanCan::ControllerResource.new(controller, :id_param => :the_model)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
+
+    # CVE-2012-5664
+    it "always converts id param to string" do
+      params.merge!(:the_model => { :malicious => "I am" })
+      resource = CanCan::ControllerResource.new(controller, :id_param => :the_model)
+      expect(resource.send(:id_param).class).to eq(String)
+    end
+
+    it "should id param return nil if param is nil" do
+      params.merge!(:the_model => nil)
+      resource = CanCan::ControllerResource.new(controller, :id_param => :the_model)
+      expect(resource.send(:id_param)).to be_nil
+    end
+
+    it "loads resource using custom find_by attribute" do
+      model = Model.new
+      allow(Model).to receive(:name).with('foo') { model }
+
+      params.merge!(:action => "show", :id => "foo")
+      resource = CanCan::ControllerResource.new(controller, :find_by => :name)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
+
+    it "allows full find method to be passed into find_by option" do
+      model = Model.new
+      allow(Model).to receive(:find_by_name).with('foo') { model }
+
+      params.merge!(:action => "show", :id => "foo")
+      resource = CanCan::ControllerResource.new(controller, :find_by => :find_by_name)
+      resource.load_resource
+      expect(controller.instance_variable_get(:@model)).to eq(model)
+    end
   end
 
-  it "loads and authorize using custom instance name" do
-    project = Project.create!
-    @params.merge!(:action => "show", :id => project.id)
-    allow(@controller).to receive(:authorize!).with(:show, project) { raise CanCan::AccessDenied }
-    resource = CanCan::ControllerResource.new(@controller, :instance_name => :custom_project)
-    expect { resource.load_and_authorize_resource }.to raise_error(CanCan::AccessDenied)
-    expect(@controller.instance_variable_get(:@custom_project)).to eq(project)
+  context "on update actions" do
+    before :each do
+      params.merge!(:action => 'update')
+    end
+
+    context "with a strong parameters method" do
+      it "only calls the santitize method with actions matching param_actions" do
+        controller.stub(:resource_params).and_return(:resource => 'params')
+        resource = CanCan::ControllerResource.new(controller)
+        resource.stub(:param_actions => [:create])
+
+        controller.should_not_receive(:send).with(:resource_params)
+        resource.send("resource_params")
+      end
+
+      it "uses the proper action param based on the action" do
+        controller.stub(:create_params).and_return(:create => 'params')
+        controller.stub(:update_params).and_return(:update => 'params')
+        resource = CanCan::ControllerResource.new(controller)
+        expect(resource.send("resource_params")).to eq(:update => 'params')
+      end
+    end
   end
 
-  it "loads resource using custom ID param" do
-    project = Project.create!
-    @params.merge!(:action => "show", :the_project => project.id)
-    resource = CanCan::ControllerResource.new(@controller, :id_param => :the_project)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  it "is a parent resource when name is provided which doesn't match controller" do
+    resource = CanCan::ControllerResource.new(controller, :category)
+    expect(resource).to be_parent
   end
 
-  # CVE-2012-5664
-  it "always converts id param to string" do
-    @params.merge!(:action => "show", :the_project => { :malicious => "I am" })
-    resource = CanCan::ControllerResource.new(@controller, :id_param => :the_project)
-    expect(resource.send(:id_param).class).to eq(String)
+  it "does not be a parent resource when name is provided which matches controller" do
+    resource = CanCan::ControllerResource.new(controller, :model)
+    expect(resource).to_not be_parent
   end
 
-  it "should id param return nil if param is nil" do
-    @params.merge!(:action => "show", :the_project => nil)
-    resource = CanCan::ControllerResource.new(@controller, :id_param => :the_project)
-    expect(resource.send(:id_param)).to be_nil
+  it "is parent if specified in options" do
+    resource = CanCan::ControllerResource.new(controller, :model, {:parent => true})
+    expect(resource).to be_parent
   end
 
-  it "loads resource using custom find_by attribute" do
-    project = Project.create!(:name => "foo")
-    @params.merge!(:action => "show", :id => "foo")
-    resource = CanCan::ControllerResource.new(@controller, :find_by => :name)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  it "does not be parent if specified in options" do
+    resource = CanCan::ControllerResource.new(controller, :category, {:parent => false})
+    expect(resource).to_not be_parent
   end
 
-  it "allows full find method to be passed into find_by option" do
-    project = Project.create!(:name => "foo")
-    @params.merge!(:action => "show", :id => "foo")
-    resource = CanCan::ControllerResource.new(@controller, :find_by => :find_by_name)
-    resource.load_resource
-    expect(@controller.instance_variable_get(:@project)).to eq(project)
+  it "has the specified resource_class if 'name' is passed to load_resource" do
+    class Section; end
+    resource = CanCan::ControllerResource.new(controller, :section)
+    expect(resource.send(:resource_class)).to eq(Section)
   end
 
   it "raises ImplementationRemoved when adding :name option" do
     expect {
-      CanCan::ControllerResource.new(@controller, :name => :foo)
+      CanCan::ControllerResource.new(controller, :name => :foo)
     }.to raise_error(CanCan::ImplementationRemoved)
   end
 
   it "raises ImplementationRemoved exception when specifying :resource option since it is no longer used" do
     expect {
-      CanCan::ControllerResource.new(@controller, :resource => Project)
+      CanCan::ControllerResource.new(controller, :resource => Model)
     }.to raise_error(CanCan::ImplementationRemoved)
   end
 
   it "raises ImplementationRemoved exception when passing :nested option" do
     expect {
-      CanCan::ControllerResource.new(@controller, :nested => :project)
+      CanCan::ControllerResource.new(controller, :nested => :model)
     }.to raise_error(CanCan::ImplementationRemoved)
   end
 
   it "skips resource behavior for :only actions in array" do
-    allow(@controller_class).to receive(:cancan_skipper) { {:load => {nil => {:only => [:index, :show]}}} }
-    @params.merge!(:action => "index")
-    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_true
-    expect(CanCan::ControllerResource.new(@controller, :some_resource).skip?(:load)).to be_false
-    @params.merge!(:action => "show")
-    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_true
-    @params.merge!(:action => "other_action")
-    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_false
+    allow(controller_class).to receive(:cancan_skipper) { {:load => {nil => {:only => [:index, :show]}}} }
+    params.merge!(:action => "index")
+    expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be_true
+    expect(CanCan::ControllerResource.new(controller, :some_resource).skip?(:load)).to be_false
+    params.merge!(:action => "show")
+    expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be_true
+    params.merge!(:action => "other_action")
+    expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be_false
   end
 
   it "skips resource behavior for :only one action on resource" do
-    allow(@controller_class).to receive(:cancan_skipper) { {:authorize => {:project => {:only => :index}}} }
-    @params.merge!(:action => "index")
-    expect(CanCan::ControllerResource.new(@controller).skip?(:authorize)).to be_false
-    expect(CanCan::ControllerResource.new(@controller, :project).skip?(:authorize)).to be_true
-    @params.merge!(:action => "other_action")
-    expect(CanCan::ControllerResource.new(@controller, :project).skip?(:authorize)).to be_false
+    allow(controller_class).to receive(:cancan_skipper) { {:authorize => {:model => {:only => :index}}} }
+    params.merge!(:action => "index")
+    expect(CanCan::ControllerResource.new(controller).skip?(:authorize)).to be_false
+    expect(CanCan::ControllerResource.new(controller, :model).skip?(:authorize)).to be_true
+    params.merge!(:action => "other_action")
+    expect(CanCan::ControllerResource.new(controller, :model).skip?(:authorize)).to be_false
   end
 
   it "skips resource behavior :except actions in array" do
-    allow(@controller_class).to receive(:cancan_skipper) { {:load => {nil => {:except => [:index, :show]}}} }
-    @params.merge!(:action => "index")
-    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_false
-    @params.merge!(:action => "show")
-    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_false
-    @params.merge!(:action => "other_action")
-    expect(CanCan::ControllerResource.new(@controller).skip?(:load)).to be_true
-    expect(CanCan::ControllerResource.new(@controller, :some_resource).skip?(:load)).to be_false
+    allow(controller_class).to receive(:cancan_skipper) { {:load => {nil => {:except => [:index, :show]}}} }
+    params.merge!(:action => "index")
+    expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be_false
+    params.merge!(:action => "show")
+    expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be_false
+    params.merge!(:action => "other_action")
+    expect(CanCan::ControllerResource.new(controller).skip?(:load)).to be_true
+    expect(CanCan::ControllerResource.new(controller, :some_resource).skip?(:load)).to be_false
   end
 
   it "skips resource behavior :except one action on resource" do
-    allow(@controller_class).to receive(:cancan_skipper) { {:authorize => {:project => {:except => :index}}} }
-    @params.merge!(:action => "index")
-    expect(CanCan::ControllerResource.new(@controller, :project).skip?(:authorize)).to be_false
-    @params.merge!(:action => "other_action")
-    expect(CanCan::ControllerResource.new(@controller).skip?(:authorize)).to be_false
-    expect(CanCan::ControllerResource.new(@controller, :project).skip?(:authorize)).to be_true
+    allow(controller_class).to receive(:cancan_skipper) { {:authorize => {:model => {:except => :index}}} }
+    params.merge!(:action => "index")
+    expect(CanCan::ControllerResource.new(controller, :model).skip?(:authorize)).to be_false
+    params.merge!(:action => "other_action")
+    expect(CanCan::ControllerResource.new(controller).skip?(:authorize)).to be_false
+    expect(CanCan::ControllerResource.new(controller, :model).skip?(:authorize)).to be_true
   end
 
   it "skips loading and authorization" do
-    allow(@controller_class).to receive(:cancan_skipper) { {:authorize => {nil => {}}, :load => {nil => {}}} }
-    @params.merge!(:action => "new")
-    resource = CanCan::ControllerResource.new(@controller)
+    allow(controller_class).to receive(:cancan_skipper) { {:authorize => {nil => {}}, :load => {nil => {}}} }
+    params.merge!(:action => "new")
+    resource = CanCan::ControllerResource.new(controller)
     expect { resource.load_and_authorize_resource }.not_to raise_error
-    expect(@controller.instance_variable_get(:@project)).to be_nil
-  end
-
-  context "with a strong parameters method" do
-
-    it "only calls the santitize method with actions matching param_actions" do
-      @params.merge!(:controller => "project", :action => "update")
-      @controller.stub(:resource_params).and_return(:resource => 'params')
-      resource = CanCan::ControllerResource.new(@controller)
-      resource.stub(:param_actions => [:create])
-
-      @controller.should_not_receive(:send).with(:resource_params)
-      resource.send("resource_params")
-    end
-
-    it "uses the specified option for santitizing input" do
-      @params.merge!(:controller => "project", :action => "create")
-      @controller.stub(:resource_params).and_return(:resource => 'params')
-      @controller.stub(:project_params).and_return(:model => 'params')
-      @controller.stub(:create_params).and_return(:create => 'params')
-      @controller.stub(:custom_params).and_return(:custom => 'params')
-      resource = CanCan::ControllerResource.new(@controller, {:param_method => :custom_params})
-      expect(resource.send("resource_params")).to eq(:custom => 'params')
-    end
-
-    it "prefers to use the create_params method for santitizing input" do
-      @params.merge!(:controller => "project", :action => "create")
-      @controller.stub(:resource_params).and_return(:resource => 'params')
-      @controller.stub(:project_params).and_return(:model => 'params')
-      @controller.stub(:create_params).and_return(:create => 'params')
-      @controller.stub(:custom_params).and_return(:custom => 'params')
-      resource = CanCan::ControllerResource.new(@controller)
-      expect(resource.send("resource_params")).to eq(:create => 'params')
-    end
-
-    it "uses the proper action param based on the action" do
-      @params.merge!(:controller => "project", :action => "update")
-      @controller.stub(:create_params).and_return(:create => 'params')
-      @controller.stub(:update_params).and_return(:update => 'params')
-      resource = CanCan::ControllerResource.new(@controller)
-      expect(resource.send("resource_params")).to eq(:update => 'params')
-    end
-
-    it "prefers to use the <model_name>_params method for santitizing input if create is not found" do
-      @params.merge!(:controller => "project", :action => "create")
-      @controller.stub(:resource_params).and_return(:resource => 'params')
-      @controller.stub(:project_params).and_return(:model => 'params')
-      @controller.stub(:custom_params).and_return(:custom => 'params')
-      resource = CanCan::ControllerResource.new(@controller)
-      expect(resource.send("resource_params")).to eq(:model => 'params')
-    end
-
-    it "prefers to use the resource_params method for santitizing input if create or model is not found" do
-      @params.merge!(:controller => "project", :action => "create")
-      @controller.stub(:resource_params).and_return(:resource => 'params')
-      @controller.stub(:custom_params).and_return(:custom => 'params')
-      resource = CanCan::ControllerResource.new(@controller)
-      expect(resource.send("resource_params")).to eq(:resource => 'params')
-    end
+    expect(controller.instance_variable_get(:@model)).to be_nil
   end
 end