RubyGems - fmalamitsas-cancan - Versions diffs - 1.0.2 - Mend

fmalamitsas-cancan 1.0.2

Files changed (16) hide show

data/CHANGELOG.rdoc +54 -0
data/LICENSE +20 -0
data/README.rdoc +203 -0
data/Rakefile +13 -0
data/init.rb +1 -0
data/lib/cancan.rb +10 -0
data/lib/cancan/ability.rb +213 -0
data/lib/cancan/controller_additions.rb +186 -0
data/lib/cancan/controller_resource.rb +40 -0
data/lib/cancan/resource_authorization.rb +64 -0
data/spec/cancan/ability_spec.rb +135 -0
data/spec/cancan/controller_additions_spec.rb +53 -0
data/spec/cancan/controller_resource_spec.rb +49 -0
data/spec/cancan/resource_authorization_spec.rb +115 -0
data/spec/spec_helper.rb +22 -0
metadata +76 -0

data/CHANGELOG.rdoc ADDED

@@ -0,0 +1,54 @@
+1.0.2 (Dec 30, 2009)
+* Adding clear_aliased_actions to Ability which removes previously defined actions including defaults - see issue #20
+* Append aliased actions (don't overwrite them) - see issue #20
+* Adding custom message argument to unauthorized! method (thanks tjwallace) - see issue #18
+1.0.1 (Dec 14, 2009)
+* Adding :class option to load_resource so one can customize which class to use for the model - see issue #17
+* Don't fetch parent of nested resource if *_id parameter is missing so it works with shallow nested routes - see issue #14
+1.0.0 (Dec 13, 2009)
+* Don't set resource instance variable if it has been set already - see issue #13
+* Allowing :nested option to accept an array for deep nesting
+* Adding :nested option to load resource method - see issue #10
+* Pass :only and :except options to before filters for load/authorize resource methods.
+* Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed.
+* BACKWARDS INCOMPATIBLE: turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments.
+0.2.1 (Nov 26, 2009)
+* many internal refactorings - see issues #11 and #12
+* adding "cannot" method to define which abilities cannot be done - see issue #7
+* support custom objects (usually symbols) in can definition - see issue #8
+0.2.0 (Nov 17, 2009)
+* fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3
+* support arrays being passed to "can" to specify multiple actions or classes - see issue #2
+* adding "cannot?" method to ability, controller, and view which is inverse of "can?" - see issue #1
+* BACKWARDS INCOMPATIBLE: use Ability#initialize instead of 'prepare' to set up abilities - see issue #4
+0.1.0 (Nov 16, 2009)
+* initial release

data/LICENSE ADDED

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Ryan Bates
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc ADDED

@@ -0,0 +1,203 @@
+= CanCan
+RDocs[http://rdoc.info/projects/ryanb/cancan] | Wiki[http://wiki.github.com/ryanb/cancan] | Screencast[http://railscasts.com/episodes/192-authorization-with-cancan] | Metrics[http://getcaliper.com/caliper/project?repo=git%3A%2F%2Fgithub.com%2Fryanb%2Fcancan.git] | Tests[http://runcoderun.com/ryanb/cancan]
+This is a simple authorization solution for Ruby on Rails to restrict what a given user is allowed to access in the application. This is completely decoupled from any role based implementation allowing you to define user roles the way you want. All permissions are stored in a single location for convenience.
+This assumes you already have authentication (such as Authlogic[http://github.com/binarylogic/authlogic]) which provides a current_user model.
+== Installation
+You can set it up as a gem in your environment.rb file.
+  config.gem "cancan"
+And then install the gem.
+  sudo rake gems:install
+Alternatively you can install it as a Rails plugin.
+  script/plugin install git://github.com/ryanb/cancan.git
+== Getting Started
+First, define a class called Ability in "models/ability.rb".
+  class Ability
+    include CanCan::Ability
+    def initialize(user)
+      if user.admin?
+        can :manage, :all
+      else
+        can :read, :all
+      end
+    end
+  end
+This is where all permissions will go. See the "Defining Abilities" section below for more information.
+You can access the current permissions at any point using the "can?" and "cannot?" methods in the view.
+  <% if can? :update, @article %>
+    <%= link_to "Edit", edit_article_path(@article) %>
+  <% end %>
+You can also use these methods in a controller along with the "unauthorized!" method to restrict access.
+  def show
+    @article = Article.find(params[:id])
+    unauthorized! if cannot? :read, @article
+  end
+Setting this for every action can be tedious, therefore the load_and_authorize_resource method is also provided to automatically authorize all actions in a RESTful style resource controller. It will set up a before filter which loads the resource into the instance variable and authorizes it.
+  class ArticlesController < ApplicationController
+    load_and_authorize_resource
+    def show
+      # @article is already loaded
+    end
+  end
+If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior in the ApplicationController.
+  class ApplicationController < ActionController::Base
+    rescue_from CanCan::AccessDenied do |exception|
+      flash[:error] = exception.message
+      redirect_to root_url
+    end
+  end
+== Defining Abilities
+As shown above, the Ability class is where all user permissions are defined. The user model is passed into the initialize method so you are free to modify the permissions based on the user's attributes. This way CanCan is completely decoupled with how you choose to handle roles.
+The "can" method accepts two arguments, the first one is the action you're setting the permission for, the second one is the class of object you're setting it on.
+  can :update, Article
+You can pass an array for either of these parameters to match any one.
+  can [:update, :destroy], [Article, Comment]
+In this case the user has the ability to update or destroy both articles and comments.
+You can pass a block to provide logic based on the article's attributes.
+  can :update, Article do |article|
+    article && article.user == user
+  end
+If the block returns true then the user has that :update ability for that article, otherwise he will be denied access. It's possible for the passed in model to be nil if one isn't specified, so be sure to take that into consideration.
+You can pass :all to reference every type of object. In this case the object type will be passed into the block as well (just in case object is nil).
+  can :read, :all do |object_class, object|
+    object_class != Order
+  end
+Here the user has permission to read all objects except orders.
+You can also pass :manage as the action which will match any action. In this case the action is passed to the block.
+  can :manage, Comment do |action, comment|
+    action != :destroy
+  end
+Finally, the "cannot" method works similar to "can" but defines which abilities cannot be done.
+  can :read, :all
+  cannot :read, Product
+== Checking Abilities
+Use the "can?" method in the controller or view to check the user's permission for a given action and object.
+  can? :destroy, @project
+You can also pass the class instead of an instance (if you don't have one handy).
+  <% if can? :create, Project %>
+    <%= link_to "New Project", new_project_path %>
+  <% end %>
+The "cannot?" method is for convenience and performs the opposite check of "can?"
+  cannot? :destroy, @project
+== Aliasing Actions
+You can use the "alias_action" method to alias one or more actions into one.
+  alias_action :update, :destroy, :to => :modify
+  can :modify, Comment
+  can? :update, Comment # => true
+The following aliases are added by default for conveniently mapping common controller actions.
+  alias_action :index, :show, :to => :read
+  alias_action :new, :to => :create
+  alias_action :edit, :to => :update
+== Authorizing Controller Actions
+As mentioned in the Getting Started section, you can use the +load_and_authorize_resource+ method in your controller to load the resource into an instance variable and authorize it. If you have a nested resource you can specify that as well.
+  load_and_authorize_resource :nested => :author
+You can also pass an array to the :+nested+ attribute for deep nesting.
+If you want to customize the loading behavior on certain actions, you can do so in a before filter.
+  class BooksController < ApplicationController
+    before_filter :find_book_by_permalink, :only => :show
+    load_and_authorize_resource
+    private
+    def find_book_by_permalink
+      @book = Book.find_by_permalink!(params[:id)
+    end
+  end
+Here the @book instance variable is already set so it will not be loaded again for that action. This works for nested resources as well.
+== Assumptions & Configuring
+CanCan makes two assumptions about your application.
+* You have an Ability class which defines the permissions.
+* You have a current_user method in the controller which returns the current user model.
+You can override these by overriding the "current_ability" method in your ApplicationController.
+   def current_ability
+     UserAbility.new(current_account) # instead of Ability.new(current_user)
+   end
+That's it!
+== Testing Abilities
+It is very easy to test the Ability model since you can call "can?" directly on it as you would in the view or controller.
+  def test "user can only destroy projects which he owns"
+    user = User.new
+    ability = Ability.new(user)
+    assert ability.can?(:destroy, Project.new(:user => user))
+    assert ability.cannot?(:destroy, Project.new)
+  end
+== Special Thanks
+CanCan was inspired by declarative_authorization[http://github.com/stffn/declarative_authorization/] and aegis[http://github.com/makandra/aegis]. Many thanks to the authors and contributors.

data/Rakefile ADDED

@@ -0,0 +1,13 @@
+require 'rubygems'
+require 'rake'
+require 'spec/rake/spectask'
+spec_files = Rake::FileList["spec/**/*_spec.rb"]
+desc "Run specs"
+Spec::Rake::SpecTask.new do |t|
+  t.spec_files = spec_files
+  t.spec_opts = ["-c"]
+end
+task :default => :spec

data/init.rb ADDED

	@@ -0,0 +1 @@
1	+ require 'cancan'

data/lib/cancan.rb ADDED

@@ -0,0 +1,10 @@
+module CanCan
+  # This error is raised when a user isn't allowed to access a given
+  # controller action. See ControllerAdditions#unauthorized! for details.
+  class AccessDenied < StandardError; end
+end
+require File.dirname(__FILE__) + '/cancan/ability'
+require File.dirname(__FILE__) + '/cancan/controller_resource'
+require File.dirname(__FILE__) + '/cancan/resource_authorization'
+require File.dirname(__FILE__) + '/cancan/controller_additions'

data/lib/cancan/ability.rb ADDED

@@ -0,0 +1,213 @@
+module CanCan
+  # This module is designed to be included into an Ability class. This will
+  # provide the "can" methods for defining and checking abilities.
+  #
+  #   class Ability
+  #     include CanCan::Ability
+  #
+  #     def initialize(user)
+  #       if user.admin?
+  #         can :manage, :all
+  #       else
+  #         can :read, :all
+  #       end
+  #     end
+  #   end
+  #
+  module Ability
+    attr_accessor :user
+    # Use to check the user's permission for a given action and object.
+    #
+    #   can? :destroy, @project
+    #
+    # You can also pass the class instead of an instance (if you don't have one handy).
+    #
+    #   can? :create, Project
+    #
+    # Not only can you use the can? method in the controller and view (see ControllerAdditions),
+    # but you can also call it directly on an ability instance.
+    #
+    #   ability.can? :destroy, @project
+    #
+    # This makes testing a user's abilities very easy.
+    #
+    #   def test "user can only destroy projects which he owns"
+    #     user = User.new
+    #     ability = Ability.new(user)
+    #     assert ability.can?(:destroy, Project.new(:user => user))
+    #     assert ability.cannot?(:destroy, Project.new)
+    #   end
+    #
+    def can?(action, noun)
+      (@can_definitions || []).reverse.each do |base_behavior, defined_action, defined_noun, defined_block|
+        defined_actions = expand_actions(defined_action)
+        defined_nouns = [defined_noun].flatten
+        if includes_action?(defined_actions, action) && includes_noun?(defined_nouns, noun)
+          result = can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
+          return base_behavior ? result : !result
+        end
+      end
+      false
+    end
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    #
+    #   cannot? :destroy, @project
+    #
+    def cannot?(*args)
+      !can?(*args)
+    end
+    # Defines which abilities are allowed using two arguments. The first one is the action
+    # you're setting the permission for, the second one is the class of object you're setting it on.
+    #
+    #   can :update, Article
+    #
+    # You can pass an array for either of these parameters to match any one.
+    #
+    #   can [:update, :destroy], [Article, Comment]
+    #
+    # In this case the user has the ability to update or destroy both articles and comments.
+    #
+    # You can pass a block to provide logic based on the article's attributes.
+    #
+    #   can :update, Article do |article|
+    #     article && article.user == user
+    #   end
+    #
+    # If the block returns true then the user has that :update ability for that article, otherwise he
+    # will be denied access. It's possible for the passed in model to be nil if one isn't specified,
+    # so be sure to take that into consideration.
+    #
+    # You can pass :all to reference every type of object. In this case the object type will be passed
+    # into the block as well (just in case object is nil).
+    #
+    #   can :read, :all do |object_class, object|
+    #     object_class != Order
+    #   end
+    #
+    # Here the user has permission to read all objects except orders.
+    #
+    # You can also pass :manage as the action which will match any action. In this case the action is
+    # passed to the block.
+    #
+    #   can :manage, Comment do |action, comment|
+    #     action != :destroy
+    #   end
+    #
+    # You can pass custom objects into this "can" method, this is usually done through a symbol
+    # and is useful if a class isn't available to define permissions on.
+    #
+    #   can :read, :stats
+    #   can? :read, :stats # => true
+    #
+    def can(action, noun, &block)
+      @can_definitions ||= []
+      @can_definitions << [true, action, noun, block]
+    end
+    # Define an ability which cannot be done. Accepts the same arguments as "can".
+    #
+    #   can :read, :all
+    #   cannot :read, Comment
+    #
+    # A block can be passed just like "can", however if the logic is complex it is recommended
+    # to use the "can" method.
+    #
+    #   cannot :read, Product do |product|
+    #     product.invisible?
+    #   end
+    #
+    def cannot(action, noun, &block)
+      @can_definitions ||= []
+      @can_definitions << [false, action, noun, block]
+    end
+    # Alias one or more actions into another one.
+    #
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :modify, Comment
+    #
+    # Then :modify permission will apply to both :update and :destroy requests.
+    #
+    #   can? :update, Comment # => true
+    #   can? :destroy, Comment # => true
+    #
+    # This only works in one direction. Passing the aliased action into the "can?" call
+    # will not work because aliases are meant to generate more generic actions.
+    #
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :update, Comment
+    #   can? :modify, Comment # => false
+    #
+    # Unless that exact alias is used.
+    #
+    #   can :modify, Comment
+    #   can? :modify, Comment # => true
+    #
+    # The following aliases are added by default for conveniently mapping common controller actions.
+    #
+    #   alias_action :index, :show, :to => :read
+    #   alias_action :new, :to => :create
+    #   alias_action :edit, :to => :update
+    #
+    # This way one can use params[:action] in the controller to determine the permission.
+    def alias_action(*args)
+      target = args.pop[:to]
+      aliased_actions[target] ||= []
+      aliased_actions[target] += args
+    end
+    # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
+    def aliased_actions
+      @aliased_actions ||= default_alias_actions
+    end
+    # Removes previously aliased actions including the defaults.
+    def clear_aliased_actions
+      @aliased_actions = {}
+    end
+    private
+    def default_alias_actions
+      {
+        :read => [:index, :show],
+        :create => [:new],
+        :update => [:edit],
+      }
+    end
+    def expand_actions(actions)
+      [actions].flatten.map do |action|
+        if aliased_actions[action]
+          [action, *aliased_actions[action]]
+        else
+          action
+        end
+      end.flatten
+    end
+    def can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block)
+      if defined_block.nil?
+        true
+      else
+        block_args = []
+        block_args << action if defined_actions.include?(:manage)
+        block_args << (noun.class == Class ? noun : noun.class) if defined_nouns.include?(:all)
+        block_args << (noun.class == Class ? nil : noun)
+        return defined_block.call(*block_args)
+      end
+    end
+    def includes_action?(actions, action)
+      actions.include?(:manage) || actions.include?(action)
+    end
+    def includes_noun?(nouns, noun)
+      nouns.include?(:all) || nouns.include?(noun) || nouns.any? { |c| c.kind_of?(Class) && noun.kind_of?(c) }
+    end
+  end
+end

data/lib/cancan/controller_additions.rb ADDED

@@ -0,0 +1,186 @@
+module CanCan
+  # This module is automatically included into all controllers.
+  # It also makes the "can?" and "cannot?" methods available to all views.
+  module ControllerAdditions
+    module ClassMethods
+      # Sets up a before filter which loads and authorizes the current resource. This performs both
+      # load_resource and authorize_resource and accepts the same arguments. See those methods for details.
+      #
+      #   class BooksController < ApplicationController
+      #     load_and_authorize_resource
+      #   end
+      #
+      def load_and_authorize_resource(options = {})
+        before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_and_authorize_resource }
+      end
+      # Sets up a before filter which loads the appropriate model resource into an instance variable.
+      # For example, given an ArticlesController it will load the current article into the @article
+      # instance variable. It does this by either calling Article.find(params[:id]) or
+      # Article.new(params[:article]) depending upon the action. It does nothing for the "index"
+      # action.
+      #
+      # Call this method directly on the controller class.
+      #
+      #   class BooksController < ApplicationController
+      #     load_resource
+      #   end
+      #
+      # A resource is not loaded if the instance variable is already set. This makes it easy to override
+      # the behavior through a before_filter on certain actions.
+      #
+      #   class BooksController < ApplicationController
+      #     before_filter :find_book_by_permalink, :only => :show
+      #     load_resource
+      #
+      #     private
+      #
+      #     def find_book_by_permalink
+      #       @book = Book.find_by_permalink!(params[:id)
+      #     end
+      #   end
+      #
+      # See load_and_authorize_resource to automatically authorize the resource too.
+      #
+      # Options:
+      # [:+only+]
+      #   Only applies before filter to given actions.
+      #
+      # [:+except+]
+      #   Does not apply before filter to given actions.
+      #
+      # [:+nested+]
+      #   Specify which resource this is nested under.
+      #
+      #     load_resource :nested => :author
+      #
+      #   Deep nesting can be defined in an array.
+      #
+      #     load_resource :nested => [:publisher, :author]
+      #
+      # [:+class+]
+      #   The class to use for the model.
+      #
+      # [:+collection+]
+      #   Specify which actions are resource collection actions in addition to :+index+. This
+      #   is usually not necessary because it will try to guess depending on if an :+id+
+      #   is present in +params+.
+      #
+      #     load_resource :collection => [:sort, :list]
+      #
+      # [:+new+]
+      #   Specify which actions are new resource actions in addition to :+new+ and :+create+.
+      #   Pass an action name into here if you would like to build a new resource instead of
+      #   fetch one.
+      #
+      #     load_resource :new => :build
+      #
+      def load_resource(options = {})
+        before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).load_resource }
+      end
+      # Sets up a before filter which authorizes the current resource using the instance variable.
+      # For example, if you have an ArticlesController it will check the @article instance variable
+      # and ensure the user can perform the current action on it. Under the hood it is doing
+      # something like the following.
+      #
+      #   unauthorized! if cannot?(params[:action].to_sym, @article || Article)
+      #
+      # Call this method directly on the controller class.
+      #
+      #   class BooksController < ApplicationController
+      #     authorize_resource
+      #   end
+      #
+      # See load_and_authorize_resource to automatically load the resource too.
+      #
+      # Options:
+      # [:+only+]
+      #   Only applies before filter to given actions.
+      #
+      # [:+except+]
+      #   Does not apply before filter to given actions.
+      #
+      # [:+class+]
+      #   The class to use for the model.
+      #
+      def authorize_resource(options = {})
+        before_filter(options.slice(:only, :except)) { |c| ResourceAuthorization.new(c, c.params, options.except(:only, :except)).authorize_resource }
+      end
+    end
+    def self.included(base)
+      base.extend ClassMethods
+      base.helper_method :can?, :cannot?
+    end
+    # Raises the CanCan::AccessDenied exception. This is often used in a
+    # controller action to mark a request as unauthorized.
+    #
+    #   def show
+    #     @article = Article.find(params[:id])
+    #     unauthorized! if cannot? :read, @article
+    #   end
+    #
+    # The unauthorized! method accepts an optional argument which sets the
+    # message of the exception.
+    #
+    # You can rescue from the exception in the controller to define the behavior.
+    #
+    #   class ApplicationController < ActionController::Base
+    #     rescue_from CanCan::AccessDenied do |exception|
+    #       flash[:error] = exception.message
+    #       redirect_to root_url
+    #     end
+    #   end
+    #
+    # See the load_and_authorize_resource method to automatically add
+    # the "unauthorized!" behavior to a RESTful controller's actions.
+    def unauthorized!(message = "You are not authorized to access this page.")
+      raise AccessDenied, message
+    end
+    # Creates and returns the current user's ability. You generally do not invoke
+    # this method directly, instead you can override this method to change its
+    # behavior if the Ability class or current_user method are different.
+    #
+    #   def current_ability
+    #     UserAbility.new(current_account) # instead of Ability.new(current_user)
+    #   end
+    #
+    def current_ability
+      ::Ability.new(current_user)
+    end
+    # Use in the controller or view to check the user's permission for a given action
+    # and object.
+    #
+    #   can? :destroy, @project
+    #
+    # You can also pass the class instead of an instance (if you don't have one handy).
+    #
+    #   <% if can? :create, Project %>
+    #     <%= link_to "New Project", new_project_path %>
+    #   <% end %>
+    #
+    # This simply calls "can?" on the current_ability. See Ability#can?.
+    def can?(*args)
+      (@current_ability ||= current_ability).can?(*args)
+    end
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    #
+    #   cannot? :destroy, @project
+    #
+    def cannot?(*args)
+      (@current_ability ||= current_ability).cannot?(*args)
+    end
+  end
+end
+if defined? ActionController
+  ActionController::Base.class_eval do
+    include CanCan::ControllerAdditions
+  end
+end

data/lib/cancan/controller_resource.rb ADDED

@@ -0,0 +1,40 @@
+module CanCan
+  class ControllerResource # :nodoc:
+    def initialize(controller, name, parent = nil, options = {})
+      @controller = controller
+      @name = name
+      @parent = parent
+      @options = options
+    end
+    def model_class
+      @options[:class] || @name.to_s.camelize.constantize
+    end
+    def find(id)
+      self.model_instance ||= base.find(id)
+    end
+    def build(attributes)
+      if base.kind_of? Class
+        self.model_instance ||= base.new(attributes)
+      else
+        self.model_instance ||= base.build(attributes)
+      end
+    end
+    def model_instance
+      @controller.instance_variable_get("@#{@name}")
+    end
+    def model_instance=(instance)
+      @controller.instance_variable_set("@#{@name}", instance)
+    end
+    private
+    def base
+      @parent ? @parent.model_instance.send(@name.to_s.pluralize) : model_class
+    end
+  end
+end

data/lib/cancan/resource_authorization.rb ADDED

@@ -0,0 +1,64 @@
+module CanCan
+  class ResourceAuthorization # :nodoc:
+    attr_reader :params
+    def initialize(controller, params, options = {})
+      @controller = controller
+      @params = params
+      @options = options
+    end
+    def load_and_authorize_resource
+      load_resource
+      authorize_resource
+    end
+    def load_resource
+      unless collection_actions.include? params[:action].to_sym
+        if new_actions.include? params[:action].to_sym
+          resource.build(params[model_name.to_sym])
+        elsif params[:id]
+          resource.find(params[:id])
+        end
+      end
+    end
+    def authorize_resource
+      if @controller.cannot?(params[:action].to_sym, resource.model_instance || resource.model_class)
+        @options[:message] ? @controller.unauthorized!(@options[:message]) : @controller.unauthorized!
+      end
+    end
+    private
+    def resource
+      @resource ||= ControllerResource.new(@controller, model_name, parent_resource, @options)
+    end
+    def parent_resource
+      parent = nil
+      [@options[:nested]].flatten.compact.each do |name|
+        id = @params["#{name}_id".to_sym]
+        if id
+          parent = ControllerResource.new(@controller, name, parent)
+          parent.find(id)
+        else
+          parent = nil
+        end
+      end
+      parent
+    end
+    def model_name
+      params[:controller].split('/').last.singularize
+    end
+    def collection_actions
+      [:index] + [@options[:collection]].flatten
+    end
+    def new_actions
+      [:new, :create] + [@options[:new]].flatten
+    end
+  end
+end

data/spec/cancan/ability_spec.rb ADDED

@@ -0,0 +1,135 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+describe CanCan::Ability do
+  before(:each) do
+    @ability = Object.new
+    @ability.extend(CanCan::Ability)
+  end
+  it "should be able to :read anything" do
+    @ability.can :read, :all
+    @ability.can?(:read, String).should be_true
+    @ability.can?(:read, 123).should be_true
+  end
+  it "should not have permission to do something it doesn't know about" do
+    @ability.can?(:foodfight, String).should be_false
+  end
+  it "should return what block returns on a can call" do
+    @ability.can :read, :all
+    @ability.can :read, Symbol do |sym|
+      sym
+    end
+    @ability.can?(:read, Symbol).should be_nil
+    @ability.can?(:read, :some_symbol).should == :some_symbol
+  end
+  it "should pass class with object if :all objects are accepted" do
+    @ability.can :preview, :all do |object_class, object|
+      [object_class, object]
+    end
+    @ability.can?(:preview, 123).should == [Fixnum, 123]
+  end
+  it "should pass class with no object if :all objects are accepted and class is passed directly" do
+    @ability.can :preview, :all do |object_class, object|
+      [object_class, object]
+    end
+    @ability.can?(:preview, Hash).should == [Hash, nil]
+  end
+  it "should pass action and object for global manage actions" do
+    @ability.can :manage, Array do |action, object|
+      [action, object]
+    end
+    @ability.can?(:stuff, [1, 2]).should == [:stuff, [1, 2]]
+    @ability.can?(:stuff, Array).should == [:stuff, nil]
+  end
+  it "should alias update or destroy actions to modify action" do
+    @ability.alias_action :update, :destroy, :to => :modify
+    @ability.can(:modify, :all) { :modify_called }
+    @ability.can?(:update, 123).should == :modify_called
+    @ability.can?(:destroy, 123).should == :modify_called
+  end
+  it "should return block result for action, object_class, and object for any action" do
+    @ability.can :manage, :all do |action, object_class, object|
+      [action, object_class, object]
+    end
+    @ability.can?(:foo, 123).should == [:foo, Fixnum, 123]
+    @ability.can?(:bar, Fixnum).should == [:bar, Fixnum, nil]
+  end
+  it "should automatically alias index and show into read calls" do
+    @ability.can :read, :all
+    @ability.can?(:index, 123).should be_true
+    @ability.can?(:show, 123).should be_true
+  end
+  it "should automatically alias new and edit into create and update respectively" do
+    @ability.can(:create, :all) { :create_called }
+    @ability.can(:update, :all) { :update_called }
+    @ability.can?(:new, 123).should == :create_called
+    @ability.can?(:edit, 123).should == :update_called
+  end
+  it "should not respond to prepare (now using initialize)" do
+    @ability.should_not respond_to(:prepare)
+  end
+  it "should offer cannot? method which is simply invert of can?" do
+    @ability.cannot?(:tie, String).should be_true
+  end
+  it "should be able to specify multiple actions and match any" do
+    @ability.can [:read, :update], :all
+    @ability.can?(:read, 123).should be_true
+    @ability.can?(:update, 123).should be_true
+    @ability.can?(:count, 123).should be_false
+  end
+  it "should be able to specify multiple classes and match any" do
+    @ability.can :update, [String, Array]
+    @ability.can?(:update, "foo").should be_true
+    @ability.can?(:update, []).should be_true
+    @ability.can?(:update, 123).should be_false
+  end
+  it "should support custom objects in the can definition" do
+    @ability.can :read, :stats
+    @ability.can?(:read, :stats).should be_true
+    @ability.can?(:update, :stats).should be_false
+    @ability.can?(:read, :nonstats).should be_false
+  end
+  it "should support 'cannot' method to define what user cannot do" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer
+    @ability.can?(:read, "foo").should be_true
+    @ability.can?(:read, 123).should be_false
+  end
+  it "should support block on 'cannot' method" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer do |int|
+      int > 5
+    end
+    @ability.can?(:read, "foo").should be_true
+    @ability.can?(:read, 3).should be_true
+    @ability.can?(:read, 123).should be_false
+  end
+  it "should append aliased actions" do
+    @ability.alias_action :update, :to => :modify
+    @ability.alias_action :destroy, :to => :modify
+    @ability.aliased_actions[:modify].should == [:update, :destroy]
+  end
+  it "should clear aliased actions" do
+    @ability.alias_action :update, :to => :modify
+    @ability.clear_aliased_actions
+    @ability.aliased_actions[:modify].should be_nil
+  end
+end

data/spec/cancan/controller_additions_spec.rb ADDED

@@ -0,0 +1,53 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+describe CanCan::ControllerAdditions do
+  before(:each) do
+    @controller_class = Class.new
+    @controller = @controller_class.new
+    stub(@controller).params { {} }
+    mock(@controller_class).helper_method(:can?, :cannot?)
+    @controller_class.send(:include, CanCan::ControllerAdditions)
+  end
+  it "should raise access denied with default message when calling unauthorized!" do
+    lambda {
+      @controller.unauthorized!
+    }.should raise_error(CanCan::AccessDenied, "You are not authorized to access this page.")
+  end
+  it "should raise access denied with custom message when calling unauthorized!" do
+    lambda {
+      @controller.unauthorized! "Access denied!"
+    }.should raise_error(CanCan::AccessDenied, "Access denied!")
+  end
+  it "should have a current_ability method which generates an ability for the current user" do
+    stub(@controller).current_user { :current_user }
+    @controller.current_ability.should be_kind_of(Ability)
+  end
+  it "should provide a can? and cannot? methods which go through the current ability" do
+    stub(@controller).current_user { :current_user }
+    @controller.current_ability.should be_kind_of(Ability)
+    @controller.can?(:foo, :bar).should be_false
+    @controller.cannot?(:foo, :bar).should be_true
+  end
+  it "load_and_authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
+    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_and_authorize_resource
+    mock(@controller_class).before_filter({}) { |options, block| block.call(@controller) }
+    @controller_class.load_and_authorize_resource :foo => :bar
+  end
+  it "authorize_resource should setup a before filter which passes call to ResourceAuthorization" do
+    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.authorize_resource
+    mock(@controller_class).before_filter(:except => :show) { |options, block| block.call(@controller) }
+    @controller_class.authorize_resource :foo => :bar, :except => :show
+  end
+  it "load_resource should setup a before filter which passes call to ResourceAuthorization" do
+    stub(CanCan::ResourceAuthorization).new(@controller, @controller.params, :foo => :bar).mock!.load_resource
+    mock(@controller_class).before_filter(:only => [:show, :index]) { |options, block| block.call(@controller) }
+    @controller_class.load_resource :foo => :bar, :only => [:show, :index]
+  end
+end

data/spec/cancan/controller_resource_spec.rb ADDED

@@ -0,0 +1,49 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+describe CanCan::ControllerResource do
+  before(:each) do
+    @controller = Object.new
+  end
+  it "should determine model class by constantizing give name" do
+    CanCan::ControllerResource.new(@controller, :ability).model_class.should == Ability
+  end
+  it "should fetch model through model class and assign it to the instance" do
+    stub(Ability).find(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  it "should fetch model through parent and assign it to the instance" do
+    parent = Object.new
+    stub(parent).model_instance.stub!.abilities.stub!.find(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability, parent).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  it "should build model through model class and assign it to the instance" do
+    stub(Ability).new(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability).build(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  it "should build model through parent and assign it to the instance" do
+    parent = Object.new
+    stub(parent).model_instance.stub!.abilities.stub!.build(123) { :some_ability }
+    CanCan::ControllerResource.new(@controller, :ability, parent).build(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  it "should not load resource if instance variable is already provided" do
+    @controller.instance_variable_set(:@ability, :some_ability)
+    CanCan::ControllerResource.new(@controller, :ability).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  it "should use the model class option if provided" do
+    stub(Person).find(123) { :some_resource }
+    CanCan::ControllerResource.new(@controller, :ability, nil, :class => Person).find(123)
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+end

data/spec/cancan/resource_authorization_spec.rb ADDED

@@ -0,0 +1,115 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+describe CanCan::ResourceAuthorization do
+  before(:each) do
+    @controller = Object.new # simple stub for now
+    stub(@controller).unauthorized! { raise CanCan::AccessDenied }
+  end
+  it "should load the resource into an instance variable if params[:id] is specified" do
+    stub(Ability).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show", :id => 123)
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  it "should properly load resource for namespaced controller" do
+    stub(Ability).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "admin/abilities", :action => "show", :id => 123)
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  it "should build a new resource with hash if params[:id] is not specified" do
+    stub(Ability).new(:foo => "bar") { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "create", :ability => {:foo => "bar"})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  it "should build a new resource even if attribute hash isn't specified" do
+    stub(Ability).new(nil) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "new")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  it "should not build a resource when on index action" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "index")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  it "should perform authorization using controller action and loaded model" do
+    @controller.instance_variable_set(:@ability, :some_resource)
+    stub(@controller).cannot?(:show, :some_resource) { true }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    lambda {
+      authorization.authorize_resource
+    }.should raise_error(CanCan::AccessDenied)
+  end
+  it "should perform authorization using controller action and non loaded model" do
+    stub(@controller).cannot?(:show, Ability) { true }
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    lambda {
+      authorization.authorize_resource
+    }.should raise_error(CanCan::AccessDenied)
+  end
+  it "should call load_resource and authorize_resource for load_and_authorize_resource" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "show")
+    mock(authorization).load_resource
+    mock(authorization).authorize_resource
+    authorization.load_and_authorize_resource
+  end
+  it "should not build a resource when on custom collection action" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "sort"}, {:collection => [:sort, :list]})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  it "should build a resource when on custom new action even when params[:id] exists" do
+    stub(Ability).new(nil) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "build", :id => 123}, {:new => :build})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+  it "should not try to load resource for other action if params[:id] is undefined" do
+    authorization = CanCan::ResourceAuthorization.new(@controller, :controller => "abilities", :action => "list")
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should be_nil
+  end
+  it "should load nested resource and fetch other resource through the association" do
+    stub(Person).find(456).stub!.abilities.stub!.find(123) { :some_ability }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123, :person_id => 456}, {:nested => :person})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  it "should load nested resource and build resource through a deep association" do
+    stub(Person).find(456).stub!.behaviors.stub!.find(789).stub!.abilities.stub!.build(nil) { :some_ability }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456, :behavior_id => 789}, {:nested => [:person, :behavior]})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  it "should not load nested resource and build through this if *_id param isn't specified" do
+    stub(Person).find(456) { :some_person }
+    stub(Ability).new(nil) { :some_ability }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "new", :person_id => 456}, {:nested => [:person, :behavior]})
+    authorization.load_resource
+    @controller.instance_variable_get(:@person).should == :some_person
+    @controller.instance_variable_get(:@ability).should == :some_ability
+  end
+  it "should load the model using a custom class" do
+    stub(Person).find(123) { :some_resource }
+    authorization = CanCan::ResourceAuthorization.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => Person})
+    authorization.load_resource
+    @controller.instance_variable_get(:@ability).should == :some_resource
+  end
+end

data/spec/spec_helper.rb ADDED

@@ -0,0 +1,22 @@
+require 'rubygems'
+require 'spec'
+require 'active_support'
+require 'active_record'
+require 'action_controller'
+require 'action_view'
+require File.dirname(__FILE__) + '/../lib/cancan.rb'
+Spec::Runner.configure do |config|
+  config.mock_with :rr
+end
+class Ability
+  include CanCan::Ability
+  def initialize(user)
+  end
+end
+# this class helps out in testing nesting
+class Person
+end

metadata ADDED

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: fmalamitsas-cancan
+version: !ruby/object:Gem::Version
+  version: 1.0.2
+platform: ruby
+authors:
+- Ryan Bates
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2010-02-03 00:00:00 +01:00
+default_executable:
+dependencies: []
+description: Simple authorization solution for Rails which is completely decoupled from the user's roles. All permissions are stored in a single location for convenience.
+email: ryan@railscasts.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.rdoc
+- CHANGELOG.rdoc
+- LICENSE
+files:
+- lib/cancan/ability.rb
+- lib/cancan/controller_additions.rb
+- lib/cancan/controller_resource.rb
+- lib/cancan/resource_authorization.rb
+- lib/cancan.rb
+- spec/cancan/ability_spec.rb
+- spec/cancan/controller_additions_spec.rb
+- spec/cancan/controller_resource_spec.rb
+- spec/cancan/resource_authorization_spec.rb
+- spec/spec_helper.rb
+- LICENSE
+- README.rdoc
+- Rakefile
+- CHANGELOG.rdoc
+- init.rb
+has_rdoc: true
+homepage: http://github.com/ryanb/cancan
+licenses: []
+post_install_message:
+rdoc_options:
+- --line-numbers
+- --inline-source
+- --title
+- CanCan
+- --main
+- README.rdoc
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+  version:
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "1.2"
+  version:
+requirements: []
+rubyforge_project:
+rubygems_version: 1.3.5
+signing_key:
+specification_version: 3
+summary: Simple authorization solution for Rails.(fork from Ryan Bates gem)
+test_files: []