heimdallr-resource 1.0.3 → 1.2.0

data/spec/{resource_spec.rb → controllers/entities_controller_spec.rb}

@@ -1,11 +1,16 @@
 require 'spec_helper'
 
-describe EntityController, :type => :controller do
+describe EntitiesController, :type => :controller do
   before(:all) do
+    User.destroy_all
+    Entity.destroy_all
+
     @john    = User.create!   :admin => false
     @maria   = User.create!   :admin => false
     @admin   = User.create!   :admin => true
+    
     @private = Entity.create! :name => 'ent1', :public => false
+    @private_own = Entity.create! :name => 'ent1', :public => false, :owner_id => @john.id
     @public  = Entity.create! :name => 'ent1', :public => true, :owner_id => @john.id
   end
 
@@ -14,14 +19,27 @@ describe EntityController, :type => :controller do
       User.mock @admin
       get :index
 
-      assigns(:entities).count.should == 2
+      assigns(:entities).should have(3).items
     end
 
     it "hides non-public entities" do
       User.mock @john
       get :index
 
-      assigns(:entities).count.should == 1
+      assigns(:entities).should have(2).items
+    end
+
+    it "shows private to owner" do
+      User.mock @john
+      get :show, {:id => @private_own.id}
+
+      assigns(:entity).insecure.should == @private_own
+    end
+
+    it "hides private from non-owner" do
+      User.mock @maria
+
+      expect { get :show, {:id => @private_own.id} }.to raise_error
     end
 
     it "allows creation for admin" do
@@ -33,7 +51,7 @@ describe EntityController, :type => :controller do
 
     it "disallows creation for non-admin" do
       User.mock @john
-      expect { post :create, {} }.should raise_error
+      expect { post :create, {} }.to raise_error
     end
 
     it "allows update for admin" do
@@ -46,7 +64,7 @@ describe EntityController, :type => :controller do
 
     it "disallows update for non-admin" do
       User.mock @john
-      expect { post :update, {:id => @public.id} }.should raise_error
+      expect { post :update, {:id => @public.id} }.to raise_error
     end
 
     it "allows destroy for admin" do
@@ -67,7 +85,7 @@ describe EntityController, :type => :controller do
 
     it "disallows destroy for nobody" do
       User.mock @maria
-      expect { post :destroy, {:id => @public.id} }.should raise_error
+      expect { post :destroy, {:id => @public.id} }.to raise_error
     end
 
     it "assigns the custom methods" do
@@ -78,4 +96,4 @@ describe EntityController, :type => :controller do
       assigns(:entity).id.should == @public.id
     end
   end
-end
+end

data/spec/controllers/fluffies_controller_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe FluffiesController, :type => :controller do
+  before(:all) do
+    User.destroy_all
+    Entity.destroy_all
+
+    @admin = User.create! :admin => true
+
+    @entity1 = Entity.create! :name => 'entity 1'
+    @entity2 = Entity.create! :name => 'entity 2'
+  end
+
+  it "loads entity resources and assigns to @entities" do
+    User.mock @admin
+    get :index
+
+    assigns(:entities).should have(2).items
+  end
+end

data/spec/controllers/things_controller_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe ThingsController, :type => :controller do
+  before(:all) do
+    User.delete_all
+    Entity.delete_all
+
+    @admin = User.create! :admin => true
+
+    @entity1 = Entity.create! :name => 'entity 1'
+    @entity2 = Entity.create! :name => 'entity 2'
+
+    @thing1 = Thing.create! :name => 'thing 1', :entity_id => @entity1.id
+    @thing2 = Thing.create! :name => 'thing 2', :entity_id => @entity1.id
+    @thing3 = Thing.create! :name => 'thing 3', :entity_id => @entity2.id
+  end
+
+  it "loads entity resource and assigns to @entity" do
+    User.mock @admin
+    get :index, :entity_id => @entity1.id
+
+    assigns(:entity).id.should == @entity1.id
+  end
+
+  it "loads thing resources through @entity and assigns to @things" do
+    User.mock @admin
+    get :index, :entity_id => @entity1.id
+
+    assigns(:things).should have(2).items
+  end
+end

data/spec/dummy/app/controllers/{entity_controller.rb → entities_controller.rb}

@@ -1,4 +1,4 @@
-class EntityController < ApplicationController
+class EntitiesController < ApplicationController
   include Heimdallr::Resource
 
   load_and_authorize_resource
@@ -7,6 +7,10 @@ class EntityController < ApplicationController
     render :nothing => true
   end
 
+  def show
+    render :nothing => true
+  end
+
   def new
     render :nothing => true
   end
@@ -30,4 +34,4 @@ class EntityController < ApplicationController
   def penetrate
     render :nothing => true
   end
-end
+end

data/spec/dummy/app/controllers/things_controller.rb

@@ -0,0 +1,29 @@
+class ThingsController < ApplicationController
+  include Heimdallr::Resource
+
+  load_and_authorize_resource :through => :entity
+
+  def index
+    render :nothing => true
+  end
+
+  def new
+    render :nothing => true
+  end
+
+  def create
+    render :nothing => true
+  end
+
+  def edit
+    render :nothing => true
+  end
+
+  def update
+    render :nothing => true
+  end
+
+  def destroy
+    render :nothing => true
+  end
+end

data/spec/dummy/app/models/entity.rb

@@ -1,6 +1,8 @@
 class Entity < ActiveRecord::Base
   include Heimdallr::Model
 
+  has_many :things, :dependent => :destroy
+
   restrict do |user, record|
     if user.admin
       scope :fetch

data/spec/dummy/app/models/thing.rb

@@ -0,0 +1,16 @@
+class Thing < ActiveRecord::Base
+  include Heimdallr::Model
+
+  belongs_to :entity
+
+  restrict do |user, record|
+    if user.admin
+      scope :fetch
+      scope :delete
+      can [:view, :create, :update]
+    else
+      scope :fetch,  -> { where('public = ? or owner_id = ?', true, user.id) }
+      scope :delete, -> { where('owner_id = ?', user.id) }
+    end
+  end
+end

data/spec/dummy/config/application.rb

@@ -5,7 +5,7 @@ require "rails/all"
 Bundler.require(:default, Rails.env)
 
 require "heimdallr"
-require "heimdallr/resource"
+require "heimdallr-resource"
 
 module Dummy
   class Application < Rails::Application

data/spec/dummy/config/routes.rb

@@ -1,8 +1,9 @@
 Dummy::Application.routes.draw do
-  resources :entity do
-    member do
-      post :penetrate
-    end
+  resources :entities do
+    resources :things
+
+    post :penetrate, :on => :member
   end
+
   resources :fluffies
-end
+end

data/spec/dummy/db/schema.rb

@@ -5,6 +5,11 @@ ActiveRecord::Schema.define(:version => 1) do
     t.boolean "public"
   end
 
+  create_table "things", :force => true do |t|
+    t.integer "entity_id"
+    t.string  "name"
+  end
+
   create_table "users", :force => true do |t|
     t.boolean "admin"
   end

data/spec/models/resource_implementation_spec.rb

@@ -0,0 +1,382 @@
+require 'spec_helper'
+
+describe Heimdallr::ResourceImplementation do
+  let(:controller) { Object.new }
+  let(:params) { HashWithIndifferentAccess.new :controller => :entities }
+  let(:entity) { stub!.id{1}.subject }
+  before do
+    stub(controller).params { params }
+    stub(controller).skip_authorization_check? { false }
+  end
+
+  describe '#load_resource' do
+    it "loads and assigns the resource to an instance variable for show action" do
+      params.merge! :action => 'show', :id => entity.id
+      stub(Entity).scoped.mock!.find(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == entity
+    end
+
+    it "loads and assigns the resource to an instance variable for edit action" do
+      params.merge! :action => 'edit', :id => entity.id
+      stub(Entity).scoped.mock!.find(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == entity
+    end
+
+    it "loads and assigns the resource to an instance variable for update action" do
+      params.merge! :action => 'edit', :id => entity.id
+      stub(Entity).scoped.mock!.find(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == entity
+    end
+
+    it "loads and assigns the resource to an instance variable for destroy action" do
+      params.merge! :action => 'destroy', :id => entity.id
+      stub(Entity).scoped.mock!.find(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == entity
+    end
+
+    it "builds and assigns a new resource for new action" do
+      params.merge! :action => 'new'
+      mock(Entity).new({}) { :new_entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == :new_entity
+    end
+
+    it "builds and assigns a new resource for create action" do
+      params.merge! :action => 'create', :entity => {:name => 'foo'}
+      mock(Entity).new('name' => 'foo') { :new_entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == :new_entity
+    end
+
+    it "loads and assigns a resource collection for index action" do
+      params.merge! :action => 'index'
+      mock(Entity).scoped { :entity_collection }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entities).should == :entity_collection
+    end
+
+    it "loads and assigns a namespaced resource" do
+      params.merge! :action => 'show', :id => entity.id
+      module SomeProject
+        class Entity < ::Entity; end
+      end
+      stub(SomeProject::Entity).scoped.mock!.find(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'some_project/entity'
+      resource.load_resource
+      controller.instance_variable_get(:@some_project_entity).should == entity
+    end
+    
+    it "loads the resource with a custom finder" do
+      params.merge! :action => 'show', :id => entity.id
+      stub(Entity).scoped.mock!.find_by_name(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity', :finder => :find_by_name
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == entity
+    end
+
+    it "loads and assigns a single resource for custom action by default" do
+      params.merge! :action => 'fetch', :id => entity.id
+      stub(Entity).scoped.mock!.find(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == entity
+    end
+
+    it "loads and assigns a collection for custom action if specified in options" do
+      params.merge! :action => 'sort'
+      mock(Entity).scoped { :entity_collection }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity', :collection => [:sort]
+      resource.load_resource
+      controller.instance_variable_get(:@entities).should == :entity_collection
+    end
+
+    it "builds and assigns a new resource for custom action if specified in options" do
+      params.merge! :action => 'generate', :entity => {:name => 'foo'}
+      mock(Entity).new('name' => 'foo') { :new_entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity', :new_record => [:generate]
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == :new_entity
+    end
+
+    it "doesn't assign the resource to an instance variable if it is already assigned" do
+      params.merge! :action => 'show', :id => entity.id
+      controller.instance_variable_set :@entity, :different_entity
+      stub(Entity).scoped.stub!.find(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == :different_entity
+    end
+
+    it "loads and assigns a resource through the association of another parent resource" do
+      thing = stub!.id{1}.subject
+      params.merge! :controller => :things, :action => 'show', :entity_id => entity.id, :id => thing.id
+      controller.instance_variable_set(:@entity, entity)
+      stub(entity).things.mock!.find(thing.id) { thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "loads and assigns the parent resource if :through option is provided" do
+      params.merge! :controller => :things, :action => 'index', :entity_id => entity.id
+      stub(Entity).scoped.mock!.find(entity.id) { entity }
+      stub(entity).things
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity'
+      resource.load_resource
+      controller.instance_variable_get(:@entity).should == entity
+    end
+
+    it "loads the resource directly if the parent isn't found and :shallow option is true" do
+      thing = stub!.id{1}.subject
+      params.merge! :controller => :things, :action => 'show', :id => thing.id
+      stub(Thing).scoped.mock!.find(thing.id) { thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :shallow => true
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "raises an error when the parent's id is not provided" do
+      params.merge! :controller => :things, :action => 'show', :id => 1
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity'
+      expect { resource.load_resource }.to raise_error(RuntimeError)
+    end
+
+    it "loads through the first parent found when multiple are given" do
+      thing = stub!.id{1}.subject
+      params.merge! :controller => :things, :action => 'show', :id => thing.id
+      class Nothing; end
+      stub(Nothing).scoped
+      controller.instance_variable_set(:@entity, entity)
+      controller.instance_variable_set(:@user, Object.new)
+      stub(entity).things.mock!.find(thing.id) { thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => [:nothing, :entity, :user]
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "loads through has_one association with :singleton option" do
+      thing = stub!.id{1}.subject
+      params.merge! :controller => :things, :action => 'show'
+      controller.instance_variable_set(:@entity, entity)
+      mock(entity).thing { thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :singleton => true
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "builds a record through has_one association with :singleton option" do
+      params.merge! :controller => :things, :action => 'create', :thing => {:name => 'foo'}
+      controller.instance_variable_set(:@entity, entity)
+      thing = stub!.id{1}.subject
+      stub(entity).thing { nil }
+      mock(entity).build_thing('name' => 'foo') { thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :singleton => true
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "builds a record with correct method name with :singleton and :through_association options" do
+      params.merge! :controller => :things, :action => 'create', :thing => {:name => 'foo'}
+      controller.instance_variable_set(:@entity, entity)
+      thing = stub!.id{1}.subject
+      stub(entity).stuff { nil }
+      mock(entity).build_stuff('name' => 'foo') { thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :singleton => true, :through_association => :stuff
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "doesn't build a record through has_one association with :singleton option if one already exists because it can cause it to delete it in the database" do
+      params.merge! :controller => :things, :action => 'create', :thing => {:name => 'foo'}
+      controller.instance_variable_set(:@entity, entity)
+      thing = stub!.id{1}.subject
+      mock(entity).thing { thing }
+      mock(thing).assign_attributes 'name' => 'foo'
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :singleton => true
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "loads through has_one association with :singleton and :shallow options" do
+      thing = stub!.id{1}.subject
+      params.merge! :controller => :things, :action => 'show', :id => thing.id
+      stub(Thing).scoped.mock!.find(thing.id) { thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :singleton => true, :shallow => :true
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "builds a record through has_one association with :singleton and :shallow options" do
+      params.merge! :controller => :things, :action => 'create', :thing => {:name => 'foo'}
+      stub(Thing).scoped.mock!.new('name' => 'foo') { :new_thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :singleton => true, :shallow => :true
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == :new_thing
+    end
+
+    it "builds a record through has_one association with :singleton and :shallow options even if the parent is present" do
+      params.merge! :controller => :things, :action => 'create', :thing => {:name => 'foo'}
+      controller.instance_variable_set(:@entity, entity)
+      stub(entity).thing { nil }
+      mock(entity).build_thing('name' => 'foo') { :new_thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :singleton => true, :shallow => :true
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == :new_thing
+    end
+
+    it "loads through custom association if :through_association option is provided" do
+      thing = stub!.id{1}.subject
+      params.merge! :controller => :things, :action => 'show', :entity_id => entity.id, :id => thing.id
+      controller.instance_variable_set(:@entity, entity)
+      stub(entity).stuff.mock!.find(thing.id) { thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :through_association => :stuff
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "loads through custom association if both :through_association and :singleton options are provided" do
+      thing = stub!.id{1}.subject
+      params.merge! :controller => :things, :action => 'show', :entity_id => entity.id, :id => thing.id
+      controller.instance_variable_set(:@entity, entity)
+      mock(entity).stuff { thing }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'thing', :through => 'entity', :through_association => :stuff, :singleton => true
+      resource.load_resource
+      controller.instance_variable_get(:@thing).should == thing
+    end
+
+    it "loads and assigns a resource using custom instance name" do
+      params.merge! :action => 'show', :id => entity.id
+      stub(Entity).scoped.mock!.find(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity', :instance_name => :something
+      resource.load_resource
+      controller.instance_variable_get(:@something).should == entity
+    end
+
+    it "loads and assigns a resource collection using custom instance name" do
+      params.merge! :action => 'index'
+      mock(Entity).scoped { :entity_collection }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity', :instance_name => :something
+      resource.load_resource
+      controller.instance_variable_get(:@somethings).should == :entity_collection
+    end
+  end
+
+  describe '#load_and_authorize_resource' do
+    let(:user) { stub!.id{1}.subject }
+    before do
+      stub(user).admin { false }
+      stub(controller).security_context { user }
+    end
+
+    it "calls #restrict on the loaded resource" do
+      params.merge! :action => 'show', :id => entity.id
+      mock(Entity).restrict(controller.security_context).stub!.find(entity.id) { entity }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_and_authorize_resource
+    end
+
+    it "raises AccessDenied when calling :new action for resource that can't be created" do
+      params.merge! :action => 'new'
+      mock(Entity).new.mock!.restrict(controller.security_context, {}) { entity }
+      stub(entity).assign_attributes
+      mock(entity).creatable? { false }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      expect { resource.load_and_authorize_resource }.to raise_error(Heimdallr::AccessDenied)
+    end
+
+    it "raises AccessDenied when creating a resource that can't be created" do
+      params.merge! :action => 'create'
+      mock(Entity).new.mock!.restrict(controller.security_context, {}) { entity }
+      stub(entity).assign_attributes
+      mock(entity).creatable? { false }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      expect { resource.load_and_authorize_resource }.to raise_error(Heimdallr::AccessDenied)
+    end
+
+    it "raises AccessDenied when calling :edit action for resource that can't be updated" do
+      params.merge! :action => 'edit', :id => entity.id
+      mock(Entity).restrict(controller.security_context).stub!.find(entity.id) { entity }
+      mock(entity).modifiable? { false }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      expect { resource.load_and_authorize_resource }.to raise_error(Heimdallr::AccessDenied)
+    end
+
+    it "raises AccessDenied when updating a resource that can't be updated" do
+      params.merge! :action => 'update', :id => entity.id
+      mock(Entity).restrict(controller.security_context).stub!.find(entity.id) { entity }
+      mock(entity).modifiable? { false }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      expect { resource.load_and_authorize_resource }.to raise_error(Heimdallr::AccessDenied)
+    end
+
+    it "raises AccessDenied when destroying a resource that can't be destroyed" do
+      params.merge! :action => 'destroy', :id => entity.id
+      mock(Entity).restrict(controller.security_context).stub!.find(entity.id) { entity }
+      mock(entity).destroyable? { false }
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      expect { resource.load_and_authorize_resource }.to raise_error(Heimdallr::AccessDenied)
+    end
+
+    it "fixates certain attributes of a new resource" do
+      params.merge! :action => 'new', :entity => {:name => 'foo'}
+      mock(Entity).new.mock!.restrict(controller.security_context, {}) { entity }
+      mock(entity).creatable? { true }
+      fixtures = {:create => {:name => 'bar'}}
+      stub(entity).reflect_on_security { {:restrictions => stub!.fixtures{fixtures}.subject} }
+      stub(entity).assign_attributes('name' => 'foo')
+      mock(entity).assign_attributes(fixtures[:create])
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_and_authorize_resource
+      controller.instance_variable_get(:@entity) == entity
+    end
+
+    it "fixates certain attributes of an updating resource" do
+      params.merge! :action => 'update', :id => entity.id, :entity => {:name => 'foo'}
+      mock(Entity).restrict(controller.security_context).stub!.find(entity.id) { entity }
+      mock(entity).modifiable? { true }
+      fixtures = {:update => {:name => 'bar'}}
+      stub(entity).reflect_on_security { {:restrictions => stub!.fixtures{fixtures}.subject} }
+      stub(entity).assign_attributes('name' => 'foo')
+      mock(entity).assign_attributes(fixtures[:update])
+      resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+      resource.load_and_authorize_resource
+      controller.instance_variable_get(:@entity) == entity
+    end
+
+    context "when controller.skip_authorization_check? is true" do
+      before { stub(controller).skip_authorization_check? { true } }
+
+      it "doesn't raise AccessDenied" do
+        params.merge! :action => 'destroy', :id => entity.id
+        mock(Entity).restrict(controller.security_context).stub!.find(entity.id) { entity }
+        stub(entity).destroyable? { false }
+        resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+        expect { resource.load_and_authorize_resource }.not_to raise_error(Heimdallr::AccessDenied)
+      end
+
+      it "doesn't fixate attributes" do
+        params.merge! :action => 'new', :entity => {:name => 'foo'}
+        mock(Entity).new.mock!.restrict(controller.security_context, {}) { entity }
+        stub(entity).creatable? { true }
+        fixtures = {:create => {:name => 'bar'}}
+        stub(entity).reflect_on_security { {:restrictions => stub!.fixtures{fixtures}.subject} }
+        stub(entity).assign_attributes('name' => 'foo')
+        dont_allow(entity).assign_attributes(fixtures[:create])
+        resource = Heimdallr::ResourceImplementation.new controller, :resource => 'entity'
+        resource.load_and_authorize_resource
+        controller.instance_variable_get(:@entity) == entity
+      end
+    end
+  end
+end