load_and_authorize_resource 0.2.0 → 0.3.0

data/README.md

@@ -136,9 +136,21 @@ For parent resources, `current_user.can_read?(@parent)` is consulted. If false,
 
 If none of the parent IDs are present, e.g. `person_id` and `group_id` are both absent in `params`, then a `LoadAndAuthorizeResource::ParameterMissing` exception is raised.
 
+### Specifying Type of Authorization Required
+
+When authorizing a parent resource, you may wish to check a permission other than `:read`. If so, specify the `permit` option:
+
+```ruby
+class NotesController < ApplicationController
+  load_and_authorize_parent :person, permit: :edit
+end
+```
+
+Instead of asking `current_user.can_read?(person)`, LARR will ask `current_user.can_edit?(person)`.
+
 ### Shallow (Optional) Routes
 
-You can make the parent loading and authorization optional by making it `optional`:
+You can make the parent loading and authorization optional:
 
 ```ruby
 class NotesController < ApplicationController

data/lib/load_and_authorize_resource.rb

@@ -54,7 +54,7 @@ module LoadAndAuthorizeResource
     #
     # If we've exhausted our list of potential parent resources without
     # seeing the needed parameter (:person_id or :group_id), then a
-    # LoadAndAuthorizeResource::ParameterMissing error is raised.
+    # {LoadAndAuthorizeResource::ParameterMissing} error is raised.
     #
     # Note: load_parent assumes you've only nested your route a single
     # layer deep, e.g. /parents/1/children/2
@@ -74,7 +74,7 @@ module LoadAndAuthorizeResource
     # optional and some not:
     #
     #     class NotesController < ApplicationController
-    #       load_parent :person, group, optional: true
+    #       load_parent :person, :group, optional: true
     #       load_parent :book
     #     end
     #
@@ -115,7 +115,7 @@ module LoadAndAuthorizeResource
     def load_parent(*names)
       options = names.extract_options!.dup
       required = !(options.delete(:shallow) || options.delete(:optional))
-      save_nested_resource_options(:load, names, required)
+      save_nested_resource_options(:load, names, required: required)
       define_scope_method(names, options.delete(:children))
       before_filter :load_parent, options
     end
@@ -128,7 +128,7 @@ module LoadAndAuthorizeResource
     #     end
     #
     # If `@group` is not found, or calling `current_user.can_read?(@group)` fails,
-    # an exception will be raised.
+    # an {LoadAndAuthorizeResource::AccessDenied} exception will be raised.
     #
     # If the parent resource is optional, and you only want to check authorization
     # if it is set, you can set the `:shallow` option to `true`:
@@ -138,13 +138,15 @@ module LoadAndAuthorizeResource
     #     end
     #
     # @option options [Boolean] :shallow set to true to allow non-nested routes, e.g. `/notes` in addition to `/people/1/notes`
+    # @option options [Boolean] :permit set to permission that should be consulted, e.g. :edit, :delete (defaults to :read)
     # @option options [Boolean] :except controller actions to ignore when applying this filter
     # @option options [Boolean] :only controller actions to apply this filter
     #
     def authorize_parent(*names)
       options = names.extract_options!.dup
       required = !(options.delete(:shallow) || options.delete(:optional))
-      save_nested_resource_options(:auth, names, required)
+      permit = options.delete(:permit) || :read
+      save_nested_resource_options(:auth, names, required: required, permit: permit)
       before_filter :authorize_parent, options
     end
 
@@ -162,12 +164,9 @@ module LoadAndAuthorizeResource
     #       load_resource
     #     end
     #
-    # ...automatically finds the note for actions
-    # `show`, `edit`, `update`, and `destroy`.
+    # ...automatically finds the note for actions `show`, `edit`, `update`, and `destroy`.
     #
-    # For the `new` action, simply instantiates a
-    # new resource. For `create`, instantiates and
-    # sets attributes to `<resource>_params`.
+    # For the `new` action, simply instantiates a new resource. For `create`, instantiates and sets attributes to `<resource>_params`.
     #
     # @option options [Boolean] :except controller actions to ignore when applying this filter
     # @option options [Boolean] :only controller actions to apply this filter (default is show, new, create, edit, update, and destroy)
@@ -184,7 +183,7 @@ module LoadAndAuthorizeResource
 
     # Checks authorization on the already-loaded resource.
     #
-    # This method calls `current_user.can_<action>?(@resource)` and raises an exception if the answer is 'no'.
+    # This method calls `current_user.can_<action>?(@resource)` and raises an {LoadAndAuthorizeResource::AccessDenied} exception if the answer is 'no'.
     #
     # @option options [Boolean] :except controller actions to ignore when applying this filter
     # @option options [Boolean] :only controller actions to apply this filter
@@ -242,10 +241,10 @@ module LoadAndAuthorizeResource
     end
 
     # Stores groups of names and options (required) on a class attribute on the controller
-    def save_nested_resource_options(key, names, required)
+    def save_nested_resource_options(key, names, options)
       self.nested_resource_options ||= {}
       self.nested_resource_options[key] ||= []
-      group = {resources: names, required: required}
+      group = options.merge(resources: names)
       self.nested_resource_options[key] << group
     end
   end
@@ -294,7 +293,7 @@ module LoadAndAuthorizeResource
           raise ParameterMissing.new('parent resource not found')
         end
         if parent
-          authorize_resource(parent, :read)
+          authorize_resource(parent, group[:permit])
         end
       end
     end

metadata

@@ -2,14 +2,14 @@
 name: load_and_authorize_resource
 version: !ruby/object:Gem::Version
   prerelease: 
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Tim Morgan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-12 00:00:00.000000000 Z
+date: 2013-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   prerelease: false
@@ -82,7 +82,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - README.md
-- lib/load_and_authorize_resource.rb.20130712142746.patch
 - lib/load_and_authorize_resource.rb
 homepage: https://github.com/seven1m/load_and_authorize_resource
 licenses: []

data/lib/load_and_authorize_resource.rb.20130712142746.patch

@@ -1,37 +0,0 @@
---- lib/load_and_authorize_resource.rb	2013-07-11 21:52:43.091465423 -0500
-+++ /tmp/vu0jgwl/146	2013-07-12 14:27:46.872763565 -0500
-@@ -178,6 +178,7 @@
-       unless options[:only] or options[:except]
-         options.reverse_merge!(only: [:show, :new, :create, :edit, :update, :destroy])
-       end
-+      define_scope_method([], options.delete(:children))
-       before_filter :load_resource, options
-     end
- 
-@@ -224,15 +225,19 @@
-     # that returns a scoped relation, either @parent.notes, or Note itself.
-     def define_scope_method(parents, name=nil)
-       name ||= resource_accessor_name
--      define_method(name) do
--        parents.each do |parent|
--          if resource = instance_variable_get("@#{parent}")
--            return resource.send(name).scoped
-+      nested_resource_options[:accessors] ||= []
-+      unless nested_resource_options[:accessors].include?(name)
-+        nested_resource_options[:accessors] << name
-+        define_method(name) do
-+          parents.each do |parent|
-+            if resource = instance_variable_get("@#{parent}")
-+              return resource.send(name).scoped
-+            end
-           end
-+          name.to_s.classify.constantize.scoped
-         end
--        name.to_s.classify.constantize.scoped
-+        private(name)
-       end
--      private(name)
-     end
- 
-     # Stores groups of names and options (required) on a class attribute on the controller
-