load_and_authorize_resource 0.2.0 → 0.3.0
- data/README.md +13 -1
- data/lib/load_and_authorize_resource.rb +13 -14
- metadata +2 -3
- data/lib/load_and_authorize_resource.rb.20130712142746.patch +0 -37
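--- a/data/README.md
+++ b/data/README.md
@@ -136,9 +136,21 @@ For parent resources, `current_user.can_read?(@parent)` is consulted. If false,
 
 If none of the parent IDs are present, e.g. `person_id` and `group_id` are both absent in `params`, then a `LoadAndAuthorizeResource::ParameterMissing` exception is raised.
 
+### Specifying Type of Authorization Required
+
+When authorizing a parent resource, you may wish to check a permission other than `:read`. If so, specify the `permit` option:
+
+```ruby
+class NotesController < ApplicationController
+load_and_authorize_parent :person, permit: :edit
+end
+```
+
+Instead of asking `current_user.can_read?(person)`, LARR will ask `current_user.can_edit?(person)`.
+
 ### Shallow (Optional) Routes
 
-You can make the parent loading and authorization optional
+You can make the parent loading and authorization optional:
 
 ```ruby
 class NotesController < ApplicationController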
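--- a/data/lib/load_and_authorize_resource.rb
+++ b/data/lib/load_and_authorize_resource.rb
@@ -54,7 +54,7 @@ module LoadAndAuthorizeResource
 #
 # If we've exhausted our list of potential parent resources without
 # seeing the needed parameter (:person_id or :group_id), then a
-# LoadAndAuthorizeResource::ParameterMissing error is raised.
+# {LoadAndAuthorizeResource::ParameterMissing} error is raised.
 #
 # Note: load_parent assumes you've only nested your route a single
 # layer deep, e.g. /parents/1/children/2
@@ -74,7 +74,7 @@ module LoadAndAuthorizeResource
 # optional and some not:
 #
 # class NotesController < ApplicationController
-# load_parent :person, group, optional: true
+# load_parent :person, :group, optional: true
 # load_parent :book
 # end
 #
@@ -115,7 +115,7 @@ module LoadAndAuthorizeResource
 def load_parent(*names)
 options = names.extract_options!.dup
 required = !(options.delete(:shallow) || options.delete(:optional))
-save_nested_resource_options(:load, names, required)
+save_nested_resource_options(:load, names, required: required)
 define_scope_method(names, options.delete(:children))
 before_filter :load_parent, options
 end
@@ -128,7 +128,7 @@ module LoadAndAuthorizeResource
 # end
 #
 # If `@group` is not found, or calling `current_user.can_read?(@group)` fails,
-# an exception will be raised.
+# an {LoadAndAuthorizeResource::AccessDenied} exception will be raised.
 #
 # If the parent resource is optional, and you only want to check authorization
 # if it is set, you can set the `:shallow` option to `true`:
@@ -138,13 +138,15 @@ module LoadAndAuthorizeResource
 # end
 #
 # @option options [Boolean] :shallow set to true to allow non-nested routes, e.g. `/notes` in addition to `/people/1/notes`
+# @option options [Boolean] :permit set to permission that should be consulted, e.g. :edit, :delete (defaults to :read)
 # @option options [Boolean] :except controller actions to ignore when applying this filter
 # @option options [Boolean] :only controller actions to apply this filter
 #
 def authorize_parent(*names)
 options = names.extract_options!.dup
 required = !(options.delete(:shallow) || options.delete(:optional))
-
+permit = options.delete(:permit) || :read
+save_nested_resource_options(:auth, names, required: required, permit: permit)
 before_filter :authorize_parent, options
 end
 
@@ -162,12 +164,9 @@ module LoadAndAuthorizeResource
 # load_resource
 # end
 #
-# ...automatically finds the note for actions
-# `show`, `edit`, `update`, and `destroy`.
+# ...automatically finds the note for actions `show`, `edit`, `update`, and `destroy`.
 #
-# For the `new` action, simply instantiates a
-# new resource. For `create`, instantiates and
-# sets attributes to `<resource>_params`.
+# For the `new` action, simply instantiates a new resource. For `create`, instantiates and sets attributes to `<resource>_params`.
 #
 # @option options [Boolean] :except controller actions to ignore when applying this filter
 # @option options [Boolean] :only controller actions to apply this filter (default is show, new, create, edit, update, and destroy)
@@ -184,7 +183,7 @@ module LoadAndAuthorizeResource
 
 # Checks authorization on the already-loaded resource.
 #
-# This method calls `current_user.can_<action>?(@resource)` and raises an exception if the answer is 'no'.
+# This method calls `current_user.can_<action>?(@resource)` and raises an {LoadAndAuthorizeResource::AccessDenied} exception if the answer is 'no'.
 #
 # @option options [Boolean] :except controller actions to ignore when applying this filter
 # @option options [Boolean] :only controller actions to apply this filter
@@ -242,10 +241,10 @@ module LoadAndAuthorizeResource
 end
 
 # Stores groups of names and options (required) on a class attribute on the controller
-def save_nested_resource_options(key, names,
+def save_nested_resource_options(key, names, options)
 self.nested_resource_options ||= {}
 self.nested_resource_options[key] ||= []
-group =
+group = options.merge(resources: names)
 self.nested_resource_options[key] << group
 end
 end
@@ -294,7 +293,7 @@ module LoadAndAuthorizeResource
 raise ParameterMissing.new('parent resource not found')
 end
 if parent
-authorize_resource(parent, :
+authorize_resource(parent, group[:permit])
 end
 end
 end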
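Review bot: `authorize_parent` stores whatever `:permit` value it is given, and the filter later hands it to `authorize_resource(parent, group[:permit])` unchecked, so a misspelled or non-Symbol permission is only discovered when a request reaches the filter. The body of `authorize_resource` is outside these hunks; going by its doc comment it dispatches to `current_user.can_<action>?`, so a bad value would presumably raise there rather than grant access, but an authorization declaration is better rejected when the controller class is loaded, e.g. `raise ArgumentError, "permit must be a Symbol or String" unless permit.is_a?(Symbol) || permit.is_a?(String)` right after `permit = options.delete(:permit) || :read`. The new YARD tag also types the option as `[Boolean]`; it should read `# @option options [Symbol] :permit permission to consult, e.g. :edit, :delete (defaults to :read)`.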
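--- a/metadata
+++ b/metadata
@@ -2,14 +2,14 @@
 name: load_and_authorize_resource
 version: !ruby/object:Gem::Version
 prerelease:
-version: 0.
+version: 0.3.0
 platform: ruby
 authors:
 - Tim Morgan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-
+date: 2013-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 prerelease: false
@@ -82,7 +82,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - README.md
-- lib/load_and_authorize_resource.rb.20130712142746.patch
 - lib/load_and_authorize_resource.rb
 homepage: https://github.com/seven1m/load_and_authorize_resource
 licenses: []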
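--- a/data/lib/load_and_authorize_resource.rb.20130712142746.patch
+++ b/data/lib/load_and_authorize_resource.rb.20130712142746.patch
@@ -1,37 +0,0 @@
---- lib/load_and_authorize_resource.rb 2013-07-11 21:52:43.091465423 -0500
-+++ /tmp/vu0jgwl/146 2013-07-12 14:27:46.872763565 -0500
-@@ -178,6 +178,7 @@
-unless options[:only] or options[:except]
-options.reverse_merge!(only: [:show, :new, :create, :edit, :update, :destroy])
-end
-+ define_scope_method([], options.delete(:children))
-before_filter :load_resource, options
-end
-
-@@ -224,15 +225,19 @@
-# that returns a scoped relation, either @parent.notes, or Note itself.
-def define_scope_method(parents, name=nil)
-name ||= resource_accessor_name
-- define_method(name) do
-- parents.each do |parent|
-- if resource = instance_variable_get("@#{parent}")
-- return resource.send(name).scoped
-+ nested_resource_options[:accessors] ||= []
-+ unless nested_resource_options[:accessors].include?(name)
-+ nested_resource_options[:accessors] << name
-+ define_method(name) do
-+ parents.each do |parent|
-+ if resource = instance_variable_get("@#{parent}")
-+ return resource.send(name).scoped
-+ end
-end
-+ name.to_s.classify.constantize.scoped
-end
-- name.to_s.classify.constantize.scoped
-+ private(name)
-end
-- private(name)
-end
-
-# Stores groups of names and options (required) on a class attribute on the controller
-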