marnen-cancan 2.0.0.alpha.pre.f1cebde51a87be149b4970a3287826bb63c0ac0b
- checksums.yaml +15 -0
- data/CHANGELOG.rdoc +381 -0
- data/Gemfile +3 -0
- data/LICENSE +20 -0
- data/README.rdoc +108 -0
- data/Rakefile +18 -0
- data/init.rb +1 -0
- data/lib/cancan.rb +13 -0
- data/lib/cancan/ability.rb +348 -0
- data/lib/cancan/controller_additions.rb +392 -0
- data/lib/cancan/controller_resource.rb +265 -0
- data/lib/cancan/exceptions.rb +53 -0
- data/lib/cancan/inherited_resource.rb +20 -0
- data/lib/cancan/matchers.rb +14 -0
- data/lib/cancan/model_adapters/abstract_adapter.rb +56 -0
- data/lib/cancan/model_adapters/active_record_adapter.rb +172 -0
- data/lib/cancan/model_adapters/data_mapper_adapter.rb +34 -0
- data/lib/cancan/model_adapters/default_adapter.rb +7 -0
- data/lib/cancan/model_adapters/mongoid_adapter.rb +54 -0
- data/lib/cancan/model_additions.rb +29 -0
- data/lib/cancan/rule.rb +178 -0
- data/lib/generators/cancan/ability/USAGE +5 -0
- data/lib/generators/cancan/ability/ability_generator.rb +16 -0
- data/lib/generators/cancan/ability/templates/ability.rb +24 -0
- data/lib/generators/cancan/ability/templates/ability_spec.rb +16 -0
- data/lib/generators/cancan/ability/templates/ability_test.rb +10 -0
- data/spec/README.rdoc +28 -0
- data/spec/cancan/ability_spec.rb +541 -0
- data/spec/cancan/controller_additions_spec.rb +118 -0
- data/spec/cancan/controller_resource_spec.rb +535 -0
- data/spec/cancan/exceptions_spec.rb +58 -0
- data/spec/cancan/inherited_resource_spec.rb +58 -0
- data/spec/cancan/matchers_spec.rb +33 -0
- data/spec/cancan/model_adapters/active_record_adapter_spec.rb +278 -0
- data/spec/cancan/model_adapters/data_mapper_adapter_spec.rb +120 -0
- data/spec/cancan/model_adapters/default_adapter_spec.rb +7 -0
- data/spec/cancan/model_adapters/mongoid_adapter_spec.rb +227 -0
- data/spec/cancan/rule_spec.rb +55 -0
- data/spec/matchers.rb +13 -0
- data/spec/spec_helper.rb +49 -0
- metadata +197 -0
checksums.yaml
ADDED
@@ -0,0 +1,15 @@
|
|
1
|
+
---
|
2
|
+
!binary "U0hBMQ==":
|
3
|
+
metadata.gz: !binary |-
|
4
|
+
NWNiYzE4OTYwMjRlYzgzYjRjODcwYTNjMWZlZjUzYmNkZDg0MzZkOA==
|
5
|
+
data.tar.gz: !binary |-
|
6
|
+
ZDM4Y2FlZGU5ODAxN2FiNWIwNzFiZDI5MDc3MjAwNmI1ZTQxMjUyMA==
|
7
|
+
SHA512:
|
8
|
+
metadata.gz: !binary |-
|
9
|
+
ZmQwYTZmYzQwNjE2OGQ1MjU3MTdmMzEwYTA3Yjk3ZDhmZWRmYjAwY2U3YjVk
|
10
|
+
ZTc2NmRkYjE5Y2U4OGY4N2NjMzdkNzljZDcyMmYyZmU3YWZjYzYwMTJkYWM0
|
11
|
+
YmNkNWVlYjhmNmIwYWE3MjcxZGVmYTI0YTFiOTY4YzdjNDYyOWE=
|
12
|
+
data.tar.gz: !binary |-
|
13
|
+
ZGJmODAyNjAwN2UzNmY1YTA5MTc3MDIwYjc0MmEyMjA3NDFhOGRmYWI4NTQw
|
14
|
+
YzIyMTAxMGMwYzNmMTBhOWJiNDcxNDRkZWNhNDkxZjQ5YjgyNDAxYjEyZTMx
|
15
|
+
ZDNkMjg0MmNlNzMwZTY0Nzk5YWEwMTFjNmNmY2ZkNmFmOWMzYWY=
|
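Review bot: checksums.yaml gives SHA1 and SHA512 digests of metadata.gz and data.tar.gz but nothing in this package authenticates them: the file list at the top shows no metadata.gz.sig or data.tar.gz.sig, so an installer can only detect that the two archives were corrupted in transit, not who built them, because anyone who alters the gem can regenerate this file. For a fork published under a different name (marnen-cancan) that limitation is worth stating in the README, and the gem should ideally be built with a signing key. A smaller point: the first key is serialized as `!binary "U0hBMQ=="` (base64 for the literal string SHA1) while the second is the plain `SHA512:`; RubyGems reads both, but the inconsistency suggests the SHA1 key string was not UTF-8 tagged in the build environment, which is worth checking if the same tooling is used to sign a later release.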
data/CHANGELOG.rdoc
ADDED
@@ -0,0 +1,381 @@
|
|
1
|
+
1.6.8 (June 25, 2012)
|
2
|
+
|
3
|
+
* improved support for namespaced controllers and models
|
4
|
+
|
5
|
+
* pass :if and :unless options for load and authorize resource (thanks mauriciozaffari)
|
6
|
+
|
7
|
+
* Travis CI badge (thanks plentz)
|
8
|
+
|
9
|
+
* adding Ability#merge for combining multiple abilities (thanks rogercampos)
|
10
|
+
|
11
|
+
* support for multiple MetaWhere rules (thanks andhapp)
|
12
|
+
|
13
|
+
* various fixes for DataMapper, Mongoid, and Inherited Resource integration
|
14
|
+
|
15
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.7...1.6.8]
|
16
|
+
|
17
|
+
|
18
|
+
1.6.7 (October 4, 2011)
|
19
|
+
|
20
|
+
* fixing nested resource problem caused by namespace addition - issue #482
|
21
|
+
|
22
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.6...1.6.7]
|
23
|
+
|
24
|
+
|
25
|
+
1.6.6 (September 28, 2011)
|
26
|
+
|
27
|
+
* correct "return cant jump across threads" error when using check_authorization (thanks codeprimate) - issues #463, #469
|
28
|
+
|
29
|
+
* fixing tests in development by specifying with_model version (thanks kirkconnell) - issue #476
|
30
|
+
|
31
|
+
* added travis.yml file for TravisCI support (thanks bai) - issue #427
|
32
|
+
|
33
|
+
* better support for namespaced models (thanks whilefalse) - issues #424
|
34
|
+
|
35
|
+
* adding :id_param option to load_and_authorize_resource (thanks skhisma) - issue #425
|
36
|
+
|
37
|
+
* make default unauthorized message translatable text (thanks nhocki) - issue #409
|
38
|
+
|
39
|
+
* improving DataMapper behavior (thanks psanford, maxsum-corin) - issue #410, #373
|
40
|
+
|
41
|
+
* allow :find_by option to be full find method name - issue #335
|
42
|
+
|
43
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.5...1.6.6]
|
44
|
+
|
45
|
+
|
46
|
+
1.6.5 (May 18, 2011)
|
47
|
+
|
48
|
+
* pass action and subject through AccessDenied exception when :through isn't found - issue #366
|
49
|
+
|
50
|
+
* many Mongoid adapter improvements (thanks rahearn, cardagin) - issues #363, #352, #343
|
51
|
+
|
52
|
+
* allow :through option to work with private controller methods - issue #360
|
53
|
+
|
54
|
+
* ensure Mongoid::Document is defined before loading Mongoid adapter - issue #359
|
55
|
+
|
56
|
+
* many DataMapper adapter improvements (thanks emmanuel) - issue #355
|
57
|
+
|
58
|
+
* handle checking nil attributes through associations (thanks thatothermitch) - issue #330
|
59
|
+
|
60
|
+
* improve scope merging - issue #328
|
61
|
+
|
62
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.4...1.6.5]
|
63
|
+
|
64
|
+
|
65
|
+
1.6.4 (March 29, 2011)
|
66
|
+
|
67
|
+
* Fixed mongoid 'or' error - see issue #322
|
68
|
+
|
69
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.3...1.6.4]
|
70
|
+
|
71
|
+
|
72
|
+
1.6.3 (March 25, 2011)
|
73
|
+
|
74
|
+
* Make sure ActiveRecord::Relation is defined before checking conditions against it so Rails 2 is supported again - see issue #312
|
75
|
+
|
76
|
+
* Return subject passed to authorize! - see issue #314
|
77
|
+
|
78
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.2...1.6.3]
|
79
|
+
|
80
|
+
|
81
|
+
1.6.2 (March 18, 2011)
|
82
|
+
|
83
|
+
* Fixed instance loading when :singleton option is used - see issue #310
|
84
|
+
|
85
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.1...1.6.2]
|
86
|
+
|
87
|
+
|
88
|
+
1.6.1 (March 15, 2011)
|
89
|
+
|
90
|
+
* Use Item.new instead of build_item for singleton resource so it doesn't effect database - see issue #304
|
91
|
+
|
92
|
+
* Made accessible_by action default to :index and parent action default to :show instead of :read - see issue #302
|
93
|
+
|
94
|
+
* Reverted Inherited Resources "collection" override since it doesn't seem to be working - see issue #305
|
95
|
+
|
96
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.0...1.6.1]
|
97
|
+
|
98
|
+
|
99
|
+
1.6.0 (March 11, 2011)
|
100
|
+
|
101
|
+
* Added MetaWhere support - see issue #194 and #261
|
102
|
+
|
103
|
+
* Allow Active Record scopes in Ability conditions - see issue #257
|
104
|
+
|
105
|
+
* Added :if and :unless options to check_authorization - see issue #284
|
106
|
+
|
107
|
+
* Several Inherited Resources fixes (thanks aq1018, tanordheim and stefanoverna)
|
108
|
+
|
109
|
+
* Pass action name to accessible_by call when loading a collection (thanks amw)
|
110
|
+
|
111
|
+
* Added :prepend option to load_and_authorize_resource to load before other filters - see issue #290
|
112
|
+
|
113
|
+
* Fixed spacing issue in I18n message for multi-word model names - see issue #292
|
114
|
+
|
115
|
+
* Load resource collection for any action which doesn't have an "id" parameter - see issue #296
|
116
|
+
|
117
|
+
* Raise an exception when trying to make a Ability condition with both a hash of conditions and a block - see issue #269
|
118
|
+
|
119
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.5.1...1.6.0]
|
120
|
+
|
121
|
+
|
122
|
+
1.5.1 (January 20, 2011)
|
123
|
+
|
124
|
+
* Fixing deeply nested conditions in Active Record adapter - see issue #246
|
125
|
+
|
126
|
+
* Improving Mongoid support for multiple can and cannot definitions (thanks stellard) - see issue #239
|
127
|
+
|
128
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.5.0...1.5.1]
|
129
|
+
|
130
|
+
|
131
|
+
1.5.0 (January 11, 2011)
|
132
|
+
|
133
|
+
* Added an Ability generator - see issue #170
|
134
|
+
|
135
|
+
* Added DataMapper support (thanks natemueller)
|
136
|
+
|
137
|
+
* Added Mongoid support (thanks bowsersenior)
|
138
|
+
|
139
|
+
* Added skip_load_and_authorize_resource methods to controller class - see issue #164
|
140
|
+
|
141
|
+
* Added support for uncountable resources in index action - see issue #193
|
142
|
+
|
143
|
+
* Cleaned up README and added spec/README
|
144
|
+
|
145
|
+
* Internal: renamed CanDefinition to Rule
|
146
|
+
|
147
|
+
* Internal: added a model adapter layer for easily supporting more ORMs
|
148
|
+
|
149
|
+
* Internal: added .rvmrc to auto-switch to 1.8.7 with gemset - see issue #231
|
150
|
+
|
151
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.4.1...1.5.0]
|
152
|
+
|
153
|
+
|
154
|
+
1.4.1 (November 12, 2010)
|
155
|
+
|
156
|
+
* Renaming skip_authorization to skip_authorization_check - see issue #169
|
157
|
+
|
158
|
+
* Adding :through_association option to load_resource (thanks hunterae) - see issue #171
|
159
|
+
|
160
|
+
* The :shallow option now works with the :singleton option (thanks nandalopes) - see issue #187
|
161
|
+
|
162
|
+
* Play nicely with quick_scopes gem (thanks ramontayag) - see issue #183
|
163
|
+
|
164
|
+
* Fix odd behavior when "cache_classes = false" (thanks mphalliday) - see issue #174
|
165
|
+
|
166
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.4.0...1.4.1]
|
167
|
+
|
168
|
+
|
169
|
+
1.4.0 (October 5, 2010)
|
170
|
+
|
171
|
+
* Adding Gemfile; to get specs running just +bundle+ and +rake+ - see issue #163
|
172
|
+
|
173
|
+
* Stop at 'cannot' definition when there are no conditions - see issue #161
|
174
|
+
|
175
|
+
* The :through option will now call a method with that name if instance variable doesn't exist - see issue #146
|
176
|
+
|
177
|
+
* Adding :shallow option to load_resource to bring back old behavior of fetching a child without a parent
|
178
|
+
|
179
|
+
* Raise AccessDenied error when loading a child and parent resource isn't found
|
180
|
+
|
181
|
+
* Abilities defined on a module will apply to anything that includes that module - see issue #150 and #152
|
182
|
+
|
183
|
+
* Abilities can be defined with a string of SQL in addition to a block so accessible_by works with a block - see issue #150
|
184
|
+
|
185
|
+
* Adding better support for InheritedResource - see issue #23
|
186
|
+
|
187
|
+
* Loading the collection instance variable (for index action) using accessible_by - see issue #137
|
188
|
+
|
189
|
+
* Adding action and subject variables to I18n unauthorized message - closes #142
|
190
|
+
|
191
|
+
* Adding check_authorization and skip_authorization controller class methods to ensure authorization is performed (thanks justinko) - see issue #135
|
192
|
+
|
193
|
+
* Setting initial attributes based on ability conditions in new/create actions - see issue #114
|
194
|
+
|
195
|
+
* Check parent attributes for nested association in index action - see issue #121
|
196
|
+
|
197
|
+
* Supporting nesting in can? method using hash - see issue #121
|
198
|
+
|
199
|
+
* Adding I18n support for Access Denied messages (thanks EppO) - see issue #103
|
200
|
+
|
201
|
+
* Passing no arguments to +can+ definition will pass action, class, and object to block - see issue #129
|
202
|
+
|
203
|
+
* Don't pass action to block in +can+ definition when using :+manage+ option - see issue #129
|
204
|
+
|
205
|
+
* No longer calling block in +can+ definition when checking on class - see issue #116
|
206
|
+
|
207
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.4...1.4.0]
|
208
|
+
|
209
|
+
|
210
|
+
1.3.4 (August 31, 2010)
|
211
|
+
|
212
|
+
* Don't stop at +cannot+ with hash conditions when checking class (thanks tamoya) - see issue #131
|
213
|
+
|
214
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.3...1.3.4]
|
215
|
+
|
216
|
+
|
217
|
+
1.3.3 (August 20, 2010)
|
218
|
+
|
219
|
+
* Switching to Rspec namespace to remove deprecation warning in Rspec 2 - see issue #119
|
220
|
+
|
221
|
+
* Pluralize nested associations for conditions in accessible_by (thanks mlooney) - see issue #123
|
222
|
+
|
223
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.2...1.3.3]
|
224
|
+
|
225
|
+
|
226
|
+
1.3.2 (August 7, 2010)
|
227
|
+
|
228
|
+
* Fixing slice error when passing in custom resource name - see issue #112
|
229
|
+
|
230
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.1...1.3.2]
|
231
|
+
|
232
|
+
|
233
|
+
1.3.1 (August 6, 2010)
|
234
|
+
|
235
|
+
* Fixing protected sanitize_sql error - see issue #111
|
236
|
+
|
237
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.0...1.3.1]
|
238
|
+
|
239
|
+
|
240
|
+
1.3.0 (August 6, 2010)
|
241
|
+
|
242
|
+
* Adding :find_by option to load_resource - see issue #19
|
243
|
+
|
244
|
+
* Adding :singleton option to load_resource - see issue #93
|
245
|
+
|
246
|
+
* Supporting multiple resources in :through option for polymorphic associations - see issue #73
|
247
|
+
|
248
|
+
* Supporting Single Table Inheritance for "can" comparisons - see issue #55
|
249
|
+
|
250
|
+
* Adding :instance_name option to load/authorize_resource - see issue #44
|
251
|
+
|
252
|
+
* Don't pass nil to "new" to keep MongoMapper happy - see issue #63
|
253
|
+
|
254
|
+
* Parent resources are now authorized with :read action.
|
255
|
+
|
256
|
+
* Changing :resource option in load/authorize_resource back to :class with ability to pass false
|
257
|
+
|
258
|
+
* Removing :nested option in favor of :through option with separate load/authorize call
|
259
|
+
|
260
|
+
* Moving internal logic from ResourceAuthorization to ControllerResource class
|
261
|
+
|
262
|
+
* Supporting multiple "can" and "cannot" calls with accessible_by (thanks funny-falcon) - see issue #71
|
263
|
+
|
264
|
+
* Supporting deeply nested aliases - see issue #98
|
265
|
+
|
266
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.2.0...1.3.0]
|
267
|
+
|
268
|
+
|
269
|
+
1.2.0 (July 16, 2010)
|
270
|
+
|
271
|
+
* Load nested parent resources on collection actions such as "index" (thanks dohzya)
|
272
|
+
|
273
|
+
* Adding :name option to load_and_authorize_resource if it does not match controller - see issue #65
|
274
|
+
|
275
|
+
* Fixing issue when using accessible_by with nil can conditions (thanks jrallison) - see issue #66
|
276
|
+
|
277
|
+
* Pluralize table name for belongs_to associations in can conditions hash (thanks logandk) - see issue #62
|
278
|
+
|
279
|
+
* Support has_many association or arrays in can conditions hash
|
280
|
+
|
281
|
+
* Adding joins clause to accessible_by when conditions are across associations
|
282
|
+
|
283
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.1.1...1.2.0]
|
284
|
+
|
285
|
+
|
286
|
+
1.1.1 (April 17, 2010)
|
287
|
+
|
288
|
+
* Fixing behavior in Rails 3 by properly initializing ResourceAuthorization
|
289
|
+
|
290
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.1...1.1.1]
|
291
|
+
|
292
|
+
|
293
|
+
1.1.0 (April 17, 2010)
|
294
|
+
|
295
|
+
* Supporting arrays, ranges, and nested hashes in ability conditions
|
296
|
+
|
297
|
+
* Removing "unauthorized!" method in favor of "authorize!" in controllers
|
298
|
+
|
299
|
+
* Adding action, subject and default_message abilities to AccessDenied exception - see issue #40
|
300
|
+
|
301
|
+
* Adding caching to current_ability controller method, if you're overriding this be sure to add caching too.
|
302
|
+
|
303
|
+
* Adding "accessible_by" method to Active Record for fetching records matching a specific ability
|
304
|
+
|
305
|
+
* Adding conditions behavior to Ability#can and fetch with Ability#conditions - see issue #53
|
306
|
+
|
307
|
+
* Renaming :class option to :resource for load_and_authorize_resource which now supports a symbol for non models - see issue #45
|
308
|
+
|
309
|
+
* Properly handle Admin::AbilitiesController in params[:controller] - see issue #46
|
310
|
+
|
311
|
+
* Adding be_able_to RSpec matcher (thanks dchelimsky), requires Ruby 1.8.7 or higher - see issue #54
|
312
|
+
|
313
|
+
* Support additional arguments to can? which get passed to the block - see issue #48
|
314
|
+
|
315
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.0.2...1.1]
|
316
|
+
|
317
|
+
|
318
|
+
1.0.2 (Dec 30, 2009)
|
319
|
+
|
320
|
+
* Adding clear_aliased_actions to Ability which removes previously defined actions including defaults - see issue #20
|
321
|
+
|
322
|
+
* Append aliased actions (don't overwrite them) - see issue #20
|
323
|
+
|
324
|
+
* Adding custom message argument to unauthorized! method (thanks tjwallace) - see issue #18
|
325
|
+
|
326
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.0.1...1.0.2]
|
327
|
+
|
328
|
+
|
329
|
+
1.0.1 (Dec 14, 2009)
|
330
|
+
|
331
|
+
* Adding :class option to load_resource so one can customize which class to use for the model - see issue #17
|
332
|
+
|
333
|
+
* Don't fetch parent of nested resource if *_id parameter is missing so it works with shallow nested routes - see issue #14
|
334
|
+
|
335
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.0.0...1.0.1]
|
336
|
+
|
337
|
+
|
338
|
+
1.0.0 (Dec 13, 2009)
|
339
|
+
|
340
|
+
* Don't set resource instance variable if it has been set already - see issue #13
|
341
|
+
|
342
|
+
* Allowing :nested option to accept an array for deep nesting
|
343
|
+
|
344
|
+
* Adding :nested option to load resource method - see issue #10
|
345
|
+
|
346
|
+
* Pass :only and :except options to before filters for load/authorize resource methods.
|
347
|
+
|
348
|
+
* Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed.
|
349
|
+
|
350
|
+
* BACKWARDS INCOMPATIBLE: turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments.
|
351
|
+
|
352
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/0.2.1...1.0.0]
|
353
|
+
|
354
|
+
|
355
|
+
0.2.1 (Nov 26, 2009)
|
356
|
+
|
357
|
+
* many internal refactorings - see issues #11 and #12
|
358
|
+
|
359
|
+
* adding "cannot" method to define which abilities cannot be done - see issue #7
|
360
|
+
|
361
|
+
* support custom objects (usually symbols) in can definition - see issue #8
|
362
|
+
|
363
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/0.2.0...0.2.1]
|
364
|
+
|
365
|
+
|
366
|
+
0.2.0 (Nov 17, 2009)
|
367
|
+
|
368
|
+
* fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3
|
369
|
+
|
370
|
+
* support arrays being passed to "can" to specify multiple actions or classes - see issue #2
|
371
|
+
|
372
|
+
* adding "cannot?" method to ability, controller, and view which is inverse of "can?" - see issue #1
|
373
|
+
|
374
|
+
* BACKWARDS INCOMPATIBLE: use Ability#initialize instead of 'prepare' to set up abilities - see issue #4
|
375
|
+
|
376
|
+
* {see the full list of changes}[https://github.com/ryanb/cancan/compare/0.1.0...0.2.0]
|
377
|
+
|
378
|
+
|
379
|
+
0.1.0 (Nov 16, 2009)
|
380
|
+
|
381
|
+
* initial release
|
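Review bot: the changelog stops at 1.6.8 (June 25, 2012) and has no entry for the 2.0.0.alpha release this gem actually is, so none of the backwards-incompatible changes the README describes (enable_authorization, controller-name subjects such as `can :access, :projects`, attribute-level permissions, the new CanCan::Unauthorized and CanCan::InsufficientAuthorizationCheck exceptions) is recorded anywhere. Earlier entries flag breaking changes explicitly ("BACKWARDS INCOMPATIBLE: ..." under 1.0.0 and 0.2.0); a 2.0 section in the same style, noting in particular that the AccessDenied exception still referenced by the 1.6.5, 1.4.0 and 1.1.0 entries has been replaced and that subjects are now controller names rather than model classes, would let anyone auditing an upgrade see where authorization behaviour changed. Two typos to fix in the same edit: "cant" in the 1.6.6 entry should be "can't" (it quotes a Ruby error message), and "doesn't effect database" in the 1.6.1 entry should be "affect".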
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright (c) 2011 Ryan Bates
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.rdoc
ADDED
@@ -0,0 +1,108 @@
|
|
1
|
+
= CanCan {<img src="https://secure.travis-ci.org/ryanb/cancan.png" />}[http://travis-ci.org/ryanb/cancan]
|
2
|
+
|
3
|
+
This is the branch for CanCan 2.0 which is in very early development. For a stable release please check out the {master branch}[https://github.com/ryanb/cancan]
|
4
|
+
|
5
|
+
Here are some instructions for setting up CanCan 2.0. Try this out and provide feedback in the {issue tracker}[https://github.com/ryanb/cancan/issues].
|
6
|
+
|
7
|
+
|
8
|
+
== Setup
|
9
|
+
|
10
|
+
CanCan expects your controllers to have a +current_user+ method. Add some authentication for this (such as Devise[https://github.com/plataformatec/devise], Authlogic[https://github.com/binarylogic/authlogic] or {nifty:authentication}[https://github.com/ryanb/nifty-generators]). See {Changing Defaults}[https://github.com/ryanb/cancan/wiki/Changing-Defaults] to customize this behavior.
|
11
|
+
|
12
|
+
To install CanCan, add it to your Gemfile and run the `bundle` command.
|
13
|
+
|
14
|
+
gem "cancan", :git => "git://github.com/ryanb/cancan.git", :branch => "2.0"
|
15
|
+
|
16
|
+
Next generate an Ability class, this is where your permissions will be defined.
|
17
|
+
|
18
|
+
rails g cancan:ability
|
19
|
+
|
20
|
+
Add authorization by calling {enable_authorization}[https://github.com/ryanb/cancan/wiki/enable_authorization] in your ApplicationController.
|
21
|
+
|
22
|
+
class ApplicationController < ActionController::Base
|
23
|
+
enable_authorization
|
24
|
+
end
|
25
|
+
|
26
|
+
This will add an authorization check locking down every controller action. If you try visiting a page, a <tt>CanCan::Unauthorized</tt> exception will be raised since you have not granted the user ability to access it.
|
27
|
+
|
28
|
+
|
29
|
+
== Defining Abilities
|
30
|
+
|
31
|
+
You grant access to controller actions through the +Ability+ class which was generated above. The +current_user+ is passed in allowing you to define permissions based on user attributes. For example:
|
32
|
+
|
33
|
+
if user
|
34
|
+
can :access, :all
|
35
|
+
else
|
36
|
+
can :access, :home
|
37
|
+
can :create, [:users, :sessions]
|
38
|
+
end
|
39
|
+
|
40
|
+
Here if there is a user he will be able to perform any action on any controller. If someone is not logged in he can only access the home, users, and sessions controllers.
|
41
|
+
|
42
|
+
The first argument to +can+ is the action the user can perform. The second argument is the controller name they can perform that action on. You can pass <tt>:access</tt> and <tt>:all</tt> to represent any action and controller respectively.
|
43
|
+
|
44
|
+
As shown above, pass an array to either of these will grant permission on each item in the array. It isn't necessary to pass the +new+ action here because CanCan includes some default aliases. See the {Aliases}[https://github.com/ryanb/cancan/wiki/Aliases] page for details.
|
45
|
+
|
46
|
+
You can check permissions in any controller or view using the <tt>can?</tt> method.
|
47
|
+
|
48
|
+
<% if can? :create, :comments %>
|
49
|
+
<%= link_to "New Comment", new_comment_path %>
|
50
|
+
<% end %>
|
51
|
+
|
52
|
+
Here the link will only show up the user can create comments.
|
53
|
+
|
54
|
+
|
55
|
+
== Resource Conditions
|
56
|
+
|
57
|
+
What if you need to change authorization based on a model's attributes? You can do so by passing a hash of conditions as the last argument to +can+. For example, if you want to only allow one to access projects which he owns you can set the <tt>:user_id</tt>.
|
58
|
+
|
59
|
+
can :access, :projects, :user_id => user.id
|
60
|
+
|
61
|
+
A block can also be used for complex condition checks just like in CanCan 1, but here it is not necessary.
|
62
|
+
|
63
|
+
If you try visiting any of the project pages at this point you will see a <tt>CanCan::InsufficientAuthorizationCheck</tt> exception is raised. This is because the default authorization has no way to check permissions on the <tt>@project</tt> instance. You can check permissions on an object manually using the <tt>authorize!</tt> method.
|
64
|
+
|
65
|
+
def edit
|
66
|
+
@project = Project.find(params[:id])
|
67
|
+
authorize! :edit, @project
|
68
|
+
end
|
69
|
+
|
70
|
+
However this can get tedious. Instead CanCan provides a +load_and_authorize_resource+ method to load the <tt>@project</tt> instance in every controller action and authorize it.
|
71
|
+
|
72
|
+
class ProjectsController < ApplicationController
|
73
|
+
load_and_authorize_resource
|
74
|
+
def edit
|
75
|
+
# @project already loaded here and authorized
|
76
|
+
end
|
77
|
+
end
|
78
|
+
|
79
|
+
The +index+ (and other collection actions) will load the <tt>@projects</tt> instance which automatically limits the projects the user is allowed to access. This is a scope so you can make further calls to +where+ to limit what is returned from the database.
|
80
|
+
|
81
|
+
def index
|
82
|
+
@projects = @projects.where(:hidden => false)
|
83
|
+
end
|
84
|
+
|
85
|
+
You can check permissions on instances using the <tt>can?</tt> method.
|
86
|
+
|
87
|
+
<%= link_to "Edit Project", edit_project_path if can? :update, @project %>
|
88
|
+
|
89
|
+
Here it will only show the edit link if the +user_id+ matches.
|
90
|
+
|
91
|
+
|
92
|
+
== Resource Attributes
|
93
|
+
|
94
|
+
In CanCan 2.0 it is possible to define permissions on specific resource attributes. For example, if you want to allow a user to only update the name and priority of a project, pass that as the third argument to +can+.
|
95
|
+
|
96
|
+
can :update, :projects, [:name, :priority]
|
97
|
+
|
98
|
+
If you use this in combination with +load_and_authorize_resource+ it will ensure that only those two attributes exist in <tt>params[:project]</tt> when updating the project. If you do this everywhere it will not be necessary to use +attr_accessible+ in your models.
|
99
|
+
|
100
|
+
You can combine this with a hash of conditions. For example, here the user can update all attributes except the price when the product is discontinued.
|
101
|
+
|
102
|
+
can :update, :products
|
103
|
+
cannot :update, :products, :price, :discontinued => true
|
104
|
+
|
105
|
+
You can check permissions on specific attributes to determine what to show in the form.
|
106
|
+
|
107
|
+
<%= f.text_field :name if can? :update, @project, :name %>
|
108
|
+
|
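Review bot: the sentence in the Resource Attributes section that "it will not be necessary to use attr_accessible in your models" only holds for controllers that actually run load_and_authorize_resource on their create and update actions; an action excluded with :only/:except, or one that assigns params[:project] by hand the way the manual edit example loads @project by hand, gets no attribute filtering at all, so the text should say that attr_accessible remains the safety net unless every write path goes through load_and_authorize_resource. Two further points: the install line `gem "cancan", :git => "git://github.com/ryanb/cancan.git", :branch => "2.0"` fetches over the unauthenticated, unencrypted git:// protocol and points at the upstream repository rather than this fork (the gem is named marnen-cancan), so it should use an https:// URL for the fork's own repository; and `edit_project_path if can? :update, @project` calls the member route helper without its record, which raises a missing :id error under a standard `resources :projects` route, so it should read `edit_project_path(@project)`.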