marnen-cancan 2.0.0.alpha.pre.f1cebde51a87be149b4970a3287826bb63c0ac0b

Sign up to get free protection for your applications and to get access to all the features.
Files changed (41) hide show
  1. checksums.yaml +15 -0
  2. data/CHANGELOG.rdoc +381 -0
  3. data/Gemfile +3 -0
  4. data/LICENSE +20 -0
  5. data/README.rdoc +108 -0
  6. data/Rakefile +18 -0
  7. data/init.rb +1 -0
  8. data/lib/cancan.rb +13 -0
  9. data/lib/cancan/ability.rb +348 -0
  10. data/lib/cancan/controller_additions.rb +392 -0
  11. data/lib/cancan/controller_resource.rb +265 -0
  12. data/lib/cancan/exceptions.rb +53 -0
  13. data/lib/cancan/inherited_resource.rb +20 -0
  14. data/lib/cancan/matchers.rb +14 -0
  15. data/lib/cancan/model_adapters/abstract_adapter.rb +56 -0
  16. data/lib/cancan/model_adapters/active_record_adapter.rb +172 -0
  17. data/lib/cancan/model_adapters/data_mapper_adapter.rb +34 -0
  18. data/lib/cancan/model_adapters/default_adapter.rb +7 -0
  19. data/lib/cancan/model_adapters/mongoid_adapter.rb +54 -0
  20. data/lib/cancan/model_additions.rb +29 -0
  21. data/lib/cancan/rule.rb +178 -0
  22. data/lib/generators/cancan/ability/USAGE +5 -0
  23. data/lib/generators/cancan/ability/ability_generator.rb +16 -0
  24. data/lib/generators/cancan/ability/templates/ability.rb +24 -0
  25. data/lib/generators/cancan/ability/templates/ability_spec.rb +16 -0
  26. data/lib/generators/cancan/ability/templates/ability_test.rb +10 -0
  27. data/spec/README.rdoc +28 -0
  28. data/spec/cancan/ability_spec.rb +541 -0
  29. data/spec/cancan/controller_additions_spec.rb +118 -0
  30. data/spec/cancan/controller_resource_spec.rb +535 -0
  31. data/spec/cancan/exceptions_spec.rb +58 -0
  32. data/spec/cancan/inherited_resource_spec.rb +58 -0
  33. data/spec/cancan/matchers_spec.rb +33 -0
  34. data/spec/cancan/model_adapters/active_record_adapter_spec.rb +278 -0
  35. data/spec/cancan/model_adapters/data_mapper_adapter_spec.rb +120 -0
  36. data/spec/cancan/model_adapters/default_adapter_spec.rb +7 -0
  37. data/spec/cancan/model_adapters/mongoid_adapter_spec.rb +227 -0
  38. data/spec/cancan/rule_spec.rb +55 -0
  39. data/spec/matchers.rb +13 -0
  40. data/spec/spec_helper.rb +49 -0
  41. metadata +197 -0
@@ -0,0 +1,15 @@
1
+ ---
2
+ !binary "U0hBMQ==":
3
+ metadata.gz: !binary |-
4
+ NWNiYzE4OTYwMjRlYzgzYjRjODcwYTNjMWZlZjUzYmNkZDg0MzZkOA==
5
+ data.tar.gz: !binary |-
6
+ ZDM4Y2FlZGU5ODAxN2FiNWIwNzFiZDI5MDc3MjAwNmI1ZTQxMjUyMA==
7
+ SHA512:
8
+ metadata.gz: !binary |-
9
+ ZmQwYTZmYzQwNjE2OGQ1MjU3MTdmMzEwYTA3Yjk3ZDhmZWRmYjAwY2U3YjVk
10
+ ZTc2NmRkYjE5Y2U4OGY4N2NjMzdkNzljZDcyMmYyZmU3YWZjYzYwMTJkYWM0
11
+ YmNkNWVlYjhmNmIwYWE3MjcxZGVmYTI0YTFiOTY4YzdjNDYyOWE=
12
+ data.tar.gz: !binary |-
13
+ ZGJmODAyNjAwN2UzNmY1YTA5MTc3MDIwYjc0MmEyMjA3NDFhOGRmYWI4NTQw
14
+ YzIyMTAxMGMwYzNmMTBhOWJiNDcxNDRkZWNhNDkxZjQ5YjgyNDAxYjEyZTMx
15
+ ZDNkMjg0MmNlNzMwZTY0Nzk5YWEwMTFjNmNmY2ZkNmFmOWMzYWY=
@@ -0,0 +1,381 @@
1
+ 1.6.8 (June 25, 2012)
2
+
3
+ * improved support for namespaced controllers and models
4
+
5
+ * pass :if and :unless options for load and authorize resource (thanks mauriciozaffari)
6
+
7
+ * Travis CI badge (thanks plentz)
8
+
9
+ * adding Ability#merge for combining multiple abilities (thanks rogercampos)
10
+
11
+ * support for multiple MetaWhere rules (thanks andhapp)
12
+
13
+ * various fixes for DataMapper, Mongoid, and Inherited Resource integration
14
+
15
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.7...1.6.8]
16
+
17
+
18
+ 1.6.7 (October 4, 2011)
19
+
20
+ * fixing nested resource problem caused by namespace addition - issue #482
21
+
22
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.6...1.6.7]
23
+
24
+
25
+ 1.6.6 (September 28, 2011)
26
+
27
+ * correct "return cant jump across threads" error when using check_authorization (thanks codeprimate) - issues #463, #469
28
+
29
+ * fixing tests in development by specifying with_model version (thanks kirkconnell) - issue #476
30
+
31
+ * added travis.yml file for TravisCI support (thanks bai) - issue #427
32
+
33
+ * better support for namespaced models (thanks whilefalse) - issues #424
34
+
35
+ * adding :id_param option to load_and_authorize_resource (thanks skhisma) - issue #425
36
+
37
+ * make default unauthorized message translatable text (thanks nhocki) - issue #409
38
+
39
+ * improving DataMapper behavior (thanks psanford, maxsum-corin) - issue #410, #373
40
+
41
+ * allow :find_by option to be full find method name - issue #335
42
+
43
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.5...1.6.6]
44
+
45
+
46
+ 1.6.5 (May 18, 2011)
47
+
48
+ * pass action and subject through AccessDenied exception when :through isn't found - issue #366
49
+
50
+ * many Mongoid adapter improvements (thanks rahearn, cardagin) - issues #363, #352, #343
51
+
52
+ * allow :through option to work with private controller methods - issue #360
53
+
54
+ * ensure Mongoid::Document is defined before loading Mongoid adapter - issue #359
55
+
56
+ * many DataMapper adapter improvements (thanks emmanuel) - issue #355
57
+
58
+ * handle checking nil attributes through associations (thanks thatothermitch) - issue #330
59
+
60
+ * improve scope merging - issue #328
61
+
62
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.4...1.6.5]
63
+
64
+
65
+ 1.6.4 (March 29, 2011)
66
+
67
+ * Fixed mongoid 'or' error - see issue #322
68
+
69
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.3...1.6.4]
70
+
71
+
72
+ 1.6.3 (March 25, 2011)
73
+
74
+ * Make sure ActiveRecord::Relation is defined before checking conditions against it so Rails 2 is supported again - see issue #312
75
+
76
+ * Return subject passed to authorize! - see issue #314
77
+
78
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.2...1.6.3]
79
+
80
+
81
+ 1.6.2 (March 18, 2011)
82
+
83
+ * Fixed instance loading when :singleton option is used - see issue #310
84
+
85
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.1...1.6.2]
86
+
87
+
88
+ 1.6.1 (March 15, 2011)
89
+
90
+ * Use Item.new instead of build_item for singleton resource so it doesn't effect database - see issue #304
91
+
92
+ * Made accessible_by action default to :index and parent action default to :show instead of :read - see issue #302
93
+
94
+ * Reverted Inherited Resources "collection" override since it doesn't seem to be working - see issue #305
95
+
96
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.6.0...1.6.1]
97
+
98
+
99
+ 1.6.0 (March 11, 2011)
100
+
101
+ * Added MetaWhere support - see issue #194 and #261
102
+
103
+ * Allow Active Record scopes in Ability conditions - see issue #257
104
+
105
+ * Added :if and :unless options to check_authorization - see issue #284
106
+
107
+ * Several Inherited Resources fixes (thanks aq1018, tanordheim and stefanoverna)
108
+
109
+ * Pass action name to accessible_by call when loading a collection (thanks amw)
110
+
111
+ * Added :prepend option to load_and_authorize_resource to load before other filters - see issue #290
112
+
113
+ * Fixed spacing issue in I18n message for multi-word model names - see issue #292
114
+
115
+ * Load resource collection for any action which doesn't have an "id" parameter - see issue #296
116
+
117
+ * Raise an exception when trying to make a Ability condition with both a hash of conditions and a block - see issue #269
118
+
119
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.5.1...1.6.0]
120
+
121
+
122
+ 1.5.1 (January 20, 2011)
123
+
124
+ * Fixing deeply nested conditions in Active Record adapter - see issue #246
125
+
126
+ * Improving Mongoid support for multiple can and cannot definitions (thanks stellard) - see issue #239
127
+
128
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.5.0...1.5.1]
129
+
130
+
131
+ 1.5.0 (January 11, 2011)
132
+
133
+ * Added an Ability generator - see issue #170
134
+
135
+ * Added DataMapper support (thanks natemueller)
136
+
137
+ * Added Mongoid support (thanks bowsersenior)
138
+
139
+ * Added skip_load_and_authorize_resource methods to controller class - see issue #164
140
+
141
+ * Added support for uncountable resources in index action - see issue #193
142
+
143
+ * Cleaned up README and added spec/README
144
+
145
+ * Internal: renamed CanDefinition to Rule
146
+
147
+ * Internal: added a model adapter layer for easily supporting more ORMs
148
+
149
+ * Internal: added .rvmrc to auto-switch to 1.8.7 with gemset - see issue #231
150
+
151
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.4.1...1.5.0]
152
+
153
+
154
+ 1.4.1 (November 12, 2010)
155
+
156
+ * Renaming skip_authorization to skip_authorization_check - see issue #169
157
+
158
+ * Adding :through_association option to load_resource (thanks hunterae) - see issue #171
159
+
160
+ * The :shallow option now works with the :singleton option (thanks nandalopes) - see issue #187
161
+
162
+ * Play nicely with quick_scopes gem (thanks ramontayag) - see issue #183
163
+
164
+ * Fix odd behavior when "cache_classes = false" (thanks mphalliday) - see issue #174
165
+
166
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.4.0...1.4.1]
167
+
168
+
169
+ 1.4.0 (October 5, 2010)
170
+
171
+ * Adding Gemfile; to get specs running just +bundle+ and +rake+ - see issue #163
172
+
173
+ * Stop at 'cannot' definition when there are no conditions - see issue #161
174
+
175
+ * The :through option will now call a method with that name if instance variable doesn't exist - see issue #146
176
+
177
+ * Adding :shallow option to load_resource to bring back old behavior of fetching a child without a parent
178
+
179
+ * Raise AccessDenied error when loading a child and parent resource isn't found
180
+
181
+ * Abilities defined on a module will apply to anything that includes that module - see issue #150 and #152
182
+
183
+ * Abilities can be defined with a string of SQL in addition to a block so accessible_by works with a block - see issue #150
184
+
185
+ * Adding better support for InheritedResource - see issue #23
186
+
187
+ * Loading the collection instance variable (for index action) using accessible_by - see issue #137
188
+
189
+ * Adding action and subject variables to I18n unauthorized message - closes #142
190
+
191
+ * Adding check_authorization and skip_authorization controller class methods to ensure authorization is performed (thanks justinko) - see issue #135
192
+
193
+ * Setting initial attributes based on ability conditions in new/create actions - see issue #114
194
+
195
+ * Check parent attributes for nested association in index action - see issue #121
196
+
197
+ * Supporting nesting in can? method using hash - see issue #121
198
+
199
+ * Adding I18n support for Access Denied messages (thanks EppO) - see issue #103
200
+
201
+ * Passing no arguments to +can+ definition will pass action, class, and object to block - see issue #129
202
+
203
+ * Don't pass action to block in +can+ definition when using :+manage+ option - see issue #129
204
+
205
+ * No longer calling block in +can+ definition when checking on class - see issue #116
206
+
207
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.4...1.4.0]
208
+
209
+
210
+ 1.3.4 (August 31, 2010)
211
+
212
+ * Don't stop at +cannot+ with hash conditions when checking class (thanks tamoya) - see issue #131
213
+
214
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.3...1.3.4]
215
+
216
+
217
+ 1.3.3 (August 20, 2010)
218
+
219
+ * Switching to Rspec namespace to remove deprecation warning in Rspec 2 - see issue #119
220
+
221
+ * Pluralize nested associations for conditions in accessible_by (thanks mlooney) - see issue #123
222
+
223
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.2...1.3.3]
224
+
225
+
226
+ 1.3.2 (August 7, 2010)
227
+
228
+ * Fixing slice error when passing in custom resource name - see issue #112
229
+
230
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.1...1.3.2]
231
+
232
+
233
+ 1.3.1 (August 6, 2010)
234
+
235
+ * Fixing protected sanitize_sql error - see issue #111
236
+
237
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.3.0...1.3.1]
238
+
239
+
240
+ 1.3.0 (August 6, 2010)
241
+
242
+ * Adding :find_by option to load_resource - see issue #19
243
+
244
+ * Adding :singleton option to load_resource - see issue #93
245
+
246
+ * Supporting multiple resources in :through option for polymorphic associations - see issue #73
247
+
248
+ * Supporting Single Table Inheritance for "can" comparisons - see issue #55
249
+
250
+ * Adding :instance_name option to load/authorize_resource - see issue #44
251
+
252
+ * Don't pass nil to "new" to keep MongoMapper happy - see issue #63
253
+
254
+ * Parent resources are now authorized with :read action.
255
+
256
+ * Changing :resource option in load/authorize_resource back to :class with ability to pass false
257
+
258
+ * Removing :nested option in favor of :through option with separate load/authorize call
259
+
260
+ * Moving internal logic from ResourceAuthorization to ControllerResource class
261
+
262
+ * Supporting multiple "can" and "cannot" calls with accessible_by (thanks funny-falcon) - see issue #71
263
+
264
+ * Supporting deeply nested aliases - see issue #98
265
+
266
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.2.0...1.3.0]
267
+
268
+
269
+ 1.2.0 (July 16, 2010)
270
+
271
+ * Load nested parent resources on collection actions such as "index" (thanks dohzya)
272
+
273
+ * Adding :name option to load_and_authorize_resource if it does not match controller - see issue #65
274
+
275
+ * Fixing issue when using accessible_by with nil can conditions (thanks jrallison) - see issue #66
276
+
277
+ * Pluralize table name for belongs_to associations in can conditions hash (thanks logandk) - see issue #62
278
+
279
+ * Support has_many association or arrays in can conditions hash
280
+
281
+ * Adding joins clause to accessible_by when conditions are across associations
282
+
283
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.1.1...1.2.0]
284
+
285
+
286
+ 1.1.1 (April 17, 2010)
287
+
288
+ * Fixing behavior in Rails 3 by properly initializing ResourceAuthorization
289
+
290
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.1...1.1.1]
291
+
292
+
293
+ 1.1.0 (April 17, 2010)
294
+
295
+ * Supporting arrays, ranges, and nested hashes in ability conditions
296
+
297
+ * Removing "unauthorized!" method in favor of "authorize!" in controllers
298
+
299
+ * Adding action, subject and default_message abilities to AccessDenied exception - see issue #40
300
+
301
+ * Adding caching to current_ability controller method, if you're overriding this be sure to add caching too.
302
+
303
+ * Adding "accessible_by" method to Active Record for fetching records matching a specific ability
304
+
305
+ * Adding conditions behavior to Ability#can and fetch with Ability#conditions - see issue #53
306
+
307
+ * Renaming :class option to :resource for load_and_authorize_resource which now supports a symbol for non models - see issue #45
308
+
309
+ * Properly handle Admin::AbilitiesController in params[:controller] - see issue #46
310
+
311
+ * Adding be_able_to RSpec matcher (thanks dchelimsky), requires Ruby 1.8.7 or higher - see issue #54
312
+
313
+ * Support additional arguments to can? which get passed to the block - see issue #48
314
+
315
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.0.2...1.1]
316
+
317
+
318
+ 1.0.2 (Dec 30, 2009)
319
+
320
+ * Adding clear_aliased_actions to Ability which removes previously defined actions including defaults - see issue #20
321
+
322
+ * Append aliased actions (don't overwrite them) - see issue #20
323
+
324
+ * Adding custom message argument to unauthorized! method (thanks tjwallace) - see issue #18
325
+
326
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.0.1...1.0.2]
327
+
328
+
329
+ 1.0.1 (Dec 14, 2009)
330
+
331
+ * Adding :class option to load_resource so one can customize which class to use for the model - see issue #17
332
+
333
+ * Don't fetch parent of nested resource if *_id parameter is missing so it works with shallow nested routes - see issue #14
334
+
335
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/1.0.0...1.0.1]
336
+
337
+
338
+ 1.0.0 (Dec 13, 2009)
339
+
340
+ * Don't set resource instance variable if it has been set already - see issue #13
341
+
342
+ * Allowing :nested option to accept an array for deep nesting
343
+
344
+ * Adding :nested option to load resource method - see issue #10
345
+
346
+ * Pass :only and :except options to before filters for load/authorize resource methods.
347
+
348
+ * Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed.
349
+
350
+ * BACKWARDS INCOMPATIBLE: turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments.
351
+
352
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/0.2.1...1.0.0]
353
+
354
+
355
+ 0.2.1 (Nov 26, 2009)
356
+
357
+ * many internal refactorings - see issues #11 and #12
358
+
359
+ * adding "cannot" method to define which abilities cannot be done - see issue #7
360
+
361
+ * support custom objects (usually symbols) in can definition - see issue #8
362
+
363
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/0.2.0...0.2.1]
364
+
365
+
366
+ 0.2.0 (Nov 17, 2009)
367
+
368
+ * fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3
369
+
370
+ * support arrays being passed to "can" to specify multiple actions or classes - see issue #2
371
+
372
+ * adding "cannot?" method to ability, controller, and view which is inverse of "can?" - see issue #1
373
+
374
+ * BACKWARDS INCOMPATIBLE: use Ability#initialize instead of 'prepare' to set up abilities - see issue #4
375
+
376
+ * {see the full list of changes}[https://github.com/ryanb/cancan/compare/0.1.0...0.2.0]
377
+
378
+
379
+ 0.1.0 (Nov 16, 2009)
380
+
381
+ * initial release
data/Gemfile ADDED
@@ -0,0 +1,3 @@
1
+ source "http://rubygems.org"
2
+
3
+ gemspec
data/LICENSE ADDED
@@ -0,0 +1,20 @@
1
+ Copyright (c) 2011 Ryan Bates
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,108 @@
1
+ = CanCan {<img src="https://secure.travis-ci.org/ryanb/cancan.png" />}[http://travis-ci.org/ryanb/cancan]
2
+
3
+ This is the branch for CanCan 2.0 which is in very early development. For a stable release please check out the {master branch}[https://github.com/ryanb/cancan]
4
+
5
+ Here are some instructions for setting up CanCan 2.0. Try this out and provide feedback in the {issue tracker}[https://github.com/ryanb/cancan/issues].
6
+
7
+
8
+ == Setup
9
+
10
+ CanCan expects your controllers to have a +current_user+ method. Add some authentication for this (such as Devise[https://github.com/plataformatec/devise], Authlogic[https://github.com/binarylogic/authlogic] or {nifty:authentication}[https://github.com/ryanb/nifty-generators]). See {Changing Defaults}[https://github.com/ryanb/cancan/wiki/Changing-Defaults] to customize this behavior.
11
+
12
+ To install CanCan, add it to your Gemfile and run the `bundle` command.
13
+
14
+ gem "cancan", :git => "git://github.com/ryanb/cancan.git", :branch => "2.0"
15
+
16
+ Next generate an Ability class, this is where your permissions will be defined.
17
+
18
+ rails g cancan:ability
19
+
20
+ Add authorization by calling {enable_authorization}[https://github.com/ryanb/cancan/wiki/enable_authorization] in your ApplicationController.
21
+
22
+ class ApplicationController < ActionController::Base
23
+ enable_authorization
24
+ end
25
+
26
+ This will add an authorization check locking down every controller action. If you try visiting a page, a <tt>CanCan::Unauthorized</tt> exception will be raised since you have not granted the user ability to access it.
27
+
28
+
29
+ == Defining Abilities
30
+
31
+ You grant access to controller actions through the +Ability+ class which was generated above. The +current_user+ is passed in allowing you to define permissions based on user attributes. For example:
32
+
33
+ if user
34
+ can :access, :all
35
+ else
36
+ can :access, :home
37
+ can :create, [:users, :sessions]
38
+ end
39
+
40
+ Here if there is a user he will be able to perform any action on any controller. If someone is not logged in he can only access the home, users, and sessions controllers.
41
+
42
+ The first argument to +can+ is the action the user can perform. The second argument is the controller name they can perform that action on. You can pass <tt>:access</tt> and <tt>:all</tt> to represent any action and controller respectively.
43
+
44
+ As shown above, pass an array to either of these will grant permission on each item in the array. It isn't necessary to pass the +new+ action here because CanCan includes some default aliases. See the {Aliases}[https://github.com/ryanb/cancan/wiki/Aliases] page for details.
45
+
46
+ You can check permissions in any controller or view using the <tt>can?</tt> method.
47
+
48
+ <% if can? :create, :comments %>
49
+ <%= link_to "New Comment", new_comment_path %>
50
+ <% end %>
51
+
52
+ Here the link will only show up the user can create comments.
53
+
54
+
55
+ == Resource Conditions
56
+
57
+ What if you need to change authorization based on a model's attributes? You can do so by passing a hash of conditions as the last argument to +can+. For example, if you want to only allow one to access projects which he owns you can set the <tt>:user_id</tt>.
58
+
59
+ can :access, :projects, :user_id => user.id
60
+
61
+ A block can also be used for complex condition checks just like in CanCan 1, but here it is not necessary.
62
+
63
+ If you try visiting any of the project pages at this point you will see a <tt>CanCan::InsufficientAuthorizationCheck</tt> exception is raised. This is because the default authorization has no way to check permissions on the <tt>@project</tt> instance. You can check permissions on an object manually using the <tt>authorize!</tt> method.
64
+
65
+ def edit
66
+ @project = Project.find(params[:id])
67
+ authorize! :edit, @project
68
+ end
69
+
70
+ However this can get tedious. Instead CanCan provides a +load_and_authorize_resource+ method to load the <tt>@project</tt> instance in every controller action and authorize it.
71
+
72
+ class ProjectsController < ApplicationController
73
+ load_and_authorize_resource
74
+ def edit
75
+ # @project already loaded here and authorized
76
+ end
77
+ end
78
+
79
+ The +index+ (and other collection actions) will load the <tt>@projects</tt> instance which automatically limits the projects the user is allowed to access. This is a scope so you can make further calls to +where+ to limit what is returned from the database.
80
+
81
+ def index
82
+ @projects = @projects.where(:hidden => false)
83
+ end
84
+
85
+ You can check permissions on instances using the <tt>can?</tt> method.
86
+
87
+ <%= link_to "Edit Project", edit_project_path if can? :update, @project %>
88
+
89
+ Here it will only show the edit link if the +user_id+ matches.
90
+
91
+
92
+ == Resource Attributes
93
+
94
+ In CanCan 2.0 it is possible to define permissions on specific resource attributes. For example, if you want to allow a user to only update the name and priority of a project, pass that as the third argument to +can+.
95
+
96
+ can :update, :projects, [:name, :priority]
97
+
98
+ If you use this in combination with +load_and_authorize_resource+ it will ensure that only those two attributes exist in <tt>params[:project]</tt> when updating the project. If you do this everywhere it will not be necessary to use +attr_accessible+ in your models.
99
+
100
+ You can combine this with a hash of conditions. For example, here the user can update all attributes except the price when the product is discontinued.
101
+
102
+ can :update, :products
103
+ cannot :update, :products, :price, :discontinued => true
104
+
105
+ You can check permissions on specific attributes to determine what to show in the form.
106
+
107
+ <%= f.text_field :name if can? :update, @project, :name %>
108
+