raygun 0.0.15 → 0.0.16

data/CHANGES.md

@@ -1,5 +1,9 @@
 # Change Log
 
+## 0.0.16 [2013-01-04]
+
+* Improved authorization rules so that users can't delete themselves and non-admin can't access users controller :new.
+
 ## 0.0.15 [2012-12-26]
 
 * Handle cases where raygun is given a name with dashes (e.g wonder-pets).

data/app_prototype/app/controllers/registrations_controller.rb

@@ -17,7 +17,7 @@ class RegistrationsController < ApplicationController
   end
 
   def activate
-    if @user = User.load_from_activation_token(params[:token])
+    if (@user = User.load_from_activation_token(params[:token]))
       @user.activate!
       auto_login @user
       redirect_to sign_in_path, notice: "Your account has been activated and you're now signed in. Enjoy!"

data/app_prototype/app/models/ability.rb

@@ -5,11 +5,15 @@ class Ability
     user ||= User.new # guest user (not logged in)
 
     if user.admin?
-      can :manage, User
+      can :manage, :all
     else
-      can :manage, User, id: user.id
+      can [:read, :update], User, id: user.id
     end
 
+    # No one can destroy themselves.
+    cannot :destroy, User, id: user.id
+
+
     # Define abilities for the passed in user here. For example:
     #
     #   user ||= User.new # guest user (not logged in)

data/app_prototype/spec/controllers/users_controller_spec.rb

@@ -60,7 +60,7 @@ describe UsersController do
       end
 
       it "assigns a newly created user as @user" do
-        post :create, {user: valid_attributes }, valid_session
+        post :create, { user: valid_attributes }, valid_session
         expect(assigns(:user)).to be_a(User)
         expect(assigns(:user)).to be_persisted
       end

data/app_prototype/spec/models/ability_spec.rb

@@ -2,33 +2,35 @@ require 'spec_helper'
 require 'cancan/matchers'
 
 describe "User" do
+  subject { ability }
+  let(:ability) { Ability.new(user) }
+  let(:other) { build(:user) { |u| u.id = 2 } }
+
   context "when working with User" do
     context "as a non-admin" do
       let(:user) { build(:user) { |u| u.id = 1 } }
-      subject { Ability.new(user) }
 
       context "operating on themselves" do
-        it { should be_able_to(:manage, user) }
+        it { should     be_able_to(:read, user) }
+        it { should     be_able_to(:update, user) }
+        it { should_not be_able_to(:destroy, user) }
       end
 
       context "operating on someone else" do
-        let(:other) { build(:user) { |u| u.id = 2 } }
-
         it { should_not be_able_to(:manage, other) }
+        it { should_not be_able_to(:create, User) }
       end
     end
 
     context "as an admin" do
       let(:user) { build(:admin) { |u| u.id = 1 } }
-      subject { Ability.new(user) }
 
       context "operating on themselves" do
-        it { should be_able_to(:manage, user) }
+        it { should     be_able_to(:manage, user) }
+        it { should_not be_able_to(:destroy, user) }
       end
 
       context "operating on someone else" do
-        let(:other) { build(:user) { |u| u.id = 2 } }
-
         it { should be_able_to(:manage, other) }
       end
     end

data/lib/raygun/version.rb

@@ -1,3 +1,3 @@
 module Raygun
-  VERSION = "0.0.15"
+  VERSION = "0.0.16"
 end

data/raygun.gemspec

@@ -14,7 +14,7 @@ Gem::Specification.new do |gem|
   gem.homepage      = "https://github.com/carbonfive/raygun"
 
   gem.files         = `git ls-files`.split($/)
-  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: raygun
 version: !ruby/object:Gem::Version
-  version: 0.0.15
+  version: 0.0.16
   prerelease: 
 platform: ruby
 authors:
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-12-27 00:00:00.000000000 Z
+date: 2013-01-04 00:00:00.000000000 Z
 dependencies: []
 description: Carbon Five Rails application generator
 email: