
Set no_attribute_check on additional_collection with strong_parameters #25

Open
wants to merge 5 commits into
base: master
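--- a/gemfiles/ruby_2.6.6_rails5.2.6_grape1.3.0.gemfile
+++ b/gemfiles/ruby_2.6.6_rails5.2.6_grape1.3.0.gemfile
@@ -0,0 +1,13 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal", "~> 2.1"
+gem "mocha", "~> 1.0", require: false
+gem "sprockets", "< 4"
+gem "rails-controller-testing"
+gem "rails", "5.2.6"
+gem "grape", "1.3.0"
+gem "sqlite3", "~> 1.3.0"
+
+gemspec path: "../"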
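--- a/gemfiles/ruby_2.7.2_rails6.0.2.1_grape1.3.0.gemfile
+++ b/gemfiles/ruby_2.7.2_rails6.0.2.1_grape1.3.0.gemfile
@@ -0,0 +1,13 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal", "~> 2.1"
+gem "mocha", "~> 1.0", require: false
+gem "sprockets", "< 4"
+gem "rails-controller-testing"
+gem "rails", "6.0.2.1"
+gem "grape", "1.3.0"
+gem "sqlite3", "~> 1.4"
+
+gemspec path: "../"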
2 changes: 1 addition & 1 deletion lib/declarative_authorization/controller/rails.rb
Expand Up @@ -200,7 +200,7 @@ def filter_resource_access(options = {})
collections = actions_from_option(options[:collection]).merge(
actions_from_option(options[:additional_collection]))

no_attribute_check_actions = options[:strong_parameters] ? actions_from_option(options[:collection]).merge(actions_from_option([:create])) : collections
no_attribute_check_actions = options[:strong_parameters] ? collections.merge(actions_from_option([:create])) : collections

options[:no_attribute_check] ||= no_attribute_check_actions.keys unless options[:nested_in]

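Review bot: The rewritten `no_attribute_check_actions` assignment now exempts every `additional_collection` action from `if_attribute` conditions whenever `:strong_parameters` is set, and the hunk leaves that loosening of the check unexplained in the code. A why-comment above the line would make the intent reviewable, e.g. `# strong_parameters: attributes are not assigned before the filter runs, so attribute conditions on collection and create actions cannot be evaluated and are skipped` (that reasoning is inferred from the test comment in this PR about mocked strong_parameters never setting parameters; confirm it matches the real behaviour). Because this widens what is authorized without an attribute check, the README text for `:strong_parameters` should also state that `additional_collection` actions are included in the exemption. As a point of style, the single-line ternary is long; `no_attribute_check_actions = collections` followed by `no_attribute_check_actions = collections.merge(actions_from_option([:create])) if options[:strong_parameters]` reads more clearly. `filter_resource_access` begins and ends outside this hunk.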
84 changes: 84 additions & 0 deletions test/controller_filter_resource_access_test.rb
Expand Up @@ -441,6 +441,90 @@ def test_additional_members_filter_other_new
end
end

class AdditionalMembersCollectionsStrongParamsController < MocksController
def self.controller_name
"basic_resources"
end
filter_resource_access :additional_member => :other_show,
:additional_collection => [:search], :additional_new => {:other_new => :new}, :strong_parameters => true
define_resource_actions
define_action_methods :other_new, :search, :other_show
end
class AdditionalMembersCollectionsStrongParamsControllerTest < ActionController::TestCase
def test_additional_members_filter_search_index
reader = Authorization::Reader::DSLReader.new
reader.parse %{
authorization do
role :allowed_role do
has_permission_on :basic_resources, :to => [:search, :index] do
if_attribute :id => is {"1"}
end
end
end
}

request!(MockUser.new(:another_role), :search, reader)
assert [email protected]?
request!(MockUser.new(:another_role), :index, reader)
assert [email protected]?
request!(MockUser.new(:allowed_role), :search, reader)
assert @controller.authorized?
request!(MockUser.new(:allowed_role), :index, reader)
assert @controller.authorized?
end

def test_additional_members_filter_other_show
reader = Authorization::Reader::DSLReader.new
reader.parse %{
authorization do
role :allowed_role do
has_permission_on :basic_resources, :to => [:show, :other_show] do
if_attribute :id => is {"1"}
end
end
end
}

allowed_user = MockUser.new(:allowed_role)
request!(allowed_user, :other_show, reader, :id => "2")
assert [email protected]?
request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource])
assert [email protected]?
request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
assert @controller.authorized?
request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
assert @controller.authorized?
end

def test_additional_members_filter_other_new
reader = Authorization::Reader::DSLReader.new
reader.parse %{
authorization do
role :allowed_role do
has_permission_on :basic_resources, :to => :new do
if_attribute :id => is {"1"}
end
end
end
}

allowed_user = MockUser.new(:allowed_role)
request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
assert [email protected]?
request!(allowed_user, :new, reader, :basic_resource => {:id => "2"},
:clear => [:@basic_resource])
assert [email protected]?

# strong_parameters (as mocked) never set parameters on new object, so attribute condition is never met
request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
:clear => [:@basic_resource])
assert [email protected]?
request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
clear: [:@basic_resource])
assert [email protected]?
end
end


class CustomMethodsResourceController < MocksController
# not implemented yet
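Review bot: In `test_additional_members_filter_search_index` the `allowed_role` requests for `:search` and `:index` are asserted authorized even though the rule carries `if_attribute :id => is {"1"}` and no id is supplied, and nothing in the test explains that this is expected because `:strong_parameters => true` puts collection actions on the no-attribute-check list. A comment before those two requests, such as `# with strong_parameters, collection actions skip attribute checks, so the if_attribute condition is never evaluated`, would mirror the explanation already given in `test_additional_members_filter_other_new` and stop a reader from treating the passing assertion as a bug. The hash syntax is mixed in the last test (`:clear => [...]` on every request except the final one, which uses `clear: [...]`), and there is a doubled blank line before `CustomMethodsResourceController`. The two `end` lines at the top of the hunk close a class that starts outside it, and `CustomMethodsResourceController` continues past the hunk.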