Rails 4.2 + RSpec 3.2 - Railscast #386-authorization-from-scratch-part-2
# app/controllers/application_controller.rb
# What's changed since Railscast 386?
# Renamed some methods
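class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception
  include SessionsHelper

  # Authorize every action against the current user's permission object
  # before it runs. `before_action` is the Rails 4 name for this callback;
  # `before_filter` is the legacy alias that is deprecated in later versions.
  before_action :check_authorization

  # Expose the permission predicates to controller code and views alike.
  delegate :allow_action?, :allow_param?, to: :current_permission
  helper_method :allow_action?, :allow_param?

  private

  # Permission object for the current user, memoized on the controller
  # instance. Permissions.permission_for (defined elsewhere) selects the
  # role-specific subclass.
  def current_permission
    @current_permission ||= Permissions.permission_for(current_user)
  end

  # Resource handed to block-based rules (see BasePermission#allow_action?).
  # It is nil by default, so a conditional rule can never pass until a
  # controller overrides this to return the record it is acting on.
  def current_resource
    nil
  end

  # Deny-by-default gate: when the action is allowed, narrow params to the
  # attributes this role may assign; otherwise bounce to the root page.
  def check_authorization
    if current_permission.allow_action?(params[:controller], params[:action], current_resource)
      current_permission.permit_params!(params)
    else
      redirect_to root_url, alert: "Not authorized."
    end
  end
end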
# app/models/permissions/base_permission.rb
# What's changed since Railscast 386?
# Renamed some methods
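module Permissions
  # Base class for per-role permission objects. Subclasses describe what a
  # role may do by calling allow_all, allow_action and allow_param; the
  # predicates below and permit_params! then answer the controller's
  # questions. Everything is deny-by-default: an empty permission allows
  # nothing, and the predicates always return a strict boolean.
  class BasePermission
    # Whether +action+ on +controller+ is permitted, optionally for +resource+.
    #
    # Controller and action names are compared as strings, so symbols and
    # strings mix freely. A rule registered with a block is only satisfied
    # when a non-nil resource is given and the block returns truthy for it;
    # without a resource such a rule denies.
    def allow_action?(controller, action, resource = nil)
      return true if @allow_all

      # Guard the table lookup: a permission that never called allow_action
      # has no table yet and must deny rather than raise on nil.
      rule = @allowed_actions && @allowed_actions[[controller.to_s, action.to_s]]
      return false unless rule
      return true if rule == true

      !!(resource && rule.call(resource))
    end

    # Grants every action and every parameter. permit_params! will then call
    # params.permit!, i.e. mass assignment is fully open for this role, so
    # reserve it for fully trusted roles.
    def allow_all
      @allow_all = true
    end

    # Registers +actions+ on +controllers+ (each a single name or a list of
    # names) as allowed. With a block the rule is conditional: the block
    # receives the current resource and decides per object.
    def allow_action(controllers, actions, &block)
      @allowed_actions ||= {}
      rule = block || true
      Array(controllers).each do |controller|
        Array(actions).each do |action|
          @allowed_actions[[controller.to_s, action.to_s]] = rule
        end
      end
    end

    # Whitelists +attributes+ of each resource key in +resources+ for mass
    # assignment. Repeated calls accumulate; duplicates are dropped.
    def allow_param(resources, attributes)
      @allowed_params ||= {}
      Array(resources).each do |resource|
        @allowed_params[resource] ||= []
        @allowed_params[resource] |= Array(attributes)
      end
    end

    # Whether +attribute+ of +resource+ may be assigned. The resource key is
    # looked up exactly as it was registered with allow_param.
    def allow_param?(resource, attribute)
      return true if @allow_all
      return false unless @allowed_params && @allowed_params[resource]

      @allowed_params[resource].include?(attribute)
    end

    # Narrows +params+ in place to what this permission allows, so that any
    # later mass assignment only sees whitelisted attributes.
    # With allow_all every key is permitted; otherwise each registered
    # resource key that responds to #permit is replaced by its permitted
    # subset. Keys that are absent or not parameter objects are left as-is.
    def permit_params!(params)
      if @allow_all
        params.permit!
      elsif @allowed_params
        @allowed_params.each do |resource, attributes|
          scoped = params[resource]
          next unless scoped.respond_to?(:permit)

          params[resource] = scoped.permit(*attributes)
        end
      end
    end
  end
end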
# spec/support/custom_matchers.rb
# What's changed since Railscast 386?
# Using RSpec's 'new' expect syntax
# Renamed allow to allow_action
# Passes when +permission+ answers allow_action?(controller, action[, resource])
# with exactly true; any other value (nil, false, a truthy object) fails.
RSpec::Matchers.define :allow_action do |*args|
  match { |permission| permission.allow_action?(*args) == true }
end
# Passes when +permission+ answers allow_param?(resource, attribute) with
# exactly true; nil/false (the deny cases) fail the matcher.
RSpec::Matchers.define :allow_param do |*args|
  match { |permission| permission.allow_param?(*args) == true }
end
# spec/permissions/super_admin_permissions_spec.rb
# What's changed since Railscast 386?
# Using RSpec's 'new' expect syntax
# Renamed allow to allow_action
# The before block is specific to my implementation, you may not need it!
require "rails_helper"
RSpec.describe Permissions::SuperAdminPermission do
  let!(:user) { FactoryGirl.create(:user) }
  subject(:permission) { Permissions.permission_for(user) }

  # Promote the factory user to an activated superadmin before each example
  # so permission_for hands back the SuperAdminPermission.
  before do
    user.activate
    user.set_role!("superadmin")
  end

  it "allows anything" do
    expect(permission).to allow_action(:any, :thing)
    expect(permission).to allow_param(:any, :thing)
  end
end
@tennantje tennantje commented May 6, 2015

I've created this gist to make Railscast #386 easier to follow in the current environment: Rails 4.2 / RSpec 3.2
