Module: CanCanCan::AbstractResourceController

Extended by:
ActiveSupport::Concern
Defined in:
lib/cancancan/version.rb,
lib/cancancan/configuration.rb,
lib/cancancan_resource_controller.rb,
lib/cancancan/abstract_resource_controller.rb

Defined Under Namespace

Classes: Configuration

Constant Summary

# Gem version string for cancancan_resource_controller.
VERSION = '1.0.2'
# Upper bound on how deep nested association data is followed. It exists to
# stop unbounded recursion on associations, whether the input is merely a very
# deeply nested structure or a self-referencing one. Where the depth counter
# is enforced is not visible on this page.
MAX_ASSOCIATIVE_NESTED_DEPTH = 60
# Containment test for something shaped like an HTML tag: `<name>` or `</name>`
# where `name` is one or more word characters other than `_`. It is
# unanchored, so `=~` / `match?` report "a tag appears somewhere"; the `.*` on
# either side is redundant for that use, and the leading `.*` means every
# failed start position backtracks over the rest of the input (worst case
# quadratic on long text with a `<` but no closing `>`).
# Note `\<` / `\>` are literal angle brackets in Ruby regexps, not word
# boundaries. A name containing `_` (such as the allowed tag `text_area`) can
# never match this pattern.
REGEX_FOR_HTML_TAG_DETECTION = /.*\<\/?[^_\W]+\>.*/
# Tags the parameter sanitizer accepts inside HTML-friendly text fields.
# Deployments can append names through the comma-separated env var
# DEFAULT_PARAMETER_SANITIZER_ALLOWED_TAGS (i.e.: label,span,text_area);
# entries are stripped of surrounding whitespace, and an unset variable adds
# nothing. There is probably a better way to do this; if there is, it is
# poorly documented.
#
# The env var is trusted configuration: adding a tag that carries active
# content (script, iframe, form, object, ...) removes the sanitizer's
# protection for that tag, so keep it to presentational elements.
# NOTE(review): `text_area` is kept as written; the HTML element is spelled
# `textarea`, and REGEX_FOR_HTML_TAG_DETECTION cannot match a name with `_` —
# confirm which spelling the sanitizer actually expects.
DEFAULT_PARAMETER_SANITIZER_ALLOWED_TAGS = (
  %w[p div span body b strong br center font label pre tr td table text_area
     ul li footer em ol i select option] +
  ENV.fetch('DEFAULT_PARAMETER_SANITIZER_ALLOWED_TAGS', '').split(',').map(&:strip)
).freeze
# Attributes the sanitizer keeps on allowed tags: only those that belong in
# HTML-friendly text blocks — deliberately NO href, so the permitted markup
# cannot carry links. Deployments can append names through the comma-separated
# env var DEFAULT_PARAMETER_SANITIZER_ALLOWED_ATTRIBS (i.e.: ng-show,ng-hide,
# data-id); entries are whitespace-stripped and an unset variable adds nothing.
#
# That env var is trusted configuration: adding URL-carrying (href, src) or
# event-handler attributes would undo the restriction this list is meant to
# enforce. NOTE(review): `style`, `id` and `class` are retained — inline CSS
# and arbitrary ids/classes can still affect page layout and DOM lookups;
# confirm that is acceptable for where this text is rendered.
DEFAULT_PARAMETER_SANITIZER_ALLOWED_ATTRIBS = (
  %w[style id class type value] +
  ENV.fetch('DEFAULT_PARAMETER_SANITIZER_ALLOWED_ATTRIBS', '').split(',').map(&:strip)
).freeze


Class Attribute Details

.configuration ⇒ Object

Returns the value of attribute configuration.



# File 'lib/cancancan_resource_controller.rb', line 12

# Module-level reader for the configuration object.
# NOTE(review): the doc tool renders this as a plain method; per the attribute
# heading it is most likely an attr_accessor. It holds whatever `reset` last
# assigned, so until `reset` has run `configure` may yield nil — confirm how
# the initial value is set.
def configuration
  @configuration
end

Class Method Details

.configure {|configuration| ... } ⇒ Object

Yields:



# File 'lib/cancancan_resource_controller.rb', line 23

# Block-style setup hook:
#   CanCanCan::AbstractResourceController.configure { |config| ... }
# Yields the current configuration object for in-place mutation; the block's
# value is what the call returns.
def self.configure
  yield configuration
end

.reset ⇒ Object



# File 'lib/cancancan_resource_controller.rb', line 19

# Replaces the current configuration with a fresh Configuration instance,
# discarding anything applied through `configure`. Configuration's defaults
# are not visible on this page.
def self.reset
  @configuration = Configuration.new
end

Instance Method Details

#create ⇒ Object



# File 'lib/cancancan/abstract_resource_controller.rb', line 128

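# POST create: builds a new @resource_class record (a subclass may pre-set
# @resource; the `||=` keeps it), hands the cleaned params to
# CanCanCan::AssignmentAndAuthorization for assignment + authorization + save,
# and renders the result.
#
# Authorization: `authorize! :create` is checked against the class here. Any
# per-attribute or per-record check happens inside the service, which receives
# current_ability — that code is not on this page, so confirm it there.
# Input: the full `params` object goes through clean_parameter_data first.
#
# Responds with respond_with_resource on success, respond_with_resource_invalid
# when the service reports failure, and respond_with_resource_error if building
# the invalid response itself raises.
def create
  authorize! :create, @resource_class
  @resource ||= @resource_class.new

  service = CanCanCan::AssignmentAndAuthorization.new(
    current_ability,
    action_name,
    @resource,
    clean_parameter_data(params)
  )

  return respond_with_resource if service.call

  begin
    Rails.logger.warn "Failed object validations: could not create #{@resource_class}, id: #{@resource.id}: #{@resource.errors.full_messages}"
    respond_with_resource_invalid
  rescue StandardError => e
    # StandardError rather than Exception: rescuing Exception would also
    # swallow SystemExit / SignalException / NoMemoryError into a 500 response.
    Rails.logger.error "CanCanCanResourceController - Caught Internal Server Error: #{e.class}: #{e.message}"
    Rails.logger.error Rails.backtrace_cleaner.clean(e.backtrace).join("\n")
    respond_with_resource_error
  end
end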

#destroy ⇒ Object



# File 'lib/cancancan/abstract_resource_controller.rb', line 177

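# DELETE destroy: loads the record (unless a subclass pre-set @resource),
# authorizes :destroy on both the class and the instance, then destroys it.
# The instance-level `authorize!` is what enforces record-scoped rules; the
# class-level call alone passes whenever some rule could permit the action.
#
# Responds with respond_after_destroy on success — the resource is returned in
# its pre-destroyed state — with respond_with_resource_invalid when destroy
# reports failure (for example a callback halting it), and with
# respond_with_resource_error if building the invalid response itself raises.
def destroy
  authorize! :destroy, @resource_class
  @resource ||= @resource_class.find(params[:id])
  authorize! :destroy, @resource

  # Returning the resource in a pre-destroyed state as the destroy response.
  return respond_after_destroy if @resource.destroy

  begin
    Rails.logger.warn "Failed object validations: could not destroy #{@resource_class}, id: #{@resource.id}: #{@resource.errors.full_messages}"
    respond_with_resource_invalid
  rescue StandardError => e
    # StandardError rather than Exception: rescuing Exception would also
    # swallow SystemExit / SignalException / NoMemoryError into a 500 response.
    Rails.logger.error "CanCanCanResourceController - Caught Internal Server Error: #{e.class}: #{e.message}"
    Rails.logger.error Rails.backtrace_cleaner.clean(e.backtrace).join("\n")
    respond_with_resource_error
  end
end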

#edit ⇒ Object



# File 'lib/cancancan/abstract_resource_controller.rb', line 120

# GET edit: authorizes :update on the class, loads the record (a subclass may
# have assigned @resource already; that value is kept), then authorizes
# :update on that specific instance before rendering. The second check is the
# one that enforces record-scoped ability rules.
def edit
  authorize! :update, @resource_class
  @resource = @resource_class.find(params[:id]) unless @resource
  authorize! :update, @resource
  respond_with_resource
end

#index ⇒ Object



# File 'lib/cancancan/abstract_resource_controller.rb', line 68

# GET index: authorizes :index on the class, narrows the collection to what
# current_ability may access via accessible_by, lets the index_resource_query
# hook refine it (a subclass extension point; its contract is not visible
# here), and renders. A subclass may seed @resources with a scoped relation;
# otherwise the class itself is the starting relation.
def index
  authorize! :index, @resource_class
  @resources ||= @resource_class

  begin
    @resources = @resources.accessible_by(current_ability)
  rescue CanCan::Error
    # accessible_by cannot translate block-style `can` definitions into a
    # query, so the permission filter cannot run. Log it and re-raise rather
    # than fall through to an unfiltered listing.
    Rails.logger.error "Error: resource class, #{@resource_class.name}, is using CanCan block definitions, not SQL permissions. Unable to run index permission filter"
    raise
  end

  @resources = index_resource_query(@resources)
  respond_with_resources
end

#new ⇒ Object



# File 'lib/cancancan/abstract_resource_controller.rb', line 95

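# GET new: builds an unsaved @resource_class record (a subclass may pre-set
# @resource; the `||=` keeps it) and runs it through
# CanCanCan::AssignmentAndAuthorization with the cleaned params so the form can
# be pre-populated under the same assignment/authorization rules as create.
#
# Authorization: `authorize! :create` is checked against the class here; any
# per-attribute or per-record check is the service's job (it receives
# current_ability) and is not visible on this page.
#
# Responds with respond_with_resource on success, respond_with_resource_invalid
# when the service reports failure, and respond_with_resource_error if building
# the invalid response itself raises.
def new
  authorize! :create, @resource_class
  @resource ||= @resource_class.new

  service = CanCanCan::AssignmentAndAuthorization.new(
    current_ability,
    action_name,
    @resource,
    clean_parameter_data(params)
  )

  return respond_with_resource if service.call

  begin
    Rails.logger.warn "Failed object validations: could not new #{@resource_class}: #{@resource.errors.full_messages}"
    respond_with_resource_invalid
  rescue StandardError => e
    # StandardError rather than Exception: rescuing Exception would also
    # swallow SystemExit / SignalException / NoMemoryError into a 500 response.
    Rails.logger.error "CanCanCanResourceController - Caught Internal Server Error: #{e.class}: #{e.message}"
    Rails.logger.error Rails.backtrace_cleaner.clean(e.backtrace).join("\n")
    respond_with_resource_error
  end
end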

#show ⇒ Object



# File 'lib/cancancan/abstract_resource_controller.rb', line 86

# GET show: authorizes :show on the class, loads the record, then authorizes
# :show on that specific instance before rendering. A subclass controller may
# assign @resource beforehand; that value is honoured instead of the lookup.
def show
  authorize! :show, @resource_class
  @resource = @resource_class.find(params[:id]) unless @resource
  authorize! :show, @resource
  respond_with_resource
end

#update ⇒ Object



# File 'lib/cancancan/abstract_resource_controller.rb', line 153

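# PUT/PATCH update: loads the record (unless a subclass pre-set @resource),
# authorizes :update on the class and on the instance, then hands the cleaned
# params to CanCanCan::AssignmentAndAuthorization for assignment + save.
#
# The instance-level `authorize!` mirrors edit, show and destroy. A class-level
# check alone passes whenever some rule could permit :update, so a record that
# a record-scoped rule does not cover could otherwise be updated unless the
# service re-checks it (its code is not on this page). It raises
# CanCan::AccessDenied exactly as the class-level call already can.
#
# Responds with respond_with_resource on success and respond_with_resource_invalid
# when the service reports failure — previously respond_with_resource_error,
# which made a validation failure indistinguishable from an internal error and
# matched neither the warn message nor create/destroy. respond_with_resource_error
# is reserved for the case where building the invalid response itself raises.
def update
  authorize! :update, @resource_class
  @resource ||= @resource_class.find(params[:id])
  authorize! :update, @resource

  service = CanCanCan::AssignmentAndAuthorization.new(
    current_ability,
    action_name,
    @resource,
    clean_parameter_data(params)
  )

  return respond_with_resource if service.call

  begin
    Rails.logger.warn "Failed object validations: could not update #{@resource_class}, id: #{@resource.id}: #{@resource.errors.full_messages}"
    respond_with_resource_invalid
  rescue StandardError => e
    # StandardError rather than Exception: rescuing Exception would also
    # swallow SystemExit / SignalException / NoMemoryError into a 500 response.
    Rails.logger.error "CanCanCanResourceController - Caught Internal Server Error: #{e.class}: #{e.message}"
    Rails.logger.error Rails.backtrace_cleaner.clean(e.backtrace).join("\n")
    respond_with_resource_error
  end
end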