Module: LoadAndAuthorizeResource::ClassMethods
Defined in: lib/load_and_authorize_resource.rb
Instance Method Summary
- #authorize_parent(*names) ⇒ Object
  Macro sets a before filter to authorize the parent resource.
- #authorize_resource(options = {}) ⇒ Object
  Checks authorization on the already-loaded resource.
- #load_and_authorize_parent(*names) ⇒ Object
  A convenience method for calling both `load_parent` and `authorize_parent`.
- #load_and_authorize_resource(options = {}) ⇒ Object
  A convenience method for calling both `load_resource` and `authorize_resource`.
- #load_parent(*names) ⇒ Object
  Macro sets a before filter to load the parent resource.
- #load_resource(options = {}) ⇒ Object
  Load the resource and set to an instance variable.
- #resource_accessor_name ⇒ Object
  Returns the name of the resource, in plural form, e.g.
- #resource_name ⇒ Object
  Returns the name of the resource, in singular form, e.g.
Instance Method Details
#authorize_parent(*names) ⇒ Object
Macro sets a before filter to authorize the parent resource. Assumes the resource is already set (in a before filter).

    class NotesController < ApplicationController
      authorize_parent :group
    end

If `@group` is not found, or calling `current_user.can_read?(@group)` fails, an exception will be raised.
If the parent resource is optional, and you only want to check authorization if it is set, you can set the `:shallow` option to `true`:

    class NotesController < ApplicationController
      authorize_parent :group, shallow: true
    end

Source:

    # File 'lib/load_and_authorize_resource.rb', line 144
    def authorize_parent(*names)
      options = names.extract_options!.dup
      # A parent is required unless :shallow (or its alias :optional) is set.
      required = !(options.delete(:shallow) || options.delete(:optional))
      …(:auth, names, required)  # name of the helper called here is missing from this listing
      before_filter :authorize_parent, options
    end

#authorize_resource(options = {}) ⇒ Object
Checks authorization on the already-loaded resource.
This method calls `current_user.can_<action>?(@resource)` and raises an exception if the answer is "no".

    # File 'lib/load_and_authorize_resource.rb', line 192
    def authorize_resource(options={})
      options = options.dup
      # Without :only or :except, the filter covers these six actions.
      unless options[:only] or options[:except]
        options.reverse_merge!(only: [:show, :new, :create, :edit, :update, :destroy])
      end
      before_filter :authorize_resource, options
    end

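The check described above, modelled in plain Ruby as an added example (not the gem's code): it dispatches to `can_<action>?` and applies the same default action list as the listing, which does not include `:index`. `Note`, `User`, `AccessDenied`, `filtered?` and `outcome` are hypothetical stand-ins, and the data is constructed.

```ruby
# Added illustration in plain Ruby; not the gem's code. All names are stand-ins.
class AccessDenied < StandardError; end

# Default action list taken from the authorize_resource listing.
DEFAULT_ONLY = [:show, :new, :create, :edit, :update, :destroy].freeze

Note = Struct.new(:owner_id)

User = Struct.new(:id) do
  def can_show?(_note)
    true                  # constructed policy: anyone may read
  end

  def can_update?(note)
    note.owner_id == id   # constructed policy: only the owner may change
  end
end

# Same defaulting as the listing: no :only/:except means DEFAULT_ONLY.
def filter_options(options = {})
  options = options.dup
  options[:only] = DEFAULT_ONLY unless options[:only] || options[:except]
  options
end

# Would the before filter run for this action?
def filtered?(action, options = {})
  opts = filter_options(options)
  return Array(opts[:only]).include?(action) if opts[:only]
  !Array(opts[:except]).include?(action)
end

# Calls can_<action>?(resource) and raises when the answer is no.
def authorize_resource(user, action, resource, options = {})
  return :no_filter unless filtered?(action, options)
  raise AccessDenied, "#{action} denied" unless user.public_send("can_#{action}?", resource)
  :authorized
end

def outcome(user, action, resource, options = {})
  authorize_resource(user, action, resource, options)
rescue AccessDenied
  :denied
end
```

An action that returns `:no_filter` here, such as `index` under the defaults, gets no per-resource check from this filter, so whatever it renders has to be limited some other way.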
#load_and_authorize_parent(*names) ⇒ Object
A convenience method for calling both `load_parent` and `authorize_parent`.

    # File 'lib/load_and_authorize_resource.rb', line 152
    def load_and_authorize_parent(*names)
      load_parent(*names)
      authorize_parent(*names)
    end

#load_and_authorize_resource(options = {}) ⇒ Object
A convenience method for calling both `load_resource` and `authorize_resource`.

    # File 'lib/load_and_authorize_resource.rb', line 201
    def load_and_authorize_resource(options={})
      load_resource(options)
      authorize_resource(options)
    end

#load_parent(*names) ⇒ Object
Macro sets a before filter to load the parent resource. Pass in one symbol for each potential parent you’re nested under.
For example, if you have routes:

    resources :people do
      resources :notes
    end
    resources :groups do
      resources :notes
    end

…you can call load_parent like so in your controller:

    class NotesController < ApplicationController
      load_parent :person, :group
    end

This will attempt to do the following for each resource, in order:
- look for `params[:person_id]`
- if present, call `Person.find(params[:person_id])`
- set @person
If we’ve exhausted our list of potential parent resources without seeing the needed parameter (:person_id or :group_id), then a LoadAndAuthorizeResource::ParameterMissing error is raised.
Note: load_parent assumes you’ve only nested your route a single layer deep, e.g. /parents/1/children/2. You’re on your own if you want to load multiple nested parents, e.g. /grandfathers/1/parents/2/children/3.
If you wish to also allow shallow routes (no parent), you can set the `:shallow` option to `true`:

    class NotesController < ApplicationController
      load_parent :person, :group, shallow: true
    end

The `:shallow` option is aliased to `:optional` in cases where it makes sense to think about parent resources that way. Further, you can call the macro more than once should you want to make some optional and some not:

    class NotesController < ApplicationController
      load_parent :person, :group, optional: true
      load_parent :book
    end

Additionally, a private method is defined with the same name as the resource. The method looks basically like this (if you were to write it yourself):

    class NotesController < ApplicationController
      private
      def notes
        if @person
          @person.notes.scoped
        elsif not required(:person)
          Note.scoped
        end
      end
    end

You can change the name of this accessor if it is not the same as the resource this controller represents:

    class NotesController < ApplicationController
      load_parent :group, children: :people
    end

This will create a private method called “people” that either returns `@group.people.scoped` or `Person.scoped` (only if @group is optional).

    # File 'lib/load_and_authorize_resource.rb', line 115
    def load_parent(*names)
      options = names.extract_options!.dup
      # A parent is required unless :shallow (or its alias :optional) is set.
      required = !(options.delete(:shallow) || options.delete(:optional))
      …(:load, names, required)  # name of the helper called here is missing from this listing
      define_scope_method(names, options.delete(:children))
      before_filter :load_parent, options
    end

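The documented behaviour of `load_parent` followed by `authorize_parent`, modelled in plain Ruby as an added example (not the gem's code), to show what each combination of parameter and `:shallow` setting results in. `Group`, `User`, `GROUPS`, `AccessDenied` and `parent_check` are hypothetical stand-ins, and the data is constructed.

```ruby
# Added illustration in plain Ruby; not the gem's code. Group, User, GROUPS and
# AccessDenied are stand-ins, and the data is constructed.
class ParameterMissing < KeyError; end
class AccessDenied < StandardError; end

Group = Struct.new(:id, :member_ids)
GROUPS = { 1 => Group.new(1, [10]), 2 => Group.new(2, [20]) }.freeze

User = Struct.new(:id) do
  def can_read?(group)
    group.member_ids.include?(id)
  end
end

# Documented steps: look for params[:<name>_id], find the record, return it.
def load_parent(params, names, required:)
  names.each do |name|
    id = params[:"#{name}_id"]
    return GROUPS.fetch(id) if id
  end
  raise ParameterMissing, "expected one of: #{names.map { |n| "#{n}_id" }.join(', ')}" if required
  nil
end

# A required parent must be set and readable; an optional one is only
# checked when it was actually loaded.
def authorize_parent(user, parent, required:)
  if parent.nil?
    raise AccessDenied, 'parent not set' if required
    return :skipped
  end
  raise AccessDenied, 'cannot read parent' unless user.can_read?(parent)
  :authorized
end

# Runs both steps in the order load_and_authorize_parent chains them.
def parent_check(user, params, shallow: false)
  parent = load_parent(params, [:group], required: !shallow)
  authorize_parent(user, parent, required: !shallow)
rescue ParameterMissing, AccessDenied => e
  e.class.name.to_sym
end
```

With `shallow: true` and no `group_id` the result is `:skipped`: no parent check runs, and the accessor described above falls back to the unscoped `Note.scoped`, so the per-resource check from `authorize_resource` is the one that still applies to such requests.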
#load_resource(options = {}) ⇒ Object
Load the resource and set to an instance variable.
For example:

    class NotesController < ApplicationController
      load_resource
    end

…automatically finds the note for actions `show`, `edit`, `update`, and `destroy`.
For the `new` action, simply instantiates a new resource. For `create`, instantiates and sets attributes to `<resource>_params`.

    # File 'lib/load_and_authorize_resource.rb', line 176
    def load_resource(options={})
      options = options.dup
      # Without :only or :except, the filter covers these six actions.
      unless options[:only] or options[:except]
        options.reverse_merge!(only: [:show, :new, :create, :edit, :update, :destroy])
      end
      define_scope_method([], options.delete(:children))
      before_filter :load_resource, options
    end

#resource_accessor_name ⇒ Object
Returns the name of the resource, in plural form, e.g. “notes”
By default, this is simply the `controller_name`.

    # File 'lib/load_and_authorize_resource.rb', line 218
    def resource_accessor_name
      controller_name
    end

#resource_name ⇒ Object
Returns the name of the resource, in singular form, e.g. “note”
By default, this is simply `controller_name.singularize`.

    # File 'lib/load_and_authorize_resource.rb', line 210
    def resource_name
      controller_name.singularize
    end