Revision 5f65c486
Added by Dominic Cleal about 10 years ago
app/controllers/api/base_controller.rb | ||
---|---|---|
resource_identifying_attributes.each do |key|
|
||
find_method = "find_by_#{key}"
|
||
model = md[1].classify.constantize
|
||
controller = "#{md[1].pluralize}_#{controller_name}"
|
||
controller = md[1].pluralize
|
||
authorized_scope = model.authorized("#{action_permission}_#{controller}")
|
||
@nested_obj ||= authorized_scope.send(find_method, params[param])
|
||
end
|
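Review bot: The permission demanded on the parent resource now follows the verb of the *current* action — `model.authorized("#{action_permission}_#{controller}")` on the `authorized_scope =` line — so if `action_permission` maps create/update/destroy to `create`/`edit`/`destroy` as its name suggests, creating a parameter under a domain would require `create_domains` on the Domain rather than `view_domains`, which is stricter than merely locating the parent needs; the added test only pins the `index` → `view_domains` case. Either confirm that contract with a why-comment above the line, e.g. `# nested lookups are gated by the current action's verb on the parent resource (index -> view_domains, create -> create_domains)`, or gate the lookup on the parent's view permission. Separately, `md[1].classify.constantize` and `authorized_scope.send(find_method, …)` are driven by the incoming param name and `resource_identifying_attributes`; from this hunk alone it is not visible that `md` is restricted to `allowed_nested_id`-whitelisted keys, so that guard must stay upstream of this loop. The enclosing method (`find_required_nested_object`, per the new test) starts before and continues after this hunk.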
app/controllers/api/v1/common_parameters_controller.rb | ||
---|---|---|
|
||
def index
|
||
@common_parameters = CommonParameter.
|
||
authorized(:view_globals).
|
||
authorized(:view_globals, CommonParameter).
|
||
search_for(*search_options).
|
||
paginate(paginate_options)
|
||
end
|
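Review bot: The explicit `CommonParameter` second argument on the `authorized(:view_globals, CommonParameter).` line is the whole fix, yet nothing explains why the class must be passed when the scope is already invoked on `CommonParameter`; the next reader will see it as redundant and remove it. Add a why-comment above the call, e.g. `# resource class passed explicitly: view_globals is a global permission and presumably cannot be inferred from the model name — see #5612`, adjusted to what the authorizer actually does. A functional test asserting that a user holding only `view_globals` gets the parameters from `index` (and one without it does not) would keep this from regressing, since the test added in this commit covers only nested-object lookup.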
app/controllers/api/v2/common_parameters_controller.rb | ||
---|---|---|
|
||
def index
|
||
@common_parameters = CommonParameter.
|
||
authorized(:view_globals).
|
||
authorized(:view_globals, CommonParameter).
|
||
search_for(*search_options).
|
||
paginate(paginate_options)
|
||
end
|
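Review bot: This v2 `index` is byte-for-byte the same as the v1 one, including the unexplained `authorized(:view_globals, CommonParameter).` argument; duplicated authorization logic is exactly where the two API versions will drift apart on the next permission change. At minimum give it the same why-comment as v1, e.g. `# resource class passed explicitly: view_globals is a global permission, not derivable from the model name (#5612)`, and consider a shared helper on the base controller if more parameter controllers repeat this pattern. The regression test for this file should assert the permission name the controller uses, not just that the response succeeds for an admin.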
test/functional/api/base_controller_subclass_test.rb | ||
---|---|---|
assert_response :success
|
||
end
|
||
end
|
||
|
||
context 'nested objects' do
|
||
it "should use auth scope of nested object" do
|
||
ctrl = Api::TestableController.new
|
||
ctrl.expects(:params).at_least_once.returns(HashWithIndifferentAccess.new(:domain_id => 1, :action => 'index'))
|
||
ctrl.expects(:allowed_nested_id).at_least_once.returns(['domain_id'])
|
||
ctrl.expects(:resource_identifying_attributes).at_least_once.returns(['id'])
|
||
scope = mock('scope')
|
||
obj = mock('domain')
|
||
scope.expects(:find_by_id).with(1).returns(obj)
|
||
Domain.expects(:authorized).with('view_domains').returns(scope)
|
||
assert_equal obj, ctrl.send(:find_required_nested_object)
|
||
end
|
||
end
|
||
end
|
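Review bot: The new example stubs only `:action => 'index'` and expects `Domain.expects(:authorized).with('view_domains')`, which proves the `controller_name` suffix is gone but leaves unpinned what permission a non-view action on the nested resource demands on the parent — the case most likely to be wrong. Add a sibling example with e.g. `HashWithIndifferentAccess.new(:domain_id => 1, :action => 'create')` and an expectation naming the intended permission (`with('view_domains')` if locating the parent should only ever need view rights, `with('create_domains')` if it is meant to follow the action). The test also reaches a private method via `ctrl.send(:find_required_nested_object)` with `params`, `allowed_nested_id` and `resource_identifying_attributes` all mocked, so the `/(\w+)_id$/`-style param matching is bypassed entirely; one request-level test through a real nested route would cover that path. The enclosing `describe`/class block starts before this section.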
fixes #5612 - use correct permissions for authz in parameters API
(cherry picked from commit 7cb05aa94e942bd3917c6cde33957288ea84a735)