-
-
Notifications
You must be signed in to change notification settings - Fork 638
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve ability checks with nested resources (hash checks) #767
Conversation
I am looking at the gist. In particular at this part: class AbilityCanID
include CanCan::Ability
def initialize(user)
can :read, Book, user_id: [0, user.id]
end
end what I understand from here is "the user can read books with user_id user1 = User.create!
user2 = User.create!
Book.create([{user: user1}, {user: user2}])
ability = AbilityCanID.new(user1)
assert_equal true, ability.can?(:read, {user1 => Book})
assert_equal false, ability.can?(:read, {user2 => Book}) I am not entirely sure what you are checking with these assertions. Shouldn't you rather check:
? |
I also looked into
The permissions are: can :read, Company
can :manage, Company, id: user.company_ids
can :read, Project1
can :manage, Project1, company_id: user.company_ids
If you want to have this action accessible only if you can manage a company, then you should check this manually in the action with |
On the page |
Concerning your first comment, the reason I check For the second point:
The check done will actually be However, if the rule is defined with It's even more flagrant when the rule is defined with cannot (Project 4 VS 6), because then the rule Concerning your last comment, indeed, there is a problem with the sentence I display at the top of the page for the index. You're right, we have read access to everything, I had the custom actions in mind when writing this. Everything always works in index, as it's a The other rules about read, or about companies, are not really relevant here. The best explanations about what we should be able to/not be able to access are on the root page. Thanks for considering the PR, and don't hesitate to ask me if it's still not clear |
Co-authored-by: Juleffel <[email protected]>
Co-authored-by: Juleffel <[email protected]>
Thanks, done :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I propose to improve the current solution by considering also cases where the foreign key is not following a standard ParentName_id
.
We can use:
_child.reflect_on_all_associations(:belongs_to).find { |association| association.klass == parent.class }.foreign_key
to identify the correct name for the foreign key. What do you think?
Nice thought indeed :) |
I added this in a separate branch |
When we use rails nested resources, cancancan does ability checks with
can? :action, { parent => Class }
. In this case, depending on how abilities are defined, we can have bugs and unexpected behaviours. I believe these are important issues that should be solved quickly.I created an example application listing the problems arising depending on different ability configurations. You just need to clone it, seed it, and launch it. The explanations are on the home page.
I also created a gist to show up the exact examples of can? that are failing.
I also believe issue #661 is related to this.