Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Do not leak all records for guest users in API controllers #2145

Merged
merged 4 commits into from
Jul 10, 2021

Conversation

tvdeyen
Copy link
Member

@tvdeyen tvdeyen commented Jul 1, 2021

What is this pull request for?

CanCanCan does not respect any scope set before accessible_by.
We need to make sure the additional scopes get called afterwards.

Thanks @mamhoff for finding this during working on CanCanCommunity/cancancan#717

Checklist

  • I have followed Pull Request guidelines
  • I have added a detailed description into each commit message
  • I have added tests to cover this change

@tvdeyen tvdeyen force-pushed the do-not-leak-all-pages-in-api branch from a3d7878 to 0b24271 Compare July 1, 2021 10:46
@tvdeyen tvdeyen changed the title Do not leak all pages for guest users in API controller Do not leak all records for guest users in API controllers Jul 1, 2021
@tvdeyen tvdeyen force-pushed the do-not-leak-all-pages-in-api branch from 89388e8 to d3b37a0 Compare July 1, 2021 13:22
tvdeyen added 4 commits July 7, 2021 19:55
CanCanCan does not respect any scope set before `accessible_by`.
We need to make sure the additional scopes get called afterwards.
CanCanCan does not respect any scope set before `accessible_by`.

We need to make sure the additional scopes get called afterwards.
Somehow with the recent fix for cancancan accessible_by the eager loading
of elements contents and essences broke
with "cannot eager load polymorphic association essence".

Since we soft-deprecated essences anyway and this API is mostly used by the
page select in the link overlay we can live with the downside
It was not working since we change some UI and was self-pending since.

Fixed the underlying issues and make it more robust by using capybaras wait
feature.
@tvdeyen tvdeyen force-pushed the do-not-leak-all-pages-in-api branch from d3b37a0 to f8db000 Compare July 7, 2021 19:02
@tvdeyen tvdeyen merged commit bf8a9fb into main Jul 10, 2021
@tvdeyen tvdeyen deleted the do-not-leak-all-pages-in-api branch July 10, 2021 07:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant