Steps to reproduce
We defined 2 models, Contract and Customer. We implemented 2 URLs to show contracts:
/contracts
/customers/:customer_id/contracts
In both cases we used the load_and_authorize_resource method to prevent unauthorised access. Everything worked fine until we added a new cannot rule:
cannot :index, Contract, foo: :bar
Expected behavior
We can still open (index) both URLs, but contracts whose :foo field has the value :bar are missing from the output.
Actual behavior
we still can open /contracts
but we can't open /customers/:customer_id/contracts anymore
Further investigation showed a difference in the underlying can? call. In one case it was: can?(:index, Contract(as class)); in the other case it was can?(:index, { customer_instance_for_customer_id => Contract(as class) })
In the first case the underlying check seems to respect the presence of conditions in the cannot rule. At least I found the following comment in the cancancan-3.5.0/lib/cancan/conditions_matcher.rb:35 file: # Don't stop at "cannot" definitions when there are conditions.
In the second case our cannot rule is selected as the final rule and the result of the can? method is false, which causes load_and_authorize_resource to fail.
System configuration
Rails version: 7.1.3.2
Ruby version: 3.2.3
CanCanCan version: 3.5.0
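The behaviour the report expects, as an added example that is not part of the original issue and not CanCanCan's own code: a deliberately small model of rule evaluation in which a conditional cannot rule filters individual records but does not block the class-level index check, and in which the nested { parent => Class } subject used by /customers/:customer_id/contracts is reduced to the inner class so both routes are authorised the same way. The Rule and Ability classes, the Contract and Customer structs and the sample contracts are all constructed here for illustration.

```ruby
# Simplified model of CanCanCan-style rule evaluation (NOT CanCanCan's implementation).
# Rule, Ability, Contract and Customer are constructed for this example only.

Rule = Struct.new(:base_behavior, :action, :subject_class, :conditions)

Contract = Struct.new(:id, :foo)
Customer = Struct.new(:id)

class Ability
  def initialize
    @rules = []
  end

  def can(action, subject_class, conditions = {})
    @rules << Rule.new(true, action, subject_class, conditions)
  end

  def cannot(action, subject_class, conditions = {})
    @rules << Rule.new(false, action, subject_class, conditions)
  end

  # Accepts a Class, an instance, or the nested form { parent_instance => Class }.
  # The nested form is reduced to its inner subject so that the nested index
  # route is authorised exactly like the plain one.
  def can?(action, subject)
    subject = subject.values.first if subject.is_a?(Hash)
    rule = relevant_rules(action, subject).find { |r| decisive?(r, subject) }
    rule ? rule.base_behavior : false
  end

  # What an index page would render: a per-record instance-level check.
  def accessible(action, records)
    records.select { |record| can?(action, record) }
  end

  private

  # Later rules override earlier ones, so the list is walked in reverse.
  def relevant_rules(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.reverse.select { |r| r.action == action && r.subject_class == klass }
  end

  # A rule settles the answer unless it is a conditional "cannot" evaluated
  # against a bare class: with no instance there is nothing to match, so the
  # search must not stop there and the class-level index stays allowed.
  def decisive?(rule, subject)
    if subject.is_a?(Class)
      rule.base_behavior || rule.conditions.empty?
    else
      rule.conditions.all? { |field, value| subject.public_send(field) == value }
    end
  end
end

# The rules from the report: index is allowed, except for contracts with foo == :bar.
def build_ability
  ability = Ability.new
  ability.can :index, Contract
  ability.cannot :index, Contract, foo: :bar
  ability
end

# Constructed sample data: one contract carries the forbidden value.
CONTRACTS = [Contract.new(1, :baz), Contract.new(2, :bar), Contract.new(3, :qux)].freeze

# Runs both route shapes and the index filtering against the same ability.
def demo
  ability = build_ability
  customer = Customer.new(42)
  {
    plain_index: ability.can?(:index, Contract),                    # /contracts
    nested_index: ability.can?(:index, { customer => Contract }),   # /customers/42/contracts
    visible_ids: ability.accessible(:index, CONTRACTS).map(&:id)    # contract 2 filtered out
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Under this model both index checks return true and only the record with foo: :bar is dropped, which is the outcome the "Expected behavior" section describes; an unconditional cannot still blocks the class-level check, since it has no conditions to defer.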