From 530a20248b705fffd5c60f350d823f8a13596b19 Mon Sep 17 00:00:00 2001 From: Sandro Kalbermatter Date: Fri, 1 Dec 2023 16:00:13 +0100 Subject: [PATCH 1/5] In permitted_attributes, switch from database column detection to Rails attributes detection. Fixes #838 --- lib/cancan/ability/strong_parameter_support.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/cancan/ability/strong_parameter_support.rb b/lib/cancan/ability/strong_parameter_support.rb index 31da74574..892d250a3 100644 --- a/lib/cancan/ability/strong_parameter_support.rb +++ b/lib/cancan/ability/strong_parameter_support.rb @@ -31,7 +31,7 @@ def get_attributes(rule, subject) klass = subject_class?(subject) ? subject : subject.class # empty attributes is an 'all' if rule.attributes.empty? && klass < ActiveRecord::Base - klass.column_names.map(&:to_sym) - Array(klass.primary_key) + klass.attribute_names.map(&:to_sym) - Array(klass.primary_key) else rule.attributes end From 1195d3916abe2a5500582c261df2dc29e3309dd3 Mon Sep 17 00:00:00 2001 From: Sandro Kalbermatter Date: Sun, 19 May 2024 14:22:33 +0200 Subject: [PATCH 2/5] Temporarly revert "In permitted_attributes, switch from database column detection to Rails attributes detection. Fixes #838" This reverts commit 530a20248b705fffd5c60f350d823f8a13596b19. Reason: Adjust tests to obtain a before and after picture --- lib/cancan/ability/strong_parameter_support.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/cancan/ability/strong_parameter_support.rb b/lib/cancan/ability/strong_parameter_support.rb index 892d250a3..31da74574 100644 --- a/lib/cancan/ability/strong_parameter_support.rb +++ b/lib/cancan/ability/strong_parameter_support.rb @@ -31,7 +31,7 @@ def get_attributes(rule, subject) klass = subject_class?(subject) ? subject : subject.class # empty attributes is an 'all' if rule.attributes.empty? && klass < ActiveRecord::Base - klass.attribute_names.map(&:to_sym) - Array(klass.primary_key) + klass.column_names.map(&:to_sym) - Array(klass.primary_key) else rule.attributes end From 1edfe7158ea353fb15a3df4a3f974f419269d7ea Mon Sep 17 00:00:00 2001 From: Sandro Kalbermatter Date: Sun, 19 May 2024 14:24:48 +0200 Subject: [PATCH 3/5] Switch AbilitySpec's User testcase to an actual database model NamedUser in order to include Rails' actual column loading behavior --- spec/cancan/ability_spec.rb | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/spec/cancan/ability_spec.rb b/spec/cancan/ability_spec.rb index 486cbc425..014bb212a 100644 --- a/spec/cancan/ability_spec.rb +++ b/spec/cancan/ability_spec.rb @@ -5,6 +5,20 @@ describe CanCan::Ability do before(:each) do (@ability = double).extend(CanCan::Ability) + + connect_db + ActiveRecord::Migration.verbose = false + ActiveRecord::Schema.define do + create_table(:named_users) do |t| + t.string :first_name + t.string :last_name + end + end + + unless defined?(NamedUser) + class NamedUser < ActiveRecord::Base + end + end end it 'is able to :read anything' do @@ -651,13 +665,10 @@ def active? end it 'returns an array of permitted attributes for a given action and subject' do - user_class = Class.new(ActiveRecord::Base) - allow(user_class).to receive(:column_names).and_return(%w[first_name last_name]) - allow(user_class).to receive(:primary_key).and_return('id') - @ability.can :read, user_class + @ability.can :read, NamedUser @ability.can :read, Array, :special @ability.can :action, :subject, :attribute - expect(@ability.permitted_attributes(:read, user_class)).to eq(%i[first_name last_name]) + expect(@ability.permitted_attributes(:read, NamedUser)).to eq(%i[id first_name last_name]) expect(@ability.permitted_attributes(:read, Array)).to eq([:special]) expect(@ability.permitted_attributes(:action, :subject)).to eq([:attribute]) end From 49367167516af1d3e7204f5ff40ee1e690a1fc90 Mon Sep 17 00:00:00 2001 From: Sandro Kalbermatter Date: Sun, 19 May 2024 14:25:51 +0200 Subject: [PATCH 4/5] Demonstrate that the current implementation misses model attributes created by Rails' "attribute" call --- spec/cancan/ability_spec.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/spec/cancan/ability_spec.rb b/spec/cancan/ability_spec.rb index 014bb212a..3951f3b27 100644 --- a/spec/cancan/ability_spec.rb +++ b/spec/cancan/ability_spec.rb @@ -17,6 +17,7 @@ unless defined?(NamedUser) class NamedUser < ActiveRecord::Base + attribute :role, :string # Virtual only end end end @@ -668,7 +669,7 @@ def active? @ability.can :read, NamedUser @ability.can :read, Array, :special @ability.can :action, :subject, :attribute - expect(@ability.permitted_attributes(:read, NamedUser)).to eq(%i[id first_name last_name]) + expect(@ability.permitted_attributes(:read, NamedUser)).to eq(%i[id first_name last_name role]) expect(@ability.permitted_attributes(:read, Array)).to eq([:special]) expect(@ability.permitted_attributes(:action, :subject)).to eq([:attribute]) end From f68d752f735d3af7a201b41fd34a5f96d1678ac6 Mon Sep 17 00:00:00 2001 From: Sandro Kalbermatter Date: Sun, 19 May 2024 14:26:04 +0200 Subject: [PATCH 5/5] Re-enable fix by reverting "Temporarly revert "In permitted_attributes, switch from database column detection to Rails attributes detection. Fixes #838"" This reverts commit 1195d3916abe2a5500582c261df2dc29e3309dd3. --- lib/cancan/ability/strong_parameter_support.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/cancan/ability/strong_parameter_support.rb b/lib/cancan/ability/strong_parameter_support.rb index 31da74574..892d250a3 100644 --- a/lib/cancan/ability/strong_parameter_support.rb +++ b/lib/cancan/ability/strong_parameter_support.rb @@ -31,7 +31,7 @@ def get_attributes(rule, subject) klass = subject_class?(subject) ? subject : subject.class # empty attributes is an 'all' if rule.attributes.empty? && klass < ActiveRecord::Base - klass.column_names.map(&:to_sym) - Array(klass.primary_key) + klass.attribute_names.map(&:to_sym) - Array(klass.primary_key) else rule.attributes end