Custom Permissions Not Working As Expected #594
Comments
Have you tried testing the Ability class in the console? This will tell you if the problem lies there or elsewhere. See the Debugging Abilities page for details.
After testing the Ability class in the console, I have confirmed that the class itself is behaving as expected, and that permissions are set up the way they should be, but the view is still acting weird. In the console, I grabbed the first user, who is an approver:
I grab a claim owned by this user:
I create an Ability instance for the user:
Given the following permissions:

```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    can :read, Category

    # Owners get full access to their own claims, except approve/deny.
    can :manage, Claim, user_id: user.id
    cannot [:approve, :deny], Claim, user_id: user.id

    # Approvers can read, approve and deny any claim.
    if user.role? :approver
      can [:read, :approve, :deny], Claim
    end

    if user.role? :processor
      can :manage, Batch
    end

    # if user.role? :admin
    #   can :manage, :all
    # end
  end
end
```

Here is what this approver can do with his own claim:
If I grab a claim that the approver doesn't own:
The permissions still check out:
Except when I combine actions like this:
So, I can put the individual checks on each button, and that gets me where I need to be:

```erb
<%= link_to 'Approve this claim', approve_claim_path(@claim), class: "button gradient" if @claim.can_approve? && can?(:approve, @claim) %>
<%= link_to 'Deny this claim', deny_claim_path(@claim), class: "button red gradient" if @claim.can_deny? && can?(:deny, @claim) %>
```

NOTE: I am coupling the display of the buttons with a state machine, so I'm checking to see if the claim is in a state from which it can be approved, and if the user has the ability to approve it.
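The order of the rules in the Ability class above is worth checking on its own, because CanCan resolves `can?` with the last matching rule. What follows is an added example, not code from this issue or from the CanCan gem: a deliberately tiny model of two CanCan 1.x behaviours, (1) rules are scanned last-defined-first, so a later `can` overrides an earlier `cannot`, and (2) `Rule#matches_action?` tests `actions.include?(action)`, so an Array passed as the action matches only `:manage` rules. `User`, `Claim`, `MiniAbility`, `issue_ability`, `reordered_ability` and `approval_matrix` are all constructed for the example, and the "combined" call that failed is assumed to have been `can?([:approve, :deny], claim)`, which the issue does not show. With the rules in the posted order an approver can approve their own claim, because the unconditional approver `can` comes after the owner `cannot`; placing the `cannot` last keeps the self-approval block in force for every role.

```ruby
# Added example (not from the issue or the CanCan gem): a minimal model of how
# CanCan 1.x evaluates rules, used to show what the posted rule order grants.
#   1. can? scans rules last-defined-first, so a later `can` overrides an
#      earlier `cannot` for the same action and subject.
#   2. Rule#matches_action? tests `actions.include?(action)`, so passing an
#      Array as the action matches only :manage rules.
# User and Claim are constructed stand-ins for the application's models.

User = Struct.new(:id, :roles) do
  def role?(role)
    roles.include?(role)
  end
end
Claim = Struct.new(:user_id)

class MiniAbility
  Rule = Struct.new(:base_behavior, :actions, :subject_class, :conditions)

  def initialize
    @rules = []
  end

  def can(actions, subject_class, conditions = {})
    @rules << Rule.new(true, Array(actions), subject_class, conditions)
  end

  def cannot(actions, subject_class, conditions = {})
    @rules << Rule.new(false, Array(actions), subject_class, conditions)
  end

  # The last rule that matches action, subject class and attribute conditions
  # decides the outcome; no matching rule means denied.
  def can?(action, subject)
    match = @rules.reverse.find do |rule|
      (rule.actions.include?(:manage) || rule.actions.include?(action)) &&
        subject.is_a?(rule.subject_class) &&
        rule.conditions.all? { |attr, value| subject.public_send(attr) == value }
    end
    match ? match.base_behavior : false
  end
end

# Claim rules in the order posted in the issue (Category/Batch rules omitted).
def issue_ability(user)
  MiniAbility.new.tap do |a|
    a.can :manage, Claim, user_id: user.id
    a.cannot [:approve, :deny], Claim, user_id: user.id
    a.can [:read, :approve, :deny], Claim if user.role?(:approver)
  end
end

# Same rules with the self-approval `cannot` last, so it wins for every role.
def reordered_ability(user)
  MiniAbility.new.tap do |a|
    a.can :manage, Claim, user_id: user.id
    a.can [:read, :approve, :deny], Claim if user.role?(:approver)
    a.cannot [:approve, :deny], Claim, user_id: user.id
  end
end

# Evaluate the checks that matter for this issue under a given rule builder.
def approval_matrix(build)
  approver        = User.new(1, [:approver])
  submitter       = User.new(2, [])
  approver_claim  = Claim.new(approver.id)   # owned by the approver
  submitter_claim = Claim.new(submitter.id)  # owned by the plain user
  a = build.call(approver)
  s = build.call(submitter)
  {
    approver_own:       a.can?(:approve, approver_claim),
    approver_others:    a.can?(:approve, submitter_claim),
    submitter_own:      s.can?(:approve, submitter_claim),
    # Array-of-actions form, assumed to be the "combined" call from the issue:
    # only the :manage rule can match it, which is why the buttons showed for
    # the owner and not for the approver.
    submitter_combined: s.can?([:approve, :deny], submitter_claim),
    approver_combined:  a.can?([:approve, :deny], submitter_claim)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "posted order:    #{approval_matrix(method(:issue_ability))}"
  puts "reordered rules: #{approval_matrix(method(:reordered_ability))}"
end
```

Running it prints `approver_own: true` for the posted order and `false` after the reorder, while `approver_others` stays `true` in both; the separate `can?(:approve, @claim)` checks in the view are the right shape, but the rule order still decides whether an approver may act on a claim they own.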
I am having trouble getting custom actions to work.
What I expect to happen:
A user should only be able to read, create, update, destroy, and submit their own claims. The "Approve" and "Deny" buttons should only show up if the user is an approver.
What's actually happening:
The "Approve" and "Deny" buttons do display for the user, but they do not display for the approver. This is the opposite of what I'm expecting.
I've read through the documentation and various existing issues. I've tried several things, including spelling out which permissions each user has explicitly (i.e., `[:read, :create, :update, :destroy, :submit]` instead of `:manage`). It makes the buttons go away for the user, but they still don't show up for an approver. What am I missing?

models/ability.rb:
controllers/claims_controller.rb:
views/claims/show.html.erb