CanCan gotcha for abilities with blocks

[tf]

When using the CanCan adapter, ActiveAdmin normally passes a resource object to determine if a specific action is allowed. There are at least three cases, though, where ActiveAdmin passes the resource class as subject:

• Deciding whether to display the menu item (authorized?(:read, Resource))
• Deciding whether to display the new button and the new link on the blank slate page (authorized?(:create, Resource))
• Deciding whether to display batch delete options (authorized?(:destroy, Resource))

These work great for simple cases:

  # ability.rb
  if user.admin?
    can(:manage, Resource)
  end

When using the CanCan block API they present a potential security risk, though:

  # ability.rb
  can(:manage, Resource) do
    user.admin?
  end

As described in CanCanCommunity/cancancan#200, by design, this results in:

  ability = Ability.new(User.new(admin: false))
  ability.can?(:manage, resource) # => false
  ability.can?(:manage, Resource) # => true (!!)

This causes links to forbidden pages to be displayed in our app.

For complex authorization flows, it is not always possible to stick to the first Ability style. And even if a reformulation is easily possible, this behavior looks like a gotcha that should be mentioned in the docs.

The issue could be circumvented by passing symbols instead of classes (i.e. can(:manage, :accounts)). That would be a breaking change, though, and make the simple case harder.