You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using the CanCan adapter, ActiveAdmin normally passes a resource object to determine if a specific action is allowed. There are at least three cases, though, where ActiveAdmin passes the resource class as subject:
This causes links to forbidden pages to be displayed in our app.
For complex authorization flows, it is not always possible to stick to the first Ability style. And even if a reformulation is easily possible, this behavior looks like a gotcha that should be mentioned in the docs.
The issue could be circumvented by passing symbols instead of classes (i.e. can(:manage, :accounts)). That would be a breaking change, though, and make the simple case harder.
The text was updated successfully, but these errors were encountered:
When using the CanCan adapter, ActiveAdmin normally passes a resource object to determine if a specific action is allowed. There are at least three cases, though, where ActiveAdmin passes the resource class as subject:
authorized?(:read, Resource)
)authorized?(:create, Resource)
)authorized?(:destroy, Resource)
)These work great for simple cases:
When using the CanCan block API they present a potential security risk, though:
As described in CanCanCommunity/cancancan#200, by design, this results in:
This causes links to forbidden pages to be displayed in our app.
For complex authorization flows, it is not always possible to stick to the first Ability style. And even if a reformulation is easily possible, this behavior looks like a gotcha that should be mentioned in the docs.
The issue could be circumvented by passing symbols instead of classes (i.e.
can(:manage, :accounts)
). That would be a breaking change, though, and make the simple case harder.The text was updated successfully, but these errors were encountered: