CanCanCan a :create authorization #5282
Comments
Long question short: why should AA ask if the user is authorized to create an empty ticket in this case even before the form is submitted? The preliminary check to see if a user can create a generic Ticket in order to show/hide the create button is perfect. I just don't understand why, before showing the form, AA needs to check for the creation of an empty Ticket.
Just trying to understand if the problem is only mine or if it is an AA issue no one ever crossed before. To me it seems that AA should check the create authorization mainly in 2 cases:
That's it! Why should AA check the following:
What if the current_user has only permission to create tickets where the authorization would fail? This is exactly where I'm stuck. I hope I explained myself a little better in order to know how to address the issue.
Does this override make sense at all? Can you think of any side effects?

```ruby
ActiveAdmin::ResourceController::DataAccess.module_eval do
  def build_resource
    get_resource_ivar || begin
      resource = build_new_resource
      resource = apply_decorations(resource)
      run_build_callbacks resource
      # this authorization check is the one we don't need anymore
      # authorize_resource! resource
      set_resource_ivar resource
    end
  end
end

ActiveAdmin::ResourceController::DataAccess.module_eval do
  def save_resource(object)
    run_save_callbacks object do
      return false unless object.validate # added it
      authorize_resource! resource # added it (resource is the ivar set by build_resource)
      object.save(validate: false) # disabled validation since I do it 2 lines up
    end
  end
end
```
Wouldn't that allow anyone, even without the ability to create, to at least go as far as the form and fill in data? They wouldn't be able to actually create anything because of where you moved the

I say change the

```ruby
# same module_eval wrapper as the override above, so the method is actually replaced
ActiveAdmin::ResourceController::DataAccess.module_eval do
  def build_resource
    get_resource_ivar || begin
      resource = build_new_resource
      resource = apply_decorations(resource)
      run_build_callbacks resource
      # class-level check: can the user create this resource class at all?
      authorize! Authorization::CREATE, active_admin_config.resource_class
      set_resource_ivar resource
    end
  end
end
```

That would prevent access before going to the "New Ticket" form and your present validation in

I will say that the reason AA probably hasn't tackled it this way is how it would handle form validation and errors on the form if the record was itself valid but the user wasn't authorized to create that resource. Not sure how it's currently handled, but I'm pretty sure it wouldn't be a nice recovery from that kind of problem (user input lost, navigated to a different page, etc.).
For anybody else encountering this problem, I believe the simplest solution is to use a
I created some rules and one of them is the following:
This should allow the currently authenticated user to create tickets only when author_id is equal the user's id.
From rails console I can test that my rule works fine:
Considering that I'm using ActiveAdmin, I now need to use my authorization rules with it by using its ActiveAdmin::AuthorizationAdapter.
One problem I am facing is that whenever I create a "New Ticket" I get access denied.
I double checked what condition is failing and it seems that AA asks for the following:
When I believe it should ask for the following instead:
Ticket.new has all parameters set to nil:
that is why my CanCanCan hash condition is failing (author_id = nil is not valid, it should be user_id instead).
Is there a possible fix for this? Maybe I'm setting my CanCanCan rule in the wrong way? ActiveAdmin is also offering a CanCanCan adapter out of the box, so I'm wondering how this could have been overlooked.
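To make the failure mode in this issue reproducible without Rails, ActiveAdmin or the cancancan gem, here is an added example (not code from the issue, from ActiveAdmin or from CanCanCan). It is a small stand-in for CanCanCan's hash-condition rules whose matching mirrors CanCanCan's documented behaviour: a class-level `can?(:create, Ticket)` passes as soon as any rule covers the class, while an instance check evaluates the rule's conditions against the object's attributes. The `Ticket`/`User` structs, the `Ability` class and the user id 42 are all constructed for this example. It shows the four checks the thread talks about: the class-level check behind the "New Ticket" button, the empty `Ticket.new` that ActiveAdmin's `build_resource` authorizes, the ticket with `author_id` assigned that the reporter expected, and a ticket attributed to another user.

```ruby
# Added example, not code from the issue or from ActiveAdmin/CanCanCan.
# Minimal stand-in for CanCanCan hash-condition rules; Ticket, User, Ability
# and the sample ids below are constructed for this demonstration.

Ticket = Struct.new(:author_id, :title, keyword_init: true)
User   = Struct.new(:id, keyword_init: true)

class Ability
  Rule = Struct.new(:action, :subject_class, :conditions)

  def initialize(user)
    @rules = []
    # Same intent as the issue's CanCanCan rule: a user may create tickets
    # only when author_id equals their own id.
    can :create, Ticket, author_id: user.id
  end

  def can(action, subject_class, conditions = {})
    @rules << Rule.new(action, subject_class, conditions)
  end

  # can?(:create, Ticket)     -> class-level check: true if any rule covers the class
  # can?(:create, ticket_obj) -> instance check: every hash condition must match
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule|
      next false unless rule.action == action && rule.subject_class == klass
      next true if subject.is_a?(Class)
      rule.conditions.all? { |attr, expected| subject.public_send(attr) == expected }
    end
  end
end

# Runs the checks discussed in the thread for a constructed user (id 42 by default).
def authorization_checks(user_id: 42)
  user    = User.new(id: user_id)
  ability = Ability.new(user)

  {
    # Class-level check used to show/hide the "New Ticket" button.
    class_level:    ability.can?(:create, Ticket),
    # What ActiveAdmin's build_resource effectively asks: an empty Ticket.new,
    # whose author_id is nil and so never equals the user's id.
    empty_ticket:   ability.can?(:create, Ticket.new),
    # What the reporter expected: the ticket once author_id is assigned.
    owned_ticket:   ability.can?(:create, Ticket.new(author_id: user_id)),
    # A ticket attributed to someone else must still be rejected.
    foreign_ticket: ability.can?(:create, Ticket.new(author_id: user_id + 1)),
  }
end

puts authorization_checks.inspect if $PROGRAM_NAME == __FILE__
```

The result matches the thread: only `empty_ticket` fails for the legitimate user, which is why the comments above suggest doing the class-level check before rendering the form and deferring the instance check until the attributes (including `author_id`) have been assigned at save time.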