load_and_authorize through when no index ability on parent fails #94

Closed
stellard opened this issue Jul 16, 2014 · 1 comment

@stellard
Contributor

    # ability
    can :show, Parent
    can :index, Child

    # controller
    load_and_authorize_resource :parent
    load_and_authorize_resource :child, :through => :parent

    def index
    end

The index action fails on not having the ability to :index Parent.
Access denied on index {#<Parent ..

Stepping through the code, Parent is authorized on :show first which is correct.

When authorizing Child:

    def authorize_resource
      unless skip?(:authorize)
        @controller.authorize!(authorization_action, resource_instance || resource_class_with_parent)
      end
    end

resource_instance is nil and resource_class_with_parent returns a hash:

    subject_hash = resource_class_with_parent
    => {<#Parent instance..> => Child(class) }

Child is then ignored completely when matching the rule:

    def nested_subject_matches_conditions?(subject_hash)
      parent, child = subject_hash.first
      matches_conditions_hash?(parent, @conditions[parent.class.name.downcase.to_sym] || {})
    end

It would appear this subject notation has to do with nesting and is no longer being used. resource_class_with_parent is not used anywhere else.

Defining authorize_resource to return the resource class instead solves this issue.

    def authorize_resource
      unless skip?(:authorize)
        @controller.authorize!(authorization_action, resource_instance || resource_class)
      end
    end

The tests do not indicate a reason why this should not be the case all of the time. Is this behaviour intended?

@bryanrite
Member

No, I would think not. I'm not familiar with that part of the code, so I'll try and take a look, but I see no reason why a parent should have an index. I haven't actually run into this problem before and I do believe I have projects that should have, so I'll go double check they show the same issues.

Thanks for your help.

@Senjai added the bug label Jun 13, 2015