
Update cancancan Gem to 3.2 #50693

Merged
merged 3 commits into from Mar 17, 2023

Conversation

Hamms
Contributor

@Hamms Hamms commented Mar 10, 2023

To pick up support for Rails 6.1

Links

Testing story

Relying on existing tests to verify that this does not result in any change in functionality.

PR Checklist:

  • Tests provide adequate coverage
  • Privacy and Security impacts have been assessed
  • Code is well-commented
  • New features are translatable or updates will not break translations
  • Relevant documentation has been added or updated
  • User impact is well-understood and desirable
  • Pull Request is labeled appropriately
  • Follow-up work items (including potential tech debt) are tracked and linked

@Hamms Hamms added the Rails Upgrade All work related to upgrading the version of Ruby on Rails we use. label Mar 10, 2023
@@ -205,7 +205,7 @@ def initialize(user)
!script.old_professional_learning_course?
end
can [:read, :find], :regional_partner_workshops
can [:new, :create, :read, :update], TEACHER_APPLICATION_CLASS, user_id: user.id
can [:new, :create, :show, :update], TEACHER_APPLICATION_CLASS, user_id: user.id
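Review bot: the added line removes `index` for TEACHER_APPLICATION_CLASS only by omission (dropping `:read` in favour of `:show`), and nothing in the hunk pins that down; since the PR description relies on existing tests and the cascade was found by inspection rather than by a failing test, add an ability spec asserting that a teacher `cannot?(:index, TEACHER_APPLICATION_CLASS)` while `can?(:show, ...)` still holds for their own record, so a later reintroduction of `:read` (which expands to `index` plus `show`) fails CI instead of silently reopening the applications index route.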
Contributor Author

@Hamms Hamms Mar 14, 2023


This is a subtle one!

In addition to Rails 6.1 support, this version of CanCanCan also added support for single-table inheritance, meaning that permissions can now cascade to their descendants ancestors (edit: I got this backwards originally). Unfortunately, this revealed what I think is a bug in our implementation logic; our intent here is to grant teachers view permissions to the teacher application model. That model is based on our ApplicationBase model, the permissions of which also control the route that lets you query all applications.

We don't actually want teachers to be able to access that route, but because read is an alias for index plus show, we are implicitly (and I think accidentally) relying on single-table inheritance not working here to avoid this permission cascading up to the application dashboard controller.

The simple fix is to be more targeted in the permissions we grant.
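
The alias expansion that makes this subtle is worth seeing in isolation. The following is an added example, not code from this PR, from Code.org's Ability class, or from the cancancan gem: it is a small stand-in that models CanCanCan's default action aliases (`read` covers `index` and `show`, `create` covers `new`, `update` covers `edit`) and class-subject matching through the class hierarchy, and then compares the rule line as it was before the change with the narrowed one. `ApplicationBase`, `TeacherApplication` and `MiniAbility` are constructed stand-ins for the page's model and ability classes; the `user_id:` condition is omitted because only action matching is modelled.

```ruby
# Added example: a minimal model of CanCanCan's default action aliases and
# class-subject matching. This is NOT the cancancan gem and NOT the project's
# Ability class; it only reproduces why `can :read` also grants `index`.

# Constructed stand-ins for the page's ApplicationBase / TEACHER_APPLICATION_CLASS.
class ApplicationBase; end
class TeacherApplication < ApplicationBase; end

class MiniAbility
  # CanCanCan's built-in aliases: granting the alias grants every action it covers.
  DEFAULT_ALIASES = {
    read:   [:index, :show],
    create: [:new],
    update: [:edit],
  }.freeze

  def initialize
    @rules = []
  end

  # Mirrors the `can actions, SubjectClass` DSL shape used on the page
  # (conditions such as user_id: are not modelled here).
  def can(actions, subject_class)
    Array(actions).each { |action| @rules << [action, subject_class] }
  end

  # Every action that implies `action`: the action itself plus any alias covering it
  # (e.g. :index is implied by :read).
  def implying_actions(action)
    [action] + DEFAULT_ALIASES.select { |_, covered| covered.include?(action) }.keys
  end

  # A rule on a class applies to that class and its subclasses; this is the usual
  # CanCanCan behaviour for class subjects (rule class is in klass.ancestors).
  def can?(action, klass)
    wanted = implying_actions(action)
    @rules.any? { |rule_action, rule_class| wanted.include?(rule_action) && klass <= rule_class }
  end
end

# The rule line as it stood before this PR's change.
def before_fix
  ability = MiniAbility.new
  ability.can [:new, :create, :read, :update], TeacherApplication
  ability
end

# The narrowed rule line from the diff: :show instead of :read.
def after_fix
  ability = MiniAbility.new
  ability.can [:new, :create, :show, :update], TeacherApplication
  ability
end

# Does this ability let the user hit the index action on the given class?
def grants_index?(ability, klass = TeacherApplication)
  ability.can?(:index, klass)
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix, index on TeacherApplication: #{grants_index?(before_fix)}"
  puts "after fix,  index on TeacherApplication: #{grants_index?(after_fix)}"
  puts "after fix,  show on TeacherApplication:  #{after_fix.can?(:show, TeacherApplication)}"
end
```

Running it shows the old line granting `index` purely through the `read` alias, while the narrowed line keeps `show` (and `new`, `create`, `update`, hence `edit`) but no longer implies `index`. The STI cascade to the parent model that CanCanCan 3.2 introduced, which is what surfaced the problem on the applications index route, is the library's own behaviour and is deliberately not reproduced here; the point of the model is that the fix works by never granting `index` in the first place, so it holds regardless of how that cascade resolves.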

@Hamms Hamms marked this pull request as ready for review March 14, 2023 20:19
@Hamms Hamms requested a review from a team March 14, 2023 20:29
@Hamms Hamms merged commit dad0f78 into staging Mar 17, 2023
@Hamms Hamms deleted the cancancan-3.2 branch March 17, 2023 00:17
@Hamms Hamms mentioned this pull request Mar 28, 2023