:read not the same as [:index, :show]? #302

Closed
sethvargo opened this Issue Mar 12, 2011 · 3 comments


@sethvargo

According to all documentation, the :read action is aliased to both :index and :show:

alias_action :index, :show, :to => :read

However, consider the following scenario with nested resources:

resources :posts do
  resources :comments
end

If I define abilities like this:

# ability.rb
can :read, Post
can :show, Comment

# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization

things work as expected. However, if I change the :read action to [:index, :show]:

# ability.rb
can [:index, :show], Post
can :show, Comment

# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization

I am unauthorized to access /posts/:post_id/comments, /posts/:post_id/comments/:id, etc. I still, however, can access both :index and :show for the posts_controller.

How is it possible that these actions are "aliased", if they behave differently?

In my fiddling, I also came across the following. Changing load_and_authorize_resource to the following allowed access:

# ability.rb
can [:index, :show], Post
can :show, Comment

# comments_controller.rb
load_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
@ryanb
Owner

Both the :index and :show actions point to the :read action. When CanCan authorizes a parent resource it uses the :read action directly which is why you're seeing this behavior.

can :read, Product
can [:index, :show], Category
can? :read, Product # returns true
can? :read, Category # returns false since it doesn't have :read permission, only :index and :show

I think this has caused confusion before, so I will change the internal behavior to never use the :read action directly. Instead for the parent resource I'll change it to use :show and for the accessible_by default I will use :index instead of :read. Thanks for bringing this to my attention.
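To make the explanation above concrete, here is an added example (not CanCan's own code) that re-implements the relevant part of CanCan's rule matching: a rule stores its alias-expanded actions, and `can?` succeeds only when the requested action appears in that expansion. The `MiniAbility`, `Post`, `Comment`, `build_ability` and `parent_authorized?` names are this example's own. It covers both ability definitions from the issue and both parent checks (the original `:read` and the `:show` proposed as the fix).

```ruby
# Added example: a minimal model of CanCan's action aliasing, written to show
# why `can :read` and `can [:index, :show]` are not interchangeable when a
# parent resource is authorized with :read. This is not CanCan's own code.
class MiniAbility
  # CanCan's default aliases: :read covers :index and :show, and so on.
  DEFAULT_ALIASES = { read: [:index, :show], create: [:new], update: [:edit] }.freeze

  def initialize
    @aliases = DEFAULT_ALIASES.dup
    @rules = []
  end

  # Same shape as CanCan's `alias_action :index, :show, :to => :read`.
  def alias_action(*actions, to:)
    @aliases[to] = (@aliases[to] || []) + actions
  end

  # A rule stores its *expanded* actions: `can :read` becomes
  # [:read, :index, :show], but `can [:index, :show]` stays [:index, :show].
  # Nothing maps :index or :show back up to :read.
  def can(actions, subject)
    @rules << { actions: expand(Array(actions)), subject: subject }
  end

  # A rule is relevant when its expanded actions contain the requested action
  # (or :manage). Aliases expand downward only, never upward.
  def can?(action, subject)
    @rules.any? do |rule|
      rule[:subject] == subject &&
        (rule[:actions].include?(:manage) || rule[:actions].include?(action))
    end
  end

  private

  def expand(actions)
    actions.flat_map { |a| [a] + expand(@aliases.fetch(a, [])) }.uniq
  end
end

# Stand-ins for the models in the issue (constructed for this example).
class Post; end
class Comment; end

# Build the two ability definitions from the issue.
def build_ability(style)
  ability = MiniAbility.new
  if style == :read
    ability.can :read, Post             # nested comments work
  else
    ability.can [:index, :show], Post   # nested comments fail when the parent is checked with :read
  end
  ability.can :show, Comment
  ability
end

# What loading comments through their parent asks about the Post:
# the original code checked :read directly; the fix checks :show instead.
def parent_authorized?(ability, parent_action)
  ability.can?(parent_action, Post)
end

if $PROGRAM_NAME == __FILE__
  [:read, :explicit].each do |style|
    a = build_ability(style)
    puts "#{style}: can? :index => #{a.can?(:index, Post)}, " \
         "can? :read => #{a.can?(:read, Post)}, " \
         "parent via :read => #{parent_authorized?(a, :read)}, " \
         "parent via :show => #{parent_authorized?(a, :show)}"
  end
end
```

Run as a script it prints one line per ability style; the `:explicit` line shows `can? :read` and the `:read`-based parent check returning false while `:index` and the `:show`-based parent check return true, which is exactly the asymmetry reported in the issue.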

@sethvargo

No problem. I'm working on a very complex authorization application and, of course, I am running into the most bizarre errors and possibilities :(. Thanks for responding so quickly!

@ryanb
Owner

making accessible_by action default to :index and parent action default to :show so we don't check :read action directly - closed by fdd5ad0

@mphalliday mphalliday pushed a commit that referenced this issue Oct 11, 2011
@ryanb making accessible_by action default to :index and parent action default to :show so we don't check :read action directly - closes #302
fdd5ad0
This issue was closed.