
:read not the same as [:index, :show]? #302

Closed
sethvargo opened this Issue · 3 comments

2 participants

@sethvargo

According to all documentation, the :read action is aliased to both :index and :show:

alias_action :index, :show, :to => :read

However, consider the following scenario with nested resources:

resources :posts do
  resources :comments
end

If I define abilities like this:

# ability.rb
can :read, Post
can :show, Comment

# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization

things work as expected. However, if I change the :read action to [:index, :show]:

# ability.rb
can [:index, :show], Post
can :show, Comment

# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization

I am unauthorized to access /posts/:post_id/comments, /posts/:post_id/comments/:id, etc. I still, however, can access both :index and :show for the posts_controller.

How is it possible that these actions are "aliased", if they behave differently?

In my fiddling, I also came across the following. Changing load_and_authorize_resource to the following allowed access:

# ability.rb
can [:index, :show], Post
can :show, Comment

# comments_controller.rb
load_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
@ryanb
Owner

Both the :index and :show actions point to the :read action. When CanCan authorizes a parent resource it uses the :read action directly which is why you're seeing this behavior.

can :read, Product
can [:index, :show], Category
can? :read, Product # returns true
can? :read, Category # returns false since it doesn't have :read permission, only :index and :show

I think this has caused confusion before, so I will change the internal behavior to never use the :read action directly. Instead for the parent resource I'll change it to use :show and for the accessible_by default I will use :index instead of :read. Thanks for bringing this to my attention.
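A small stand-alone model of the alias expansion described above (an added illustration, not CanCan's own code): rule actions are expanded through the alias table, the checked action is not, so `can :read` covers `:index`/`:show` but `can [:index, :show]` never covers `:read`. `MiniAbility`, `parent_check`, `Product` and `Category` are constructed for the example.

```ruby
# Models CanCan's alias handling: a rule's actions are expanded via the alias
# table at definition time; a check matches only if the checked action appears
# literally in that expanded set (or the rule grants :manage).
class MiniAbility
  def initialize
    @aliases = { read: [:index, :show], create: [:new], update: [:edit] }
    @rules = [] # each rule: [expanded_actions, subject_class]
    yield self if block_given?
  end

  def alias_action(*actions, to:)
    @aliases[to] = (@aliases[to] || []) + actions
  end

  def can(actions, subject)
    @rules << [expand(Array(actions)), subject]
  end

  # Only the rule side is expanded; asking for :read finds nothing unless a
  # rule was written with :read (or :manage) itself.
  def can?(action, subject)
    @rules.any? do |actions, klass|
      klass == subject && (actions.include?(:manage) || actions.include?(action))
    end
  end

  private

  def expand(actions)
    actions.flat_map { |a| [a] + expand(@aliases[a] || []) }.uniq
  end
end

Product = Class.new  # constructed sample subjects
Category = Class.new

ABILITY = MiniAbility.new do |a|
  a.can :read, Product            # expands to [:read, :index, :show]
  a.can [:index, :show], Category # stays [:index, :show]; :read is absent
end

def check(action, subject)
  ABILITY.can?(action, subject)
end

# What the parent-resource load checks: :read before the fix, :show after it.
def parent_check(subject, parent_action)
  check(parent_action, subject)
end
```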

@sethvargo

No problem. I'm working on a very complex authorization application and, of course, I am running into the most bizarre errors and possibilities :(. Thanks for responding so quickly!

@ryanb
Owner

making accessible_by action default to :index and parent action default to :show so we don't check :read action directly - closed by fdd5ad0

@mphalliday mphalliday referenced this issue from a commit fdd5ad0:
@ryanb making accessible_by action default to :index and parent action default to :show so we don't check :read action directly - closes #302
This issue was closed.