
Destroy action forces logout and cannot destroy resource. #382

Closed
ekampp opened this Issue May 20, 2011 · 13 comments

4 participants

Emil Kampp Brandon Hansen Ryan Bates Dan Kozlowski
Emil Kampp
ekampp commented May 20, 2011

Hi there.

I have set up devise and CanCan. And the index, show, new, create, edit and update methods are working fine, but for some reason the destroy method is breaking the authorization chain. For some reason CanCan is denying the admin (with :magage :all abilities) to destroy a record.

I have tried to simply display the can? :destroy, resource to see if I (logged in as the admin) would have access to destroying the resource (I trust that the view can? and the can? that load_and_authorize_resource eventually calls are the same?!) and it seems that I should be able to destroy the record.

Is there any simple explanation for this, or is there something broken? I haven't been able to find any indications of similar problems online. So bear with me if the issue has a simple solution that I haven't found.

Best regards
Emil

Emil Kampp
ekampp commented May 20, 2011

I have tried to change the permission of any user to can :manage, :all and now the resource is deleted, but the user is still logged out afterwards.

Brandon Hansen

I noticed that you have :magage. That might be affecting it.

Emil Kampp
ekampp commented May 20, 2011

I just rechecked. I don't have that in my Ability class. So that was a typo when writing up the issue.

Ryan Bates
Owner
ryanb commented May 21, 2011

CanCan isn't doing anything special when destroying records. I don't see any reason why it would be logging the admin out unless that is part of the behavior when failing authorization.

Try removing the load_and_authorize_resource from the controller temporarily and see if it still logs the admin out. If not try adding this to an action.

raise CanCan::AccessDenied

and see if that has the same logout behavior.

Emil Kampp
ekampp commented May 21, 2011

If I remove the load_and_authorize_resource from the controller, then it raises the AuthorizationNotPerformed error. So I assume that I need to also write in the skip_authorization_check in the same controller?

If the above is the case, then it still logs me out after destroying an object. Good catch. I guess that means that it's something with devise?

Emil Kampp
ekampp commented May 22, 2011

Further information:
I have tried to put the load_and_authorize_resource back into the controller, and the logout problem persists (as expected) but also I'm still not allowed to destroy records.

require 'cancan'

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest (nobody logged in)

    if user.account_admin?
      can :manage, :account
    end
    if user.admin?
      can :manage, :all
    else
      can :read, :all
    end
  end
end

Emil Kampp ekampp closed this May 22, 2011
Emil Kampp ekampp reopened this May 22, 2011
Emil Kampp
ekampp commented May 22, 2011

I found something more. It turns out that I did have the AccessDenied in my ApplicationController. And that it did redirect to my login path each time it would deny someone access. And in turn devise logs out any user accessing the login-form. So it turns out that CanCan is denying the admin (with the :manage, :all-ability) permission to destroy records.

Ryan Bates
Owner
ryanb commented May 22, 2011

Try Debugging Abilities in the console and see if you can duplicate this behavior. If it works there then perhaps the current_user isn't being passed through properly on the controller side. Hmm.

Emil Kampp
ekampp commented May 22, 2011

Ok. I tried that, and the ability.can?(:destroy, project) returned true, so it seems that this isn't the problem. But how would I check if the current_user is passed properly? Where in the CanCan code is the Ability.new(current_user) called? So I can work from there?

Emil Kampp ekampp closed this May 23, 2011
Emil Kampp
ekampp commented May 23, 2011

After some trawling I found that you're right. The user session has stopped existing at the time the can? method was called. I fixed this by adding the csrf-tag to the html view. This was apparently a thing about clearance.

Ryan Bates
Owner
ryanb commented May 24, 2011

Glad you got it working. In case anyone else comes across a similar issue, the Ability.new(current_user) code is inside the ControllerAdditions#current_ability module in CanCan. You can override current_ability in any controller to change the behavior and test it there.
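
The chain of events this thread ends up describing, written out as an added example (not code from CanCan, Devise or the reporter's app): a form POST that omits the authenticity token fails Rails 3.0's protect_from_forgery check, which by default calls reset_session; current_user is then nil when ControllerAdditions#current_ability builds Ability.new(current_user), so the guest rules apply, can?(:destroy, ...) is false, and the app's rescue_from AccessDenied redirects to the login page. The Ability stand-in, the controller, the session hash and the token value are all constructed stand-ins for the real gems; only the rule shapes (:manage, :all for admins, :read, :all otherwise) come from the thread.

```ruby
# Added example: models the request flow the issue describes, with hypothetical
# stand-ins for Rails/Devise/CanCan behaviour (no gems required).

User = Struct.new(:name, :admin) do
  def admin?; admin; end
end

# Minimal stand-in for CanCan::Ability carrying only the rules used in the thread.
class Ability
  def initialize(user)
    @rules = []
    user ||= User.new("guest", false)   # guest when nobody is logged in
    if user.admin?
      can :manage, :all
    else
      can :read, :all
    end
  end

  def can(action, subject); @rules << [action, subject]; end

  def can?(action, subject)
    @rules.any? do |a, s|
      (a == :manage || a == action) && (s == :all || s == subject)
    end
  end
end

class AccessDenied < StandardError; end

# Stand-in controller: CSRF check, session, current_user, authorization.
class ProjectsController
  attr_reader :session, :redirected_to

  def initialize(session)
    @session = session          # constructed: { user: User, csrf_token: "..." }
    @redirected_to = nil
  end

  def current_user; session[:user]; end

  # Same hook CanCan's ControllerAdditions#current_ability provides.
  def current_ability; @current_ability ||= Ability.new(current_user); end

  # Rails 3.0-style protect_from_forgery: unverified request => reset_session.
  def verify_authenticity_token(params)
    return if params[:authenticity_token] == session[:csrf_token]
    @session = {}               # reset_session: the user is now logged out
  end

  def destroy(params, project = :project)
    verify_authenticity_token(params)
    raise AccessDenied unless current_ability.can?(:destroy, project)
    :destroyed
  rescue AccessDenied
    @redirected_to = "/users/sign_in"   # what the thread's rescue_from did
    :denied
  end
end

def admin_session
  { user: User.new("emil", true), csrf_token: "tok123" }  # constructed sample
end

# View without the csrf meta tag / hidden field: session reset, destroy denied,
# and the admin lands on the login page, exactly the symptom reported above.
def destroy_without_token
  c = ProjectsController.new(admin_session)
  [c.destroy({}), c.current_user.nil?, c.redirected_to]
end

# View that sends the token: the session survives and the admin can destroy.
def destroy_with_token
  c = ProjectsController.new(admin_session)
  [c.destroy(authenticity_token: "tok123"), c.current_user.nil?, c.redirected_to]
end

if __FILE__ == $0
  p destroy_without_token   # [:denied, true, "/users/sign_in"]
  p destroy_with_token      # [:destroyed, false, nil]
end
```

The diagnostic value is in the order of the calls: the CSRF check runs before current_ability is ever consulted, so checking ability.can? in the console (as suggested earlier in the thread) passes while the same check in the controller fails. Overriding current_ability in the controller and logging current_user there, as Ryan suggests, exposes the nil user directly.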

Dan Kozlowski

Awesome. I have been struggling with this issue for several hours; the title should be appended with: "and cannot destroy resource".

Ryan Bates
Owner
ryanb commented July 23, 2011

@dankozlowski changed the title, thanks for the suggestion.
