conditions are ignored? #615
Maybe it's me misusing CanCan, but see this simple paste (http://pastie.org/3872605)
This is with 1.6.7.
Ok, according to https://github.com/ryanb/cancan/wiki/Nested-Resources I'm actually supposed to check against
The issue is in Rule#matches_conditions, when you do
There the conditions are never checked and it yields (IMHO) a false positive.
The semantics of checking against a class is that you verify that for some instance of that class this action might succeed. This is useful to not offer some kind of stuff in the first place (think: not linking to the create-task action). Whether some specific task can be created has to be checked against an instance, of course.
Okay... but I still think that if you have:
Then the following should happen:
Point 3 is clearly giving more rights than it should have done when you defined the rule, even if it's somewhat a misuse of CanCan.
Hum, how do you check that someone has the right to read a task for any person if you don't have a person instance at hand?
E.g. for admins, you give them the following right:
And for normal users you give them the right to read their own tasks only:
Now in some admin form you naturally do:
Can you see the problem I have? What am I supposed to do?
a) Can a user do something with this specific instance?
What you cannot ask is
c) Does the user have a role X?
Roles are orthogonal to Abilities. E.g. you could define them as modules to add to your abilities and then check with
And a possibly simpler solution is to provide an instance when you want field-specific checks.

```ruby
# Probe with a blank instance instead of the class, so the rule's
# conditions hash is actually evaluated.
if can? :read, Task.new(:person => nil)
  ...
end
```
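To make the behaviour argued over in this thread concrete, here is an added, self-contained model of CanCan 1.6 rule matching. It is not CanCan's code and not the reporter's paste; it reduces `Rule#matches_conditions?` to the one branch that matters here (a hash of conditions, no blocks, no ActiveRecord), and the `Person`/`Task` structs, the `person_id` and `archived` attributes and the admin-versus-normal-user ability setup are assumptions made for the illustration. It shows that the class-level check `can? :read, Task` ignores the conditions hash for both kinds of user, that an instance check honours it, that the blank-instance probe from the last comment distinguishes the two rules, and (going one step beyond the thread) that a conditioned `cannot` rule does not block the class-level check either.

```ruby
# Added example, not CanCan's own implementation. Class names, attributes
# and the ability rules below are assumptions for the illustration.
Person = Struct.new(:id, :admin)
Task   = Struct.new(:person_id, :title, :archived)

class Rule
  attr_reader :base_behavior

  def initialize(base_behavior, action, subject, conditions)
    @base_behavior = base_behavior   # true for `can`, false for `cannot`
    @action        = action          # e.g. :read
    @subject       = subject         # a class, e.g. Task
    @conditions    = conditions      # hash, e.g. { person_id: 1 }
  end

  # Same action, and the subject is the rule's class or an instance of it.
  def relevant?(action, subject)
    @action == action && (subject == @subject || subject.is_a?(@subject))
  end

  # The point of the issue: with a Class as subject there are no attributes
  # to compare, so a conditioned `can` rule counts as matching (the
  # "false positive"), while a conditioned `cannot` rule is skipped so it
  # does not hide the permissive rule behind it. Only an instance is really
  # compared against the conditions hash.
  def matches_conditions?(subject)
    if subject.is_a?(Class)
      @conditions.empty? ? true : @base_behavior
    else
      @conditions.all? { |attr, value| subject.public_send(attr) == value }
    end
  end
end

class Ability
  def initialize(user)
    @rules = []
    if user.admin
      can :read, Task                        # admins: any task
    else
      can :read, Task, person_id: user.id    # others: only their own tasks
    end
  end

  def can(action, subject, conditions = {})
    @rules << Rule.new(true, action, subject, conditions)
  end

  def cannot(action, subject, conditions = {})
    @rules << Rule.new(false, action, subject, conditions)
  end

  # The most recently defined matching rule decides, as in CanCan.
  def can?(action, subject)
    match = @rules.reverse.find do |rule|
      rule.relevant?(action, subject) && rule.matches_conditions?(subject)
    end
    match ? match.base_behavior : false
  end
end

# Constructed sample data: one normal user, one admin, two tasks.
def demo
  alice = Person.new(1, false)
  admin = Person.new(2, true)
  own    = Task.new(1, "alice's task", false)
  others = Task.new(2, "someone else's task", false)

  user_ability  = Ability.new(alice)
  admin_ability = Ability.new(admin)

  # An admin-style ability with an extra conditioned `cannot` rule.
  moderator = Ability.new(admin)
  moderator.cannot :read, Task, archived: true

  {
    # class-level check: true for both, the person_id condition is skipped
    user_class:        user_ability.can?(:read, Task),
    admin_class:       admin_ability.can?(:read, Task),
    # instance-level checks evaluate the condition
    user_own:          user_ability.can?(:read, own),
    user_others:       user_ability.can?(:read, others),
    admin_others:      admin_ability.can?(:read, others),
    # blank-instance probe from the last comment: matches the unconditioned
    # admin rule, not the user rule that requires person_id == 1
    user_blank:        user_ability.can?(:read, Task.new(nil, nil, nil)),
    admin_blank:       admin_ability.can?(:read, Task.new(nil, nil, nil)),
    # conditioned `cannot` is ignored at class level, applied on an instance
    moderator_class:   moderator.can?(:read, Task),
    moderator_archive: moderator.can?(:read, Task.new(2, "old", true)),
  }
end

demo.each { |check, result| puts "#{check}: #{result}" } if __FILE__ == $0
```

The takeaway for the admin-form question above is the `user_class`/`admin_class` pair: asking about the class tells you only that some rule for `:read` on `Task` exists, so the per-person restriction has to be asserted against an instance, as in `user_blank` versus `admin_blank`.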