I found out that CanCan adds " AND (1=0)" to the SQL query and breaks results, please look at this example:
class Partner::UsersController < Partner::BaseController
  load_and_authorize_resource class: PartnerUser
end
SELECT `users`.* FROM `users` INNER JOIN `partner_users` ON `users`.`id` = `partner_users`.`user_id` WHERE `partner_users`.`partner_id` = 1 AND (1=0)
If you have any suggestions I would be glad.
Please attach your ability file and the PartnerUser model.
I had the same issue with
downgrading to the latest stable 1.6.8 fixed that issue.
I had an almost blank ability:
user ||= User.new
can :read, Empfehlungscode
=> "SELECT `empfehlungscodes`.* FROM `empfehlungscodes` WHERE (1=0)"
=> "SELECT `empfehlungscodes`.* FROM `empfehlungscodes`"
I have the same problem, any suggestion to resolve it?
I was facing the same issue and solved it.
When the user is not allowed to :index and you try something like Model.accessible_by(current_ability).all it will add the WHERE (1=0) so as not to allow the user to list any item from the model.
can [:index], [Model]
And it will no longer add the WHERE (1=0).
I hope that helps... All the best!
I have also faced the same issue.
I have installed two versions (1.6.7 and 1.6.8) and configured cancan 1.6.7 in the Gemfile as
gem "cancan", "1.6.7"
If the user is allowed only the :show action, cancan will append WHERE (1=0) when we try Model.accessible_by(current_ability, :show).
There is no problem only on the first request after restarting the server.
I'm really confused by the behaviour of the :index ability. Where is it documented? I can't find it mentioned in the wiki.
@callumlocke - By default, cancan adds some functionality based on the CRUD routes. Defining the :index ability has no behavior by itself, but :read is aliased to [:index, :show].
Whenever you call Model#accessible_by(ability) without defining a permission explicitly, it defaults to :read. Defining :index will allow you to have more fine-grained control.
For instance, you may want to allow certain users to view individual phone numbers that aren't deleted, but never be able to list (or index) all phone numbers. You could do that like this:
# In the Ability class
can :show, PhoneNumber, :deleted => false
# Somewhere in controllers
phone = PhoneNumber.new
ability.can? :show, phone #=> true
PhoneNumber.accessible_by(ability, :index) #=>
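The rule matching this comment describes, as an added example that is not CanCan's or the project's own code: a stand-alone Ruby model in which `MiniAbility`, `where_sql` and the `PhoneNumber` stub are constructed names. It shows why a `can :show` rule alone fences an `:index` query with `(1=0)`, while `can :read` (aliased to `:index` and `:show`) or an explicit `can :index` rule does not.

```ruby
# Added example, not CanCan's own code: a minimal model of how CanCan 1.6
# matches an action against ability rules when building accessible_by's
# WHERE clause. Only the behaviour discussed in this thread is modelled:
# :read expands to :index and :show, and when no rule covers the requested
# action the query is fenced off with (1=0), so a missing :index rule yields
# zero rows, never every row. (:manage and block-based rules are omitted.)
class MiniAbility
  ALIASES = { read: [:index, :show], create: [:new], update: [:edit] }.freeze
  Rule = Struct.new(:actions, :subject, :conditions)

  def initialize
    @rules = []
  end

  # e.g. can :show, PhoneNumber, deleted: false
  def can(actions, subjects, conditions = {})
    Array(actions).product(Array(subjects)).each do |action, subject|
      @rules << Rule.new(expand(action), subject, conditions)
    end
  end

  # Rules whose alias-expanded action list covers the requested action.
  def rules_for(action, subject)
    @rules.select { |r| r.subject == subject && r.actions.include?(action) }
  end

  # Mirrors accessible_by: no rule => "(1=0)"; an unconditional rule => no
  # restriction (""); otherwise each conditions hash becomes one SQL group.
  def where_sql(action, subject)
    rules = rules_for(action, subject)
    return "(1=0)" if rules.empty?
    return "" if rules.any? { |r| r.conditions.empty? }
    rules.map { |r| "(" + r.conditions.map { |k, v| "#{k} = #{v.inspect}" }.join(" AND ") + ")" }
         .join(" OR ")
  end

  # Expand an action into itself plus its CanCan default aliases.
  def expand(action)
    [action] + (ALIASES[action] || [])
  end
end

class PhoneNumber; end # constructed stand-in for the model in the thread

if __FILE__ == $PROGRAM_NAME
  ability = MiniAbility.new
  ability.can :show, PhoneNumber, deleted: false
  puts ability.where_sql(:show, PhoneNumber)  # (deleted = false)
  puts ability.where_sql(:index, PhoneNumber) # (1=0)
end
```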