CanCan adds " AND (1=0)" to Sql Query #733

Open
swistaczek opened this Issue Aug 30, 2012 · 7 comments


Hi,
I found out that CanCan adds " AND (1=0)" to the SQL query and breaks the results; please look at this example:

class Partner::UsersController < Partner::BaseController
  load_and_authorize_resource class: PartnerUser
...
SELECT `users`.* FROM `users` INNER JOIN `partner_users` ON `users`.`id` = `partner_users`.`user_id` WHERE `partner_users`.`partner_id` = 1 AND (1=0)

If you have any suggestions I would be glad,
Thanks.


thedelchop commented Sep 24, 2012

Please attach your ability file and the PartnerUser model.

I had the same issue with

cancan 2.0.0.alpha

downgrading to latest stable 1.6.8 fixed that issue.
I had an almost blank ability:

class Ability
  include CanCan::Ability
  def initialize(user)
    user ||= User.new
    can :read, Empfehlungscode
  end
end
# 2.0.0.alpha
>> Empfehlungscode.accessible_by(Ability.new(User.first)).to_sql
=> "SELECT `empfehlungscodes`.* FROM `empfehlungscodes`  WHERE (1=0)"

# 1.6.8
=> "SELECT `empfehlungscodes`.* FROM `empfehlungscodes` "

vixlima commented Nov 1, 2012

Friends,

I have the same problem, any suggestion to resolve it?

Thanks

Andrew

Hi guys,

I was facing the same issue and solved it.

When the user is not allowed to :index and you try something like Model.accessible_by(current_ability).all it will add the WHERE (1=0) so as not to allow the user to list any item from the model.

Solution: add

can [:index], [Model]

And it will no longer add the WHERE (1=0).

I hope that helps... All the best!

jmaniv commented Aug 13, 2013

I have also faced the same issue.

I have installed two versions (1.6.7 and 1.6.8) and configured cancan 1.6.7 in the Gemfile as gem "cancan", "1.6.7"

If the user is allowed only the :show action, cancan will append WHERE (1=0) when we try Model.accessible_by(current_ability, :show).

There is no problem only on the first request after restarting the server.

I'm really confused by the behaviour of the :index ability. Where is it documented? I can't find it mentioned in the wiki.

@callumlocke - By default, cancan adds some functionality based on the CRUD routes. Defining the :index ability has no behavior by itself, but :read is aliased to [:index, :show].

https://github.com/ryanb/cancan/blob/master/lib/cancan/ability.rb#L303-309

Whenever you call Model#accessible_by(ability) without defining a permission explicitly, it defaults to :read. Defining :index will allow you to have more fine grained control.

For instance, you may want to allow certain users to view individual phone numbers that aren't deleted, but never be able to list (or index) all phone numbers. You could do that like this:

ability.can :show,
  PhoneNumber,
  deleted: false   # condition hash: only non-deleted numbers may be shown

ability.cannot :index,
  PhoneNumber

# Somewhere in controllers
phone = PhoneNumber.new
ability.can? :show, phone #=> true

PhoneNumber.accessible_by(ability, :index) #=> []