Getting inconsistent results when using load_and_authorize with except/only #761

Open
abitdodgy opened this Issue · 1 comment

2 participants

@abitdodgy

Sorry about the long code! Those two lines should behave the same, but they don't:

  load_and_authorize_resource       only: [:edit, :update, :destroy]
  load_and_authorize_resource   except: [:show, :new, :create]

Any idea why? When I change from only to except, I get this failure:

Failures:

  1) UsersPages signing up with valid info creates a new user
     Failure/Error: expect { sign_up_as_user attributes_for(:user) }.to change(User, :count).by(1)
     CanCan::AccessDenied:
       You are not authorized to access this page.
     # (eval):2:in `click_button'
     # ./spec/support/utilities.rb:13:in `sign_up_as_user'
     # ./spec/requests/users_pages_spec.rb:11:in `block (5 levels) in <top (required)>'
     # ./spec/requests/users_pages_spec.rb:11:in `block (4 levels) in <top (required)>'

  describe "signing up" do
    context "with valid info", focus: true do
      it "creates a new user" do
        visit signup_path
        expect { sign_up_as_user attributes_for(:user) }.to change(User, :count).by(1)
        page.should have_selector('title', text: "Welcome")
      end
    end
  end

The utility function sign_up_as_user makes no difference. Skipping it still causes the error, but here's the code:

def sign_up_as_user(user_attributes = {})
  fill_in "Name",         with: user_attributes[:name]
  fill_in "Email",        with: user_attributes[:email]
  fill_in "Password",     with: user_attributes[:password]
  fill_in "Confirmation", with: user_attributes[:password_confirmation]
  click_button "Sign up"
end

Here's my controller code:

class UsersController < ApplicationController
  before_filter :redirect_if_signed_in,  only: [:new, :create]
  before_filter :signed_in_user,            only: [:edit, :update, :destroy]

  # load_and_authorize_resource            only: [:edit, :update, :destroy]
  load_and_authorize_resource          except: [:show, :new, :create]

  def show
    ....
  end

  def new
    @user = User.new
  end

  def create
    @user = User.new(params[:user])
    if @user.save
      sign_in @user
      redirect_to welcome_path
    else
      render 'new'
    end
  end
  ....
end

Ability:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new

    can :read, :all
    can :create, User
    can :create, Group

    can [:update, :destroy], User do |requested_user|
      requested_user == user
    end
    ....
  end
end

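An `only:` list and an `except:` list cover the same actions only when every action the controller defines appears in one list or the other; any action outside both (an `index`, or any later-added action) is skipped by `only:` but covered by `except:`, so `except:` fails closed while `only:` fails open. The Ruby below is an added example, not code from the issue or from the CanCan project, that computes the covered set for each option over a controller's action list and reports where they disagree. It assumes a conventional RESTful action list and uses a hypothetical extra `:welcome` action as the constructed input.

```ruby
# Added example (not from the issue or from CanCan): compare which controller
# actions an `only:` list and an `except:` list cover. Action lists are
# constructed for illustration.

# Assumption: a conventional RESTful UsersController.
REST_ACTIONS = %i[index show new create edit update destroy].freeze

# The two lists from the issue.
ONLY_LIST   = %i[edit update destroy].freeze
EXCEPT_LIST = %i[show new create].freeze

# Actions a before_filter-style option (the mechanism load_and_authorize_resource
# relies on) runs for, given the controller's full action list.
def covered_actions(actions, only: nil, except: nil)
  raise ArgumentError, "pass only: or except:, not both" if only && except
  return actions & Array(only) if only
  return actions - Array(except) if except
  actions
end

# Compares an `only:` list against an `except:` list over the same controller.
# Returns what each covers and the actions on which the two disagree.
def compare_filters(actions, only_list:, except_list:)
  o = covered_actions(actions, only: only_list)
  e = covered_actions(actions, except: except_list)
  { only_covers: o, except_covers: e, differ_on: (o | e) - (o & e) }
end

if $PROGRAM_NAME == __FILE__
  # Full RESTful controller: the lists disagree on :index, which is in neither.
  rest = compare_filters(REST_ACTIONS, only_list: ONLY_LIST, except_list: EXCEPT_LIST)
  puts "RESTful controller, differ on: #{rest[:differ_on].inspect}"

  # Add a hypothetical :welcome action that is in neither list: `except:` now
  # authorizes it, `only:` silently leaves it unauthorized.
  extra = compare_filters(REST_ACTIONS + [:welcome], only_list: ONLY_LIST, except_list: EXCEPT_LIST)
  puts "With :welcome added, differ on: #{extra[:differ_on].inspect}"
end
```

Running the check against the real action list of a controller (the output of `UsersController.action_methods` in a Rails console) shows exactly which actions load_and_authorize_resource will run for under each form.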
@xhoy

Dear submitter, since cancan/ryanb hasn't been active for more than 6 months and nobody else than Ryan himself has commit permissions, the cancan project is at a standstill.
Since cancan has several issues, including missing support for Rails 4, cancan is moving forward to cancancan. More details on: #994

If you feel that your pull request or bug is still applicable (and hasn't been merged into cancan), it would be really appreciated if you would resubmit it to cancancan (https://github.com/cancancommunity/cancancan).

We hope to see you on the other side!
