:read ability not applied in the same way for "index" and for "show" #784

Open
arojoal opened this Issue Nov 24, 2012 · 2 comments


arojoal commented Nov 24, 2012

Hi, I'm using cancan 1.68 and I have a strange behaviour.

I have a Meeting and User models defined this way:

class Meeting < ActiveRecord::Base
  audited

  belongs_to :user
  has_many :meeting_users, :inverse_of => :meeting, :dependent => :restrict
  has_many :attendees, :through => :meeting_users, :source => :user
end

class User < ActiveRecord::Base
  has_many :meetings, :foreign_key => "user_id", :dependent => :restrict
  has_many :meeting_users, :dependent => :restrict
  has_many :attended_meetings, :through => :meeting_users, :source => :meeting
end

My ability model is like this:

class Ability
  include CanCan::Ability

  def initialize(user)
    #### MEETING access
    if user.role == "admin"
      can :manage, Meeting
    elsif user.role == "normal"
      can :read, Meeting, :user_id => user.id
      # condition value here is an array of Meeting records, not of ids
      can :read, Meeting, :id => user.attended_meetings, :state => "closed"
      can :create, Meeting
      can :update, Meeting, :user_id => user.id
    else
    end
    # .....
  end
end

When I test "read" access there is a strange behaviour... I have a user which is an "attendee" to a meeting. He has access to see this meeting in the list of meetings but he is not able to get that meeting in the "show" action... This is what I do with the console...

user = User.find_by_username("Alex Rojo")
ability = Ability.new(user)


1.9.2p320 :019 > Meeting.accessible_by(ability).first
  Meeting Load (0.4ms)  SELECT "meetings".* FROM "meetings" WHERE (("meetings"."id" IN (374648174, 51848956) AND "meetings"."state" = 'closed') OR (("meetings"."id" IN (281110143, 1018350795, 980190962) AND "meetings"."state" = 'closed') OR ("meetings"."user_id" = 1000831730))) LIMIT 1
 => #<Meeting id: 374648174, subject: "Prueba acceso seguidor a reunion cerrada", is_planned: false, start_datetime: "2012-11-04 17:31:42", end_datetime: nil, other_participants: "MyText", created_at: "2012-11-24 08:44:13", updated_at: "2012-11-24 08:44:13", user_id: 135138680, state: "closed", project_id: nil, is_periodic_meeting: false, parent_meeting_id: 298486374> 

1.9.2p320 :021 > ability.can?(:read , Meeting.accessible_by(ability).first)
  Meeting Load (0.3ms)  SELECT "meetings".* FROM "meetings" WHERE (("meetings"."id" IN (374648174, 51848956) AND "meetings"."state" = 'closed') OR (("meetings"."id" IN (281110143, 1018350795, 980190962) AND "meetings"."state" = 'closed') OR ("meetings"."user_id" = 1000831730))) LIMIT 1
 => false 

What is happening? How is it possible that I can't read a meeting that appears in the "accessible_by" list?

arojoal commented Nov 25, 2012

Hi, I've been able to solve the problem by changing the Ability model:

    elsif user.role == "normal"
        can :read, Meeting, :user_id => user.id
        can :read, Meeting, :id => user.attended_meetings, :state => "closed"

to:

    elsif user.role == "normal"
        can :read, Meeting, :user_id => user.id
        can :read, Meeting, :id => user.attended_meeting_ids, :state => "closed"

I think this is strange and it shouldn't happen. If a meeting appears as "accessible_by" it should always be ":readable", isn't it?
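The mismatch between the list and the show action comes down to how the two CanCan code paths treat a condition value that is an array of records. The following is an added example, not CanCan's code: a simplified, pure-Ruby re-implementation (an assumption about the library's internals, modelled on CanCan 1.6's `matches_conditions_hash?` and on the `IN (...)` SQL visible in the issue) of the in-memory check behind `can?` and of the query-side check behind `accessible_by`, run against constructed sample meetings. It shows why `:id => user.attended_meetings` passes the list path but fails the show path, while `:id => user.attended_meeting_ids` passes both.

```ruby
# Added example, not CanCan's own code. Meeting is a stand-in for the
# ActiveRecord model; the two matcher functions below are simplified
# models of CanCan's two authorization paths (assumption).
Meeting = Struct.new(:id, :user_id, :state)

# In-memory path, as used by `can?` on a loaded record (modelled on
# CanCan::Rule#matches_conditions_hash?): an Array or Range condition
# value is tested with `include?`, anything else with `==`.
# An array of Meeting records never `include?`s an Integer id, so the
# rule silently fails for every record.
def matches_in_memory?(record, conditions)
  conditions.all? do |attribute, value|
    actual = record.public_send(attribute)
    if value.is_a?(Array) || value.is_a?(Range)
      value.include?(actual)
    else
      actual == value
    end
  end
end

# Query path, as used by `accessible_by`: when the conditions hash is
# turned into a WHERE clause, record objects are replaced by their ids,
# which is why the issue's SQL shows `"meetings"."id" IN (...)` for both
# forms of the rule (assumption about the query builder).
def sql_in_values(value)
  Array(value).map { |v| v.is_a?(Meeting) ? v.id : v }
end

def matches_via_query?(record, conditions)
  conditions.all? do |attribute, value|
    actual = record.public_send(attribute)
    if value.is_a?(Array) || value.is_a?(Range)
      sql_in_values(value).include?(actual)
    else
      actual == value
    end
  end
end

# Constructed sample data: the attendee's meetings, one of them closed.
ATTENDED     = [Meeting.new(374648174, 135138680, "closed"),
                Meeting.new(51848956, 42, "open")]
ATTENDED_IDS = ATTENDED.map(&:id)
TARGET       = ATTENDED.first

RECORD_CONDITIONS = { id: ATTENDED,     state: "closed" } # the issue's original rule
ID_CONDITIONS     = { id: ATTENDED_IDS, state: "closed" } # the rule after the fix

# Returns the list (accessible_by) and show (can?) outcome for one rule.
def outcome(conditions)
  { list: matches_via_query?(TARGET, conditions),
    show: matches_in_memory?(TARGET, conditions) }
end

if __FILE__ == $PROGRAM_NAME
  puts "records as condition: #{outcome(RECORD_CONDITIONS)}"
  puts "ids as condition:     #{outcome(ID_CONDITIONS)}"
end
```

The practical consequence is that a rule that only ever passes through `accessible_by` can look correct in an index view while every per-record `can?` check (and therefore every `authorize!` in a show or update action) fails closed. The defensive habit is to express `:id` conditions with ids rather than records, and to have tests exercise both `accessible_by` and `can?` on the same record so the two paths cannot drift apart.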

xhoy commented Apr 10, 2014

Dear submitter, since cancan/ryanb hasn't been active for more than 6 months and nobody else than ryan himself has commit permissions, the cancan project is at a standstill.
Since cancan has several issues including missing support for Rails 4, cancan is moving forward to cancancan. More details on: #994

If you feel that your pull request or bug is still applicable (and hasn't been merged into cancan) it would be really appreciated if you would resubmit it to cancancan (https://github.com/cancancommunity/cancancan)

We hope to see you on the other side!
