
Problem in authorizing nil object with singleton #802

Open
jmaniv opened this Issue · 1 comment

2 participants

@jmaniv

I am using cancan 1.6.8 in my application

ApplicationController.rb

```ruby
rescue_from ActiveRecord::RecordNotFound, :with => :throw_404

def throw_404
  redirect_to root_path, :flash => {:error => "Record not found"}
  #render :text => "40sdfasdfsdfsadf4 Not Found", :status => 404
end
```

routes.rb

```ruby
resources :projects do
  resources :tasks
end
```

models/project.rb

```ruby
has_one :task
```

ability.rb

```ruby
# Inside Ability#initialize(user): the ability receives the user it is
# built for as `user`; `current_user` is a controller helper and is not
# available here.
can :read, Project, :user_id => user.id
can :manage, Task, :project => {:user_id => user.id}
```

tasks_controller.rb

```ruby
class TasksController < ApplicationController
  load_and_authorize_resource :project
  # Task is a has_one on Project (see routes.rb and models/project.rb),
  # so the parent is :project and the task is loaded via @project.task.
  load_and_authorize_resource :task, :through => :project, :singleton => true

  def show
    puts @task #=> nil
  end
end
```

url: http://localhost:3000/projects/2/tasks/1
Problem: CanCan doesn't authorize a nil object, which means CanCan doesn't redirect to root_path even when the @task object (@project.task) is nil (CanCan allows access to the show method).
This happens only for singletons. I tested with a has_many association (project has_many tasks) and it redirects with a record not found exception.

I fixed this issue by calling `authorize! :read, @task` manually inside my show method; only then does CanCan redirect to root_path, but I already have load_and_authorize_resource :task at the beginning of my TasksController.

How does CanCan authorize a nil object?
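The behaviour described in the issue, reduced to plain Ruby as an added example (this is not CanCan's code and not code from the issue author): when the loaded singleton instance is nil, CanCan 1.6 falls back to authorizing the resource class, so the hash conditions on the rule are never compared against a record and the action passes. The `MiniAbility` class, the `Struct` stand-ins for `User`, `Project` and `Task`, and the two `*_authorize` helpers are all assumptions made for this example; the rules inside `build_ability` are the ones from the issue. The stricter helper treats a nil singleton as a missing record and raises the same error the `rescue_from` handler above already catches.

```ruby
# Added example, not CanCan's code: a stripped-down model of how a
# load_and_authorize_resource ... :singleton => true check behaves when the
# loaded record is nil, plus a stricter check that treats nil as "not found".
# All classes below are constructed stand-ins; no Rails or cancan gem needed.

User    = Struct.new(:id)
Project = Struct.new(:id, :user_id, :task)      # has_one :task, so task may be nil
Task    = Struct.new(:id, :project)

class RecordNotFound < StandardError; end       # stands in for ActiveRecord::RecordNotFound
class AccessDenied   < StandardError; end       # stands in for CanCan::AccessDenied

# Minimal ability evaluator with CanCan-style hash conditions. Assumed semantics:
# :manage matches every action, :read covers :index and :show, and a class-level
# subject passes if any rule exists for that class, because there is no record
# to test the conditions against.
class MiniAbility
  Rule    = Struct.new(:action, :subject_class, :conditions)
  ALIASES = { :read => [:index, :show] }

  def initialize(user)
    @user  = user
    @rules = []
  end

  def can(action, subject_class, conditions = {})
    @rules << Rule.new(action, subject_class, conditions)
  end

  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule|
      next false unless rule.subject_class == klass
      next false unless rule.action == :manage || rule.action == action ||
                        ALIASES.fetch(rule.action, []).include?(action)
      subject.is_a?(Class) || conditions_match?(subject, rule.conditions)
    end
  end

  def authorize!(action, subject)
    unless can?(action, subject)
      raise AccessDenied, "not allowed to #{action} #{subject.is_a?(Class) ? subject : subject.class}"
    end
    true
  end

  private

  # Nested hashes walk associations, e.g. :project => {:user_id => 1}.
  def conditions_match?(record, conditions)
    conditions.all? do |attr, expected|
      value = record.public_send(attr)
      if expected.is_a?(Hash)
        !value.nil? && conditions_match?(value, expected)
      else
        value == expected
      end
    end
  end
end

# The rules from the issue; the Ability receives the user it is built for.
def build_ability(user)
  MiniAbility.new(user).tap do |a|
    a.can :read,   Project, :user_id => user.id
    a.can :manage, Task,    :project => {:user_id => user.id}
  end
end

# Mirrors the fallback CanCan 1.6 makes when the loaded instance is nil:
# it authorizes the class instead, so a missing singleton record is never
# compared against the hash conditions and the request goes through.
def lenient_authorize(ability, action, instance, klass)
  ability.authorize!(action, instance || klass)
end

# Stricter variant: a nil singleton is a missing record, not a class-level
# permission question. Raise the error the rescue_from handler already catches.
def strict_singleton_authorize(ability, action, instance)
  raise RecordNotFound, "singleton record is missing" if instance.nil?
  ability.authorize!(action, instance)
end

if __FILE__ == $0
  owner   = User.new(1)
  project = Project.new(2, owner.id, nil)        # constructed: project 2 has no task yet
  ability = build_ability(owner)
  puts lenient_authorize(ability, :show, project.task, Task)   # true: slips through
  begin
    strict_singleton_authorize(ability, :show, project.task)
  rescue RecordNotFound => e
    puts "strict check: #{e.message}"
  end
end
```

In a real controller the equivalent of `strict_singleton_authorize` is a `before_filter` on the singleton actions that raises `ActiveRecord::RecordNotFound` when the loaded instance is nil, so the existing `rescue_from` redirect applies uniformly to both the has_many and the has_one cases.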

@xhoy

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is on a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!
