Problem in authorizing nil object with singleton #802

jmaniv opened this Issue Jan 10, 2013 · 1 comment


None yet
2 participants

jmaniv commented Jan 10, 2013

I am using cancan 1.6.8 in my application


rescue_from ActiveRecord::RecordNotFound, :with => :throw_404
def throw_404
   redirect_to root_path, :flash => {:error => "Record not found"}
   #render :text => "40sdfasdfsdfsadf4 Not Found", :status => 404


resources :projects do
  resources :tasks


has_one :task


can :read, Project, :user_id =>
can :manage, Task, :project => {:user_id =>}


class TasksController < ApplicationController
  load_and_authorize_resource :project
  load_and_authorize_resource :task, :through => :lab_visit, :singleton => true

  def show
    puts @task #=> nil

url: http://localhost:3000/projects/2/tasks/1
Problem: CanCan doesn't authorize for nil object that means CanCan doesn't redirect to root_path even @task object(@project.task) is nil (cancan allows to access show method).
this happen only for singleton. I tested with has_many association(project has_many tasks) and redirecting with record not found exception.

I fixed this issue by calling authorize! :read, @task manually inside my show method then only cancan redirecting to root_path but I have already loaded load_and_authorize_resource :task in beginning of my TasksController.

How does CanCan authorize nil object ?

xhoy commented Jul 1, 2014

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is on a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment