accessible_by returns records but can? returns false #814

Closed
jan0sch opened this Issue · 3 comments

3 participants

@jan0sch

Hi,

in my app reviewers can review submitted papers by creating a paper review. The author of the paper should be able to read the review.

ability.rb

if user.role == "reviewer"
  ...
  can :read, PaperReview, :reviewer_id => user.reviewer_ids
  can :update, PaperReview, :reviewer_id => user.reviewer_ids
elsif user.role == "author"
  ...
  can :create, Paper
  can :manage, Paper, :lecturer_id => user.lecturer_ids
  can :read, Paper, :lecturer_id => user.lecturer_ids
  cannot :approve, Paper
  cannot :read, PaperReview
  can :read, PaperReview, :paper_id => Paper.where(:lecturer_id => user.lecturer_ids)
end

Because my specs failed I fired up a console and did some debugging.

irb(main):003:0> PaperReview.accessible_by(ability)
  PaperReview Load (0.3ms)  SELECT "paper_reviews".* FROM "paper_reviews" WHERE "paper_reviews"."paper_id" IN (SELECT "papers"."id" FROM "papers" WHERE "papers"."lecturer_id" IN (1))
=> [#<PaperReview id: 1, paper_id: 1, reviewer_id: 1, approval_status: "good", reasons: "blabla", created_at: "2013-01-29 13:15:45", updated_at: "2013-01-29 13:19:17">, #<PaperReview id: 2, paper_id: 1, reviewer_id: 2, approval_status: "very_good", reasons: "sdsada sada", created_at: "2013-01-29 13:15:45", updated_at: "2013-01-29 13:19:39">]
irb(main):004:0> p = PaperReview.first
  PaperReview Load (0.2ms)  SELECT "paper_reviews".* FROM "paper_reviews" LIMIT 1
=> #<PaperReview id: 1, paper_id: 1, reviewer_id: 1, approval_status: "good", reasons: "blabla", created_at: "2013-01-29 13:15:45", updated_at: "2013-01-29 13:19:17">
irb(main):005:0> ability.can?(:read, p)
=> false

The method accessible_by behaves as expected but can? returns false no matter what.

The funny thing is that ability.can?(:read, PaperReview) returns true instead of false.

@fmendez

I tried reproducing this, but I'm actually getting true for the can? call. Additionally, why should the ability.can?(:read,PaperReview) return false? Isn't this line can :read, PaperReview, :reviewer_id => user.reviewer_ids implying that it should return true?

1.9.2-p290 :014 > PaperReview.accessible_by(ability)
  PaperReview Load (0.1ms)  SELECT "paper_reviews".* FROM "paper_reviews" WHERE "paper_reviews"."reviewer_id" = 1
 => [#<PaperReview id: 1, created_at: "2013-02-17 16:53:20", updated_at: "2013-02-17 16:55:11", reviewer_id: 1, approval_status: "good", reason: "blabla">] 
1.9.2-p290 :015 > p = PaperReview.first
  PaperReview Load (0.2ms)  SELECT "paper_reviews".* FROM "paper_reviews" LIMIT 1
 => #<PaperReview id: 1, created_at: "2013-02-17 16:53:20", updated_at: "2013-02-17 16:55:11", reviewer_id: 1, approval_status: "good", reason: "blabla"> 
1.9.2-p290 :016 > ability.can?(:read,p)
 => true 
1.9.2-p290 :017 > ability.can?(:read,PaperReview)
 => true 
@jan0sch

The rights for the role "reviewer" are okay but the rights for the role "author" have the problem I have mentioned. Maybe that is because there is no direct connection between the models.

  ...
  cannot :read, PaperReview
  can :read, PaperReview, :paper_id => Paper.where(:lecturer_id => user.lecturer_ids)
  ...

An author user can have multiple lecturer ids (lecturers) and a lecturer can submit several papers. A paper review contains the id of the paper. The author should be able to read the review. As mentioned accessible_by returns the correct set of records but can? returns false on a paper review for the author of the paper.
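
As an added illustration (not code from the issue or from CanCan itself), the pure-Ruby sketch below shows why a rule whose condition value is a query object can pass accessible_by yet fail can?: accessible_by renders the rule into SQL, while can? compares the record's attribute in Ruby, where an integer only matches a value it equals or an Array/Range that contains it. FakeRelation, the simplified matcher and the id-array fix are assumptions standing in for Paper.where(...), the gem's matching logic and Paper.where(...).pluck(:id).

```ruby
# Constructed stand-in for an ActiveRecord relation such as
# Paper.where(:lecturer_id => [1]): it can become a SQL subquery,
# but it is not an Array of ids and never == an Integer.
class FakeRelation
  def initialize(ids); @ids = ids; end
  def to_sql; "SELECT papers.id FROM papers WHERE papers.id IN (#{@ids.join(',')})"; end
  def pluck_ids; @ids; end # plays the role of Paper.where(...).pluck(:id)
end

PaperReview = Struct.new(:id, :paper_id, :reviewer_id)

# Simplified in-memory hash-condition check, modelled on how a single
# record is tested for can? (assumption: Array/Range use include?,
# any other value must be ==). Stand-in, not the gem's code.
def matches_conditions?(record, conditions)
  conditions.all? do |attr, value|
    actual = record.public_send(attr)
    case value
    when Array, Range then value.include?(actual)
    else actual == value
    end
  end
end

# Simplified SQL rendering of the same hash, standing in for accessible_by.
def conditions_to_sql(conditions)
  conditions.map do |attr, value|
    case value
    when FakeRelation then "#{attr} IN (#{value.to_sql})"
    when Array then "#{attr} IN (#{value.join(',')})"
    else "#{attr} = #{value}"
    end
  end.join(" AND ")
end

def demo
  review = PaperReview.new(1, 1, 1)                     # constructed record
  lecturer_papers = FakeRelation.new([1])               # Paper.where(:lecturer_id => [1])
  broken = { :paper_id => lecturer_papers }             # rule as written in the issue
  fixed  = { :paper_id => lecturer_papers.pluck_ids }   # rule with an Array of ids
  {
    :broken_sql => conditions_to_sql(broken),           # subquery: accessible_by works
    :broken_can => matches_conditions?(review, broken), # false: 1 == relation
    :fixed_sql  => conditions_to_sql(fixed),            # plain IN list
    :fixed_can  => matches_conditions?(review, fixed)   # true: [1].include?(1)
  }
end
```

Both variants produce a usable SQL filter, which is why accessible_by looked correct in the console; only the Array form also satisfies the per-record check.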

@xhoy

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is on a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!

@jan0sch jan0sch closed this