
accessible_by returns records but can? returns false #814

Closed
jan0sch opened this Issue Jan 29, 2013 · 3 comments


jan0sch commented Jan 29, 2013

Hi,

in my app reviewers can review submitted papers by creating a paper review. The author of the paper should be able to read the review.

ability.rb

if user.role == "reviewer"
  ...
  can :read, PaperReview, :reviewer_id => user.reviewer_ids
  can :update, PaperReview, :reviewer_id => user.reviewer_ids
elsif user.role == "author"
  ...
  can :create, Paper
  can :manage, Paper, :lecturer_id => user.lecturer_ids
  can :read, Paper, :lecturer_id => user.lecturer_ids
  cannot :approve, Paper
  cannot :read, PaperReview
  can :read, PaperReview, :paper_id => Paper.where(:lecturer_id => user.lecturer_ids)
end

Because my specs failed I fired up a console and did some debugging.

irb(main):003:0> PaperReview.accessible_by(ability)
  PaperReview Load (0.3ms)  SELECT "paper_reviews".* FROM "paper_reviews" WHERE "paper_reviews"."paper_id" IN (SELECT "papers"."id" FROM "papers" WHERE "papers"."lecturer_id" IN (1))
=> [#<PaperReview id: 1, paper_id: 1, reviewer_id: 1, approval_status: "good", reasons: "blabla", created_at: "2013-01-29 13:15:45", updated_at: "2013-01-29 13:19:17">, #<PaperReview id: 2, paper_id: 1, reviewer_id: 2, approval_status: "very_good", reasons: "sdsada sada", created_at: "2013-01-29 13:15:45", updated_at: "2013-01-29 13:19:39">]
irb(main):004:0> p = PaperReview.first
  PaperReview Load (0.2ms)  SELECT "paper_reviews".* FROM "paper_reviews" LIMIT 1
=> #<PaperReview id: 1, paper_id: 1, reviewer_id: 1, approval_status: "good", reasons: "blabla", created_at: "2013-01-29 13:15:45", updated_at: "2013-01-29 13:19:17">
irb(main):005:0> ability.can?(:read, p)
=> false

The method accessible_by behaves as expected, but can? returns false no matter what.

The funny thing is that ability.can?(:read, PaperReview) returns true instead of false.

fmendez commented Feb 17, 2013

I tried reproducing this, but I'm actually getting true for the can? call. Additionally, why should ability.can?(:read, PaperReview) return false? Isn't this line can :read, PaperReview, :reviewer_id => user.reviewer_ids implying that it should return true?

1.9.2-p290 :014 > PaperReview.accessible_by(ability)
  PaperReview Load (0.1ms)  SELECT "paper_reviews".* FROM "paper_reviews" WHERE "paper_reviews"."reviewer_id" = 1
 => [#<PaperReview id: 1, created_at: "2013-02-17 16:53:20", updated_at: "2013-02-17 16:55:11", reviewer_id: 1, approval_status: "good", reason: "blabla">] 
1.9.2-p290 :015 > p = PaperReview.first
  PaperReview Load (0.2ms)  SELECT "paper_reviews".* FROM "paper_reviews" LIMIT 1
 => #<PaperReview id: 1, created_at: "2013-02-17 16:53:20", updated_at: "2013-02-17 16:55:11", reviewer_id: 1, approval_status: "good", reason: "blabla"> 
1.9.2-p290 :016 > ability.can?(:read,p)
 => true 
1.9.2-p290 :017 > ability.can?(:read,PaperReview)
 => true 

jan0sch commented Feb 17, 2013

The rights for the role "reviewer" are okay but the rights for the role "author" have the problem I have mentioned. Maybe that is because there is no direct connection between the models.

  ...
  cannot :read, PaperReview
  can :read, PaperReview, :paper_id => Paper.where(:lecturer_id => user.lecturer_ids)
  ...

An author user can have multiple lecturer ids (lecturers) and a lecturer can submit several papers. A paper review contains the id of the paper. The author should be able to read the review. As mentioned accessible_by returns the correct set of records but can? returns false on a paper review for the author of the paper.
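To show why the two checks disagree, here is an added example (not code from this issue or from CanCan itself) that models the two code paths with a stand-in for an ActiveRecord::Relation. accessible_by turns the condition into SQL, so a relation value becomes an IN (subquery) and works; can? evaluates the same hash in Ruby against the loaded record, and a relation is neither an Array nor a Range, so CanCan falls back to == and the rule never matches. Passing a plain array of ids (e.g. Paper.where(...).pluck(:id), assumed available on the Rails version in use) makes both paths agree.

```ruby
# Minimal stand-in for an ActiveRecord::Relation (assumption: a real relation
# responds to to_sql and is not an Array, which is all this example relies on).
class FakeRelation
  attr_reader :ids

  def initialize(ids)
    @ids = ids
  end

  def to_sql
    "SELECT id FROM papers WHERE lecturer_id IN (#{ids.join(', ')})"
  end
end

PaperReview = Struct.new(:id, :paper_id, :reviewer_id)

# Mirrors how CanCan 1.x's Rule#matches_conditions_hash? treats a flat hash:
# Array/Range values use include?, anything else is compared with ==.
def matches_in_ruby?(record, conditions)
  conditions.all? do |attr, value|
    actual = record.public_send(attr)
    case value
    when Array, Range then value.include?(actual)
    else actual == value # Integer == FakeRelation is always false
    end
  end
end

# Mirrors what accessible_by hands to the database for the same hash:
# a relation becomes a subquery, a list of ids becomes an IN list.
def where_clause(conditions)
  conditions.map do |attr, value|
    inner = value.respond_to?(:to_sql) ? value.to_sql : Array(value).join(', ')
    "#{attr} IN (#{inner})"
  end.join(' AND ')
end

REVIEW = PaperReview.new(1, 1, 1)                  # constructed sample record
BROKEN = { paper_id: FakeRelation.new([1]) }       # the condition from the issue
FIXED  = { paper_id: [1] }                         # e.g. Paper.where(...).pluck(:id)

puts where_clause(BROKEN)             # subquery: accessible_by is happy
puts matches_in_ruby?(REVIEW, BROKEN) # false: can? denies every review
puts matches_in_ruby?(REVIEW, FIXED)  # true: both paths now agree
```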

xhoy commented Jul 1, 2014

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is at a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!

@jan0sch jan0sch closed this Aug 28, 2015
