Class match kind_of? for extended models #815

Open
srcnix opened this Issue Jan 30, 2013 · 2 comments


@srcnix

Just a heads up, I've spent a few hours trying to work out why two model checks with can? were returning true, despite only one being set for the user. Take the following as an example:

class Support::Ticket
  ...
end

class Support::AccountTicket < Support::Ticket
  ...
end

The above two models need to act as separate permissions.

class Ability
  def initialize(user) 
    can :update, Support::Ticket
    # cannot :update, Support::AccountTicket
  end
end

Checking against Support::AccountTicket returns true, as it inherits from Support::Ticket.

current_user.can?(:update, Support::Ticket)
>> true
current_user.can?(:update, Support::AccountTicket)
>> true

The issue seems to lie in the matches_subject_class? method: https://github.com/ryanb/cancan/blob/master/lib/cancan/rule.rb#L93

kind_of? checks superclasses, so it may be worth rewriting this, or at least allowing a class to have an option set to ignore superclasses on checks, as I can see inheritance checks actually being useful in a different scenario.
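
The behaviour reported above, as an added example that is not part of the original post and not CanCan's code: a self-contained model of class-based rule matching that shows the inherited grant, the explicit `cannot` override hinted at in the commented-out line, and an exact-match option like the one proposed. `MiniAbility`, the `exact:` option and `inherited_grants` are hypothetical names, and the "last matching rule wins" ordering is an assumption of this model.

```ruby
# Added example: a minimal stand-in for a rule-based ability (NOT CanCan's code).
module Support
  class Ticket; end
  class AccountTicket < Ticket; end
end

class MiniAbility # hypothetical class
  Rule = Struct.new(:allow, :action, :subject, :exact)

  def initialize
    @rules = []
  end

  def can(action, subject, exact: false)
    @rules << Rule.new(true, action, subject, exact)
  end

  def cannot(action, subject, exact: false)
    @rules << Rule.new(false, action, subject, exact)
  end

  # Assumption of this model: the most recently defined matching rule wins.
  def can?(action, subject)
    klass = subject.is_a?(Module) ? subject : subject.class
    rule = @rules.reverse.find { |r| r.action == action && matches?(r, klass) }
    rule ? rule.allow : false
  end

  # Audit helper: classes allowed only through an ancestor's rule,
  # with no rule of their own for this action.
  def inherited_grants(action, candidates)
    candidates.select do |k|
      can?(action, k) && @rules.none? { |r| r.action == action && r.subject == k }
    end
  end

  private

  # Loose matching accepts the class or any subclass, like kind_of?;
  # exact matching accepts only the class itself.
  def matches?(rule, klass)
    rule.exact ? klass == rule.subject : klass <= rule.subject
  end
end

ability = MiniAbility.new
ability.can :update, Support::Ticket
p ability.inherited_grants(:update, [Support::Ticket, Support::AccountTicket])
```

Running a check like `inherited_grants` over every model subclass in a test suite surfaces permissions that were granted by inheritance rather than by an explicit rule.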

@srcnix

I'm afraid I haven't time to find a solution myself, as I have a workaround that's just as useful and more tailored for my requirements.

@xhoy

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is at a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!
