STI and checking permissions using a hash #915

Closed
chrisroos opened this Issue Aug 8, 2013 · 4 comments

2 participants

@chrisroos

I've got an STI model with a has_many association (Page and BlogPost). My permissions are set up such that a user can :read the child object (Comment) if they authored the parent object.

Checking the permissions using can? :read, <instance-of-comment> works as I'd expect.

Checking the permissions using can? :read, <instance-of-page> => Comment works as I'd expect.

Checking the permissions using can? :read, <instance-of-blog-post> => Comment doesn't work as I'd expect: it always reports that the user can read the comment. I think I'd expect CanCan to 'know' that a BlogPost is a subclass of Page and check the permissions accordingly.

I've got a demo application including a failing test that illustrates this problem in more detail - https://github.com/chrisroos/cancan-rails-sti-play. The failing test is at https://github.com/chrisroos/cancan-rails-sti-play/blob/master/test/models/ability_test.rb#L66

Does this seem like a problem or am I misunderstanding CanCan's behaviour?

@jaredbeck

It looks like maybe cancan doesn't support inheritance in nested resources. I may have reproduced this issue with a failing spec in spec/cancan/ability_spec.rb:

jaredbeck@879c802

If you want to work on adding this new feature, you might check out rule#nested_subject_matches_conditions?.

Or, as a workaround, you could try adding another rule in your Ability, eg.

can :read, Comment, blogpost: {user_id: user.id}

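As an added illustration (not code from this issue or from CanCan itself), here is a toy reconstruction of the nested-subject check, assuming it looks the parent's conditions up by parent.class.name.downcase; it shows why the BlogPost parent falls through to "allowed" and why the extra blogpost rule closes that gap. ToyRule, comment_readable_through?, original_rule and patched_rule are names invented for this example.

```ruby
# Added toy model, NOT CanCan's source. It reconstructs the lookup that
# Rule#nested_subject_matches_conditions? is assumed to perform for
# can? :read, parent => Comment: conditions[parent.class.name.downcase.to_sym].

class Page
  attr_reader :user_id
  def initialize(user_id)
    @user_id = user_id
  end
end

class BlogPost < Page; end  # STI subclass of Page

class ToyRule
  def initialize(conditions)
    @conditions = conditions
  end

  # Looks up the hash condition for the parent's own class name only.
  # A BlogPost parent finds no :blogpost key, gets {} instead, and an
  # empty hash is vacuously satisfied: the check fails open.
  def nested_subject_matches?(parent)
    key  = parent.class.name.downcase.to_sym
    cond = @conditions[key] || {}
    cond.all? { |attr, value| parent.public_send(attr) == value }
  end
end

# Rule from the issue: can :read, Comment, page: { user_id: user.id }
def original_rule(user_id)
  { page: { user_id: user_id } }
end

# Workaround from the thread: also declare blogpost: { user_id: user.id }
def patched_rule(user_id)
  { page: { user_id: user_id }, blogpost: { user_id: user_id } }
end

def comment_readable_through?(conditions, parent)
  ToyRule.new(conditions).nested_subject_matches?(parent)
end

if __FILE__ == $PROGRAM_NAME
  post = BlogPost.new(1)                                # authored by user 1
  p comment_readable_through?(original_rule(2), post)  # true: user 2 gets through
  p comment_readable_through?(patched_rule(2), post)   # false
end
```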
@chrisroos

Thanks for looking into it, @jaredbeck.

Rather than adding another rule to our Ability, I ended up avoiding the :through option in our calls to authorize_resource. As far as I can see it's the :through option in combination with STI models that results in the can? <permission>, <instance-of-parent> => <class-of-child> format being used. Without the :through option, we can rely on checking the permission using an <instance-of-child> which works correctly.

I'm not planning to try to fix this problem but figure this ticket might be useful for anyone else coming up against the same thing.

@jaredbeck

I ended up avoiding the :through option ..

I'm glad you found a workaround.

I'm not planning to try to fix this problem ..

That's fine. Cancan doesn't seem to be accepting any pull requests these days, anyway. Please go ahead and close this.

@chrisroos

Closing as per @jaredbeck's suggestion.

@chrisroos chrisroos closed this Aug 16, 2013