STI and checking permissions using a hash #915

Closed
chrisroos opened this Issue · 4 comments

2 participants

@chrisroos

I've got an STI model with a has_many association (Page and BlogPost). My permissions are set up such that a user can :read the child object (Comment) if they authored the parent object.

Checking the permissions using can? :read, <instance-of-comment> works as I'd expect.

Checking the permissions using can? :read, <instance-of-page> => Comment works as I'd expect.

Checking the permissions using can? :read, <instance-of-blog-post> => Comment doesn't work as I'd expect: It always reports that the user can read the comment. I think I'd expect CanCan to 'know' that a BlogPost is a subclass of Page and check the permissions accordingly.

I've got a demo application including a failing test that illustrates this problem in more detail - https://github.com/chrisroos/cancan-rails-sti-play. The failing test is at https://github.com/chrisroos/cancan-rails-sti-play/blob/master/test/models/ability_test.rb#L66

Does this seem like a problem or am I misunderstanding CanCan's behaviour?

@jaredbeck

It looks like maybe cancan doesn't support inheritance in nested resources. I may have reproduced this issue with a failing spec in spec/cancan/ability_spec.rb:

jaredbeck@879c802

If you want to work on adding this new feature, you might check out rule#nested_subject_matches_conditions?.

Or, as a workaround, you could try adding another rule in your Ability, eg.

can :read, Comment, blogpost: {user_id: user.id}

@chrisroos

Thanks for looking into it, @jaredbeck.

Rather than adding another rule to our Ability, I ended up avoiding the :through option in our calls to authorize_resource. As far as I can see it's the :through option in combination with STI models that results in the can? <permission>, <instance-of-parent> => <class-of-child> format being used. Without the :through option, we can rely on checking the permission using an <instance-of-child> which works correctly.

I'm not planning to try to fix this problem but figure this ticket might be useful for anyone else coming up against the same thing.
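An added example, not code from the original issue, the linked demo application, or CanCan itself: a stand-alone Ruby model of the three checks discussed in this thread (the plain `can? :read, comment` check, the `parent_instance => Comment` form produced by `:through`, and the extra `blogpost:` rule suggested as a workaround). It does not load the gem. The class names, the assumption that the nested-subject lookup keys the rule's conditions by the parent's own lower-cased class name, and the assumption that a missing key falls back to an empty (always-matching) condition hash are mine; they reproduce the behaviour described above but are not a claim about the library's source.

```ruby
# Added example for this issue thread; it is not CanCan's code and does not
# load the gem. It models hash-condition rule matching against a constructed
# STI-style hierarchy so the behaviour discussed above can be checked offline.
# Assumptions (not from the page): the nested-subject lookup keys conditions
# by parent.class.name.downcase, and an absent key matches unconditionally.

# Constructed stand-ins for the models in the issue; no ActiveRecord.
class Page
  attr_reader :user_id
  def initialize(user_id)
    @user_id = user_id
  end
end

class BlogPost < Page; end   # STI subclass of Page

class Comment
  attr_reader :page          # belongs_to :page in the real application
  def initialize(page)
    @page = page
  end
end

# A rule such as `can :read, Comment, page: { user_id: user.id }`.
Rule = Struct.new(:action, :subject_class, :conditions)

# Recursively check a conditions hash against an object: nested hashes
# follow an association (comment.page), leaves compare attribute values.
# An empty hash matches unconditionally.
def conditions_match?(object, conditions)
  conditions.all? do |attr, expected|
    actual = object.public_send(attr)
    expected.is_a?(Hash) ? conditions_match?(actual, expected) : actual == expected
  end
end

# can? :read, comment_instance -- conditions are walked from the Comment, so
# page: { user_id: } reaches comment.page.user_id whatever Page subclass it is.
def direct_can?(rule, action, subject)
  return false unless rule.action == action && subject.is_a?(rule.subject_class)
  conditions_match?(subject, rule.conditions)
end

# can? :read, parent_instance => Comment (the :through form).
# Naive lookup keyed on the parent's own class name: a BlogPost parent yields
# :blogpost, a rule written with :page is never consulted, and the empty
# fallback hash matches, so the check reports "allowed" for any author.
def naive_nested_can?(rule, action, parent, child_class)
  return false unless rule.action == action && rule.subject_class == child_class
  key = parent.class.name.downcase.to_sym
  conditions_match?(parent, rule.conditions.fetch(key, {}))
end

# Inheritance-aware lookup: try the parent's class, then each superclass up to
# Object, so a BlogPost parent is checked against the :page condition.
def sti_nested_can?(rule, action, parent, child_class)
  return false unless rule.action == action && rule.subject_class == child_class
  keys = parent.class.ancestors
                     .take_while { |k| k != Object }
                     .select { |k| k.is_a?(Class) }
                     .map { |k| k.name.downcase.to_sym }
  key = keys.find { |k| rule.conditions.key?(k) }
  conditions_match?(parent, key ? rule.conditions[key] : {})
end

OWNER_ID = 1
PAGE_RULE     = Rule.new(:read, Comment, { page: { user_id: OWNER_ID } })
# The extra rule suggested in the thread as a workaround.
BLOGPOST_RULE = Rule.new(:read, Comment, { blogpost: { user_id: OWNER_ID } })

# Outcomes for a comment under a BlogPost authored by somebody else.
def demo
  foreign_post = BlogPost.new(99)
  {
    direct_check:     direct_can?(PAGE_RULE, :read, Comment.new(foreign_post)),
    naive_nested:     naive_nested_can?(PAGE_RULE, :read, foreign_post, Comment),
    sti_aware_nested: sti_nested_can?(PAGE_RULE, :read, foreign_post, Comment),
    workaround_rule:  naive_nested_can?(BLOGPOST_RULE, :read, foreign_post, Comment),
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Run with `ruby` and `demo` prints `direct_check: false`, `naive_nested: true` (the behaviour reported in the issue), `sti_aware_nested: false`, `workaround_rule: false`. Note that the naive lookup's "allowed by default" result comes from the empty fallback hash, so any rule whose condition key does not match the parent's class name silently grants access; walking the ancestor chain, as `sti_nested_can?` does, is one way the "new feature" mentioned above could be approached, but it is this example's choice, not the project's.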

@jaredbeck

I ended up avoiding the :through option ..

I'm glad you found a workaround.

I'm not planning to try to fix this problem ..

That's fine. Cancan doesn't seem to be accepting any pull requests these days, anyway. Please go ahead and close this.

@chrisroos

Closing as per @jaredbeck's suggestion.

@chrisroos chrisroos closed this