This repository has been archived by the owner on Dec 12, 2021. It is now read-only.

CanCan overly permissive with hash of conditions #929

Closed
shanesuofi opened this issue Sep 5, 2013 · 1 comment
Comments

@shanesuofi

This issue is also on Stack Overflow.
http://stackoverflow.com/questions/18643913/rails-cancan-overly-permissive-with-hash-of-conditions

I'm having an issue with CanCan allowing access, when I don't think it should, when using a hash of conditions.

I have a Rails model/table called projects, which controls access to documents and collections (sets of documents). Projects may be accessed by multiple users, called collaborators, if given permission by the project owner. There is also a collaborators table that tracks which users have access to which projects.

This all works as expected for read only access using a single permission or a single nested permission. For example, this works for collaborators:

can :read, Project, :collaborators => { :user_id => user.id }
can :read, Collection, :projects => { :collaborators => { :user_id => user.id } }
can :read, Document, :collection => { :projects => { :collaborators => { :user_id => user.id }}}

I have a case where users other than the owner may need to manage a project. I call these users "editors". To check for editors I have a boolean field in the collaborators table called "editor". To allow editors access I created the following hash of conditions in CanCan:

can :manage, Project, :collaborators => { :user_id => user.id }, :collaborators => { :editor => true }

However, this grants manage access to all collaborators if the editor field is true for any collaborator. I only want to grant manage access to a collaborator if the collaborator is also an editor; all other collaborators should only have read access. Since the above ability does not work, I have an idea that what I need is something like this:

can :manage, Project, :collaborators => { :user_id => user.id AND :editor => true}

But I don't know how to do this. We are using PostgreSQL as our database if that helps. Thanks.

@shanesuofi
Author

SOLUTION: Courtesy of "ssorallen" at Stack Overflow.
can :manage, Project, :collaborators => { :user_id => user.id, :editor => true}

I think this example, or a similar example, would be helpful if it was added to the "Defining Abilities" page.
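Added example (not code from this issue or from the CanCan gem): a plain-Ruby stand-in for CanCan's hash-of-conditions matching, used to show why the duplicate-key rule from the issue is overly permissive and why the merged hash from the solution is not. `Collaborator`, `Project`, `matches_conditions?` and the sample data are constructed for this example.

```ruby
# Hypothetical plain-Ruby stand-ins for the Project and Collaborator records
# from the issue (no ActiveRecord or database needed).
Collaborator = Struct.new(:user_id, :editor)
Project      = Struct.new(:collaborators)

# Simplified model of how CanCan checks a conditions hash against a record
# (assumption, not the gem's own code): every key must match; a nested hash
# is checked against the association, and for a has_many collection it is
# enough that ANY element satisfies the whole nested hash.
def matches_conditions?(record, conditions)
  conditions.all? do |attr, expected|
    value = record.public_send(attr)
    if expected.is_a?(Hash)
      if value.respond_to?(:each)
        value.any? { |element| matches_conditions?(element, expected) }
      else
        matches_conditions?(value, expected)
      end
    else
      value == expected
    end
  end
end

# The rule as written in the issue. Ruby keeps only the LAST value for a
# duplicated key, so the :user_id condition is silently dropped; Ruby prints a
# "key :collaborators is duplicated and overwritten" warning at parse time,
# which is the first hint that the ability is not what it looks like.
def manage_conditions_buggy(user_id)
  { :collaborators => { :user_id => user_id }, :collaborators => { :editor => true } }
end

# The rule from the solution: both attributes in one nested hash, so a single
# collaborator row must satisfy user_id AND editor at the same time.
def manage_conditions_fixed(user_id)
  { :collaborators => { :user_id => user_id, :editor => true } }
end

def can_manage_buggy?(project, user_id)
  matches_conditions?(project, manage_conditions_buggy(user_id))
end

def can_manage_fixed?(project, user_id)
  matches_conditions?(project, manage_conditions_fixed(user_id))
end

# Constructed sample: user 1 is an editor, user 2 is a plain collaborator,
# user 3 is not a collaborator at all.
SAMPLE_PROJECT = Project.new([Collaborator.new(1, true), Collaborator.new(2, false)])
```

With the buggy rule, the presence of one editor grants manage to every user, including users who are not collaborators; the fixed rule grants it only to user 1.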
