accessible_by is not using model adapter conditions properly #981

Closed
twessler opened this Issue Jan 8, 2014 · 1 comment


twessler commented Jan 8, 2014

I am attempting to create nontrivial permissions for an ordering system using Rails 4.0.2 with CanCan 1.6.8. I have noticed some odd behavior when creating my test.

This is the relevant portion of defining the permissions:

  # Allow all actions on orders they create 
  ability.can :manage,
      PurchaseOrder,
      :order => { :creator_id => user.id }

  # Access their company's orders
  ability.can :access,
      PurchaseOrder,
      :order => { company_id: user.company_id }

  ...

  # Revoke read access -- mainly so accessible_by returns no results by default
  if <no access>
    ability.cannot :read,
          PurchaseOrder
  end

The permissions are correct:

  ability.can? :manage, po_he_created #=> true
  ability.can? :read, po_he_created #=> false
  ability.can? :access, po_from_his_company #=> true

However, the accessible_by helper is not working as I would expect it to:

  PurchaseOrder.accessible_by(ability, :read) #=> returns all purchase orders in the database

The model adapter is returning the correct conditions, but the SQL generated does not have the conditions:

  ability.model_adapter(PurchaseOrder, :read).conditions #=> "'t' = 'f'"

  PurchaseOrder.accessible_by(ability, :read).to_sql

  # => "SELECT "purchase_orders".* FROM "purchase_orders" INNER JOIN "orders" ON "orders"."orderable_id" = "purchase_orders"."id" AND "orders.orderable_type" = 'PurchaseOrder'

For now, I can get around this, but I think that the behavior is unexpected.

I think this was a problem with my misunderstanding of how the abilities were aliased.

I will close this, because defining the permissions correctly fixes the issue.

twessler closed this Jan 16, 2014
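The rule-merging behaviour behind the "'t' = 'f'" conditions string, as an added, self-contained example that is not code from the issue or from the CanCan gem. The names below (MiniAbility, Rule, PO, the sample user and purchase orders) are hypothetical, and the custom `:access` action is assumed to be aliased onto `:read`; the merging logic follows CanCan 1.6's documented semantics: the most recently defined matching rule wins for `can?`, `:manage` covers every action, and `accessible_by` folds the relevant rules in definition order starting from "nothing is accessible", so a trailing unconditional `cannot :read` collapses the whole predicate to false even though the earlier `can` rules still apply to other actions. The example does not reproduce the missing WHERE clause in the issue's `to_sql` output, only the conditions the adapter computes.

```ruby
# Added example (not from the issue or from CanCan): a small stand-in for how a
# CanCan 1.6-style Ability resolves an ordered list of can/cannot rules into
# (a) the can? answer for one record and (b) the SQL predicate accessible_by
# would hand to `where`. All names here are hypothetical.

# Stand-in for an ActiveRecord purchase order; Struct#[] gives attribute lookup.
PO = Struct.new(:id, :creator_id, :company_id)

# One stored rule: base_behavior is true for `can`, false for `cannot`.
Rule = Struct.new(:base_behavior, :expanded_actions, :conditions) do
  # A rule applies when it covers :manage or the requested action itself.
  def relevant?(action)
    expanded_actions.include?(:manage) || expanded_actions.include?(action)
  end

  # Attribute-by-attribute match of the conditions hash; an empty hash matches everything.
  def matches?(record)
    conditions.all? { |attr, value| record[attr] == value }
  end

  # The hash conditions rendered as the SQL fragment accessible_by would use.
  def to_sql
    conditions.map { |attr, value| "#{attr} = #{value}" }.join(" AND ")
  end
end

class MiniAbility
  TRUE_SQL  = "'t' = 't'".freeze
  FALSE_SQL = "'t' = 'f'".freeze

  def initialize
    @rules = []
    # CanCan's default :read alias plus an assumed custom alias :access => :read.
    @aliases = { read: [:index, :show], access: [:read] }
    yield self if block_given?
  end

  def can(action, conditions = {})
    @rules << Rule.new(true, expand(action), conditions)
  end

  def cannot(action, conditions = {})
    @rules << Rule.new(false, expand(action), conditions)
  end

  # Expand an action through the alias table: :access -> [:access, :read, :index, :show].
  def expand(action)
    [action] + (@aliases[action] || []).flat_map { |a| expand(a) }
  end

  # The newest rule whose conditions match the record decides; no match means denied.
  def can?(action, record)
    match = relevant_rules(action).detect { |rule| rule.matches?(record) }
    match ? match.base_behavior : false
  end

  # The predicate accessible_by would emit: fold the relevant rules in definition
  # order, starting from "nothing is accessible".
  def conditions(action)
    relevant_rules(action).reverse.inject(FALSE_SQL) do |sql, rule|
      merge_conditions(sql, rule, rule.base_behavior)
    end
  end

  private

  # Newest rule first, which is the order can? evaluates them in.
  def relevant_rules(action)
    @rules.reverse.select { |rule| rule.relevant?(action) }
  end

  # An unconditional rule replaces whatever was accumulated so far; a conditional
  # one is OR-ed in (can) or AND NOT-ed in (cannot).
  def merge_conditions(sql, rule, allow)
    return(allow ? TRUE_SQL : FALSE_SQL) if rule.conditions.empty?
    cond = rule.to_sql
    case sql
    when TRUE_SQL  then allow ? TRUE_SQL : "not (#{cond})"
    when FALSE_SQL then allow ? cond : FALSE_SQL
    else allow ? "(#{cond}) OR (#{sql})" : "not (#{cond}) AND (#{sql})"
    end
  end
end

USER = { id: 1, company_id: 7 }.freeze # constructed sample user

# Rules in the order the issue defines them: the trailing unconditional cannot wins.
def ability_as_in_issue
  MiniAbility.new do |a|
    a.can :manage, creator_id: USER[:id]
    a.can :access, company_id: USER[:company_id]
    a.cannot :read
  end
end

# Same rules with the blanket cannot defined first, so the scoped can rules override it.
def ability_with_cannot_first
  MiniAbility.new do |a|
    a.cannot :read
    a.can :manage, creator_id: USER[:id]
    a.can :access, company_id: USER[:company_id]
  end
end

# Constructed sample records.
PO_HE_CREATED       = PO.new(10, 1, 7)
PO_FROM_HIS_COMPANY = PO.new(11, 2, 7)
PO_ELSEWHERE        = PO.new(12, 3, 8)
```

With the issue's ordering, `ability_as_in_issue.conditions(:read)` folds to `'t' = 'f'` while `can?(:manage, ...)` and `can?(:access, ...)` remain true, because `cannot :read` is only relevant to `:read` and its aliases. With the blanket `cannot` moved first, `conditions(:read)` becomes `(company_id = 7) OR (creator_id = 1)` and `can?(:read, PO_ELSEWHERE)` is still denied; whichever ordering is chosen, check that `can?` and the `accessible_by` predicate agree on the same records, since a mismatch between the two is where a listing endpoint leaks rows that the per-record check would refuse.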
