
accessible_by is not using model adapter conditions properly #981

Closed
twessler opened this Issue · 1 comment

1 participant

@twessler

I am attempting to create nontrivial permissions for an ordering system using Rails 4.0.2 with CanCan 1.6.8. I have noticed some odd behavior when creating my test.

This is the relevant portion of defining the permissions:

  # Allow all actions on orders they create
  ability.can :manage,
      PurchaseOrder,
      :order => { :creator_id => user.id }

  # Access their company's orders
  ability.can :access,
      PurchaseOrder,
      :order => { :company_id => user.company_id }

  ...

  # Revoke read access -- mainly so accessible_by returns no results by default
  if <no access>
    ability.cannot :read,
          PurchaseOrder
  end

The permissions are correct:

  ability.can? :manage, po_he_created #=> true
  ability.can? :read, po_he_created #=> false
  ability.can? :access, po_from_his_company #=> true

However, the accessible_by helper is not working as I would expect it to:

  PurchaseOrder.accessible_by(ability, :read) #=> returns all purchase orders in the database

The model adapter is returning the correct conditions, but the SQL generated does not have the conditions:

  ability.model_adapter(PurchaseOrder, :read).conditions #=> "'t' = 'f'"

  PurchaseOrder.accessible_by(ability, :read).to_sql

  # => "SELECT "purchase_orders".* FROM "purchase_orders" INNER JOIN "orders" ON "orders"."orderable_id" = "purchase_orders"."id" AND "orders.orderable_type" = 'PurchaseOrder'

For now, I can get around this but I think that the behavior is unexpected.
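The report above describes `can?` and `accessible_by` disagreeing: every per-record check denies `:read`, yet the collection query returns every row, which on an index page is a data-exposure bug. The following is an added regression check, not code from the issue or from CanCan, that compares the two paths over a set of records and lists every disagreement. `PurchaseOrder`, `USER_ID`, `ALL_ORDERS` and the two `*Ability` classes are constructed stand-ins so it runs without Rails; in an application you pass the real `Ability` instance, `Model.all.to_a`, and a block that calls `Model.accessible_by(ability, action)`.

```ruby
# Added example, not code from the issue or from CanCan: a consistency check
# between the per-record path (`can?`) and the collection path
# (`accessible_by`). CanCan answers the two through separate code, so a rule
# set can deny a record in `can?` while the index query still lists it.

# Constructed stand-in for the model (assumption, not the app's class).
PurchaseOrder = Struct.new(:id, :creator_id, :company_id)

USER_ID = 10 # assumed current user id (constructed)

# Constructed sample rows, not data from the issue.
ALL_ORDERS = [
  PurchaseOrder.new(1, 10, 100),
  PurchaseOrder.new(2, 11, 100),
  PurchaseOrder.new(3, 12, 200),
].freeze

# Stand-in that mimics the reported behaviour: `can? :read` is false for every
# record (an unconditional `cannot :read` comes last), but the collection path
# for :read ignores that and returns every row.
class LeakyAbility
  def can?(action, order)
    action == :manage && order.creator_id == USER_ID
  end

  # Plays the role of Model.accessible_by(ability, action) for the demo.
  def scope(action, rows)
    action == :read ? rows : rows.select { |o| can?(action, o) }
  end
end

# Stand-in for a rule set whose two paths agree: the creator may read and
# manage their own orders, nobody else sees them.
class ConsistentAbility
  def can?(_action, order)
    order.creator_id == USER_ID
  end

  def scope(_action, rows)
    rows.select { |o| o.creator_id == USER_ID }
  end
end

# For each action, compare what the collection path lists with what the
# per-record path allows. The block receives the action and must return the
# records the collection path yields (in an app: Model.accessible_by).
# Returns one hash per disagreement; an empty array means the paths agree
# for these records.
def authorization_mismatches(ability, records, actions)
  actions.flat_map do |action|
    visible = yield(action).to_a
    records.each_with_object([]) do |record, out|
      listed  = visible.include?(record)
      allowed = ability.can?(action, record)
      next if listed == allowed
      out << { action: action, id: record.id, listed: listed, allowed: allowed }
    end
  end
end

# Runs the check over the constructed rows for one of the stand-in abilities.
def mismatches_for(ability, actions = [:read, :manage])
  authorization_mismatches(ability, ALL_ORDERS, actions) { |a| ability.scope(a, ALL_ORDERS) }
end

if __FILE__ == $PROGRAM_NAME
  mismatches_for(LeakyAbility.new).each { |m| puts m.inspect }
  puts "consistent ability has mismatches: #{!mismatches_for(ConsistentAbility.new).empty?}"
end
```

Running it against the leaky stand-in reports three `:read` rows that are listed but not allowed, exactly the shape of the bug in the report; the consistent stand-in reports none. In a test suite the same call, with the real `Ability` and `PurchaseOrder.accessible_by(ability, action)` in the block, fails as soon as a rule change makes the two paths drift apart.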

@twessler

I think this was a problem with my misunderstanding of how the abilities were aliased.

I will close this, because defining the permissions correctly fixes the issue.

@twessler twessler closed this