
CanCan - Forms #998

Open
alansikora opened this Issue Feb 22, 2012 · 8 comments


Hello,

another CanCan limitation.

For example, I have a User model and a UserImage model. With "accepts_nested_attributes_for", I can have one nested in the other.

But if I allow a role to manage the User model, it will be able to change/create a UserImage as well on the nested form, even if I set "cannot :manage, UserImage", for example.

Is this right?

Collaborator

bbenezech commented Feb 22, 2012

Yes. And this is not the expected behavior.

  1. Nested form parent association should be hidden. (cases for :create and :update)
  2. Cancan should sanitize on the server side when the request comes back.

So maybe something is wrong with my code?

Or should I work on a patch?

I've updated the issue name, because there's more.

What about single fields? I just don't want to allow "manager" users to hide/show products, just change their price.

For now, I'm using something like this (inside Ability model):

def initialize(user)
  # Workaround: reconfigure RailsAdmin from the Ability so that non-admin
  # users never get the Product#is_visible field on the edit form
  unless user.is_admin?
    RailsAdmin.config do |config|
      config.model Product do
        edit do
          field :is_visible do
            visible false
          end
        end
      end
    end
  end
end

But, just like on issue #986, I think that this may be too dirty or hackish.

What's your opinion about this?

Another one.

How is it possible to do something like this:

I have a Post model and a User model. An admin user can edit posts and change the author, for example. But a regular user can only edit his own posts and create posts with himself as author.

It'd be wise to have an author field on Post form for the admin user, and not to have an author field for a regular user, you see?

Maybe this is related to another issue, but I think it is something really important.

As I said on issue #986, let's try to figure out how to do this kind of complex operation between cancan and RA.
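The security-relevant point in this thread is bbenezech's second item: hiding a field or a nested form only changes what the browser renders, so the server has to re-check the submitted parameters against the ability. The example below is added here and is not rails_admin's or CanCan's code; `Ability`, `Rule`, `sanitize_params`, `resolve_author` and the `NESTED` map are hypothetical stand-ins that copy CanCan's `can`/`can?` shape, and the users and submitted params are constructed. It goes slightly beyond the thread by handling all three cases raised above with one attribute-level whitelist: the nested UserImage form, the Product `:is_visible` field, and the Post author.

```ruby
# Added example for this thread, not rails_admin's or CanCan's code. The
# classes below are hypothetical stand-ins that mimic CanCan's can/can? shape.

User = Struct.new(:id, :admin) do
  def admin?
    admin
  end
end

Rule = Struct.new(:action, :subject, :attributes)

class Ability
  def initialize(user)
    @rules = []
    if user.admin?
      can :manage, :post        # admins may also change :author_id
      can :manage, :user_image
      can :manage, :product
    else
      can :update, :post,    [:title, :body]   # no :author_id for regular users
      can :update, :product, [:price]          # "manager" may not touch :is_visible
      # no rule for :user_image: the nested form's data must be dropped entirely
    end
  end

  # :all means every attribute of the subject is permitted
  def can(action, subject, attributes = :all)
    @rules << Rule.new(action, subject, attributes)
  end

  def can?(action, subject, attribute = nil)
    @rules.any? do |r|
      (r.action == :manage || r.action == action) && r.subject == subject &&
        (attribute.nil? || r.attributes == :all || r.attributes.include?(attribute))
    end
  end
end

# accepts_nested_attributes_for keys and the subject each one edits (constructed)
NESTED = { 'user_image_attributes' => :user_image }.freeze

# Server-side filter: a hidden form field is not access control, because the
# browser can submit any key it likes. Keep only attributes the ability permits
# and recurse into nested hashes; a nested subject the user cannot act on is
# dropped wholesale.
def sanitize_params(params, ability, subject, action = :update)
  params.each_with_object({}) do |(key, value), kept|
    if NESTED.key?(key)
      nested = NESTED[key]
      next unless ability.can?(action, nested)
      kept[key] = sanitize_params(value, ability, nested, action)
    elsif ability.can?(action, subject, key.to_sym)
      kept[key] = value
    end
  end
end

# Post author: honoured only for users allowed to set it; everyone else gets
# themselves, so a tampered author_id is overwritten rather than trusted.
def resolve_author(params, ability, current_user)
  if ability.can?(:update, :post, :author_id) && params.key?('author_id')
    params['author_id'].to_i
  else
    current_user.id
  end
end

# Constructed sample data: an admin, a regular user, and a tampered submission
ADMIN   = User.new(1, true)
REGULAR = User.new(7, false)
POST_PARAMS = {
  'title' => 'Hello',
  'author_id' => '1',                                 # regular user trying to post as admin
  'user_image_attributes' => { 'url' => 'http://example.com/x.png' }
}.freeze
PRODUCT_PARAMS = { 'price' => '9.99', 'is_visible' => 'false' }.freeze

if __FILE__ == $PROGRAM_NAME
  [ADMIN, REGULAR].each do |u|
    a = Ability.new(u)
    kept = sanitize_params(POST_PARAMS, a, :post)
    puts "user #{u.id}: post params #{kept.inspect}, author #{resolve_author(kept, a, u)}"
    puts "user #{u.id}: product params #{sanitize_params(PRODUCT_PARAMS, a, :product).inspect}"
  end
end
```

For the regular user the sanitizer keeps only `title`, drops the nested `user_image_attributes` hash because no rule covers `:user_image`, and `resolve_author` ignores the submitted `author_id` in favour of the session user; for the admin everything passes through unchanged. Hiding the fields in the rails_admin form is then a usability matter, not the enforcement point.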

Collaborator

bbenezech commented Feb 22, 2012

Sorry I wasn't clear: I meant Yes you are right, and, no, this should not behave like that.

Nested forms is younger and needs some tweaking.

I'll have a look tmrw.

I'll have a look also, I'm an autholic programmer, so maybe I'll find out a good solution for those minor problems regarding forms and menus.

RailsAdmin.config do |config|
  config.authorize_with :cancan

  config.model Team do
    list do
      field :name
      field :created_at
      field :revenue do
        visible do
          current_user.roles.include?(:accounting) # metacode
        end
      end
    end
  end
end

Doesn't work...

I solved this like alansikora said

mad-raz commented Dec 1, 2014

@denniscastro alter the code to be

      ...
      field :revenue do
        visible do
          bindings[:view]._current_user.roles.include?(:accounting)
        end
      end
      ...

and it should work fine :D,
I've updated the wiki to be like the previous code
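Why the `bindings[:view]._current_user` form works where a bare `current_user` does not: a `visible do ... end` block is stored when the configuration is loaded and only evaluated later, while the view renders, and in that scope the request context is reachable through `bindings` alone. The toy DSL below is an added example for this thread, not rails_admin's own implementation; `Field`, `Section`, `View`, `User` and `configure` are hypothetical stand-ins that reproduce the same shape, with constructed users, so both versions from the thread can be run side by side.

```ruby
# Added example: a minimal field DSL in the style of rails_admin's config blocks.
# Hypothetical classes, not rails_admin's code.

class Field
  attr_reader :name, :bindings

  def initialize(name)
    @name = name
    @visible = true
  end

  # Used inside the config block: stores a value or a block, evaluates nothing yet
  def visible(value = nil, &block)
    @visible = block || value
  end

  # Used at render time: the block runs with `bindings` available on the field
  def visible?(bindings)
    @bindings = bindings
    @visible.respond_to?(:call) ? instance_exec(&@visible) : @visible
  end
end

class Section
  attr_reader :fields

  def initialize
    @fields = {}
  end

  def field(name, &block)
    f = Field.new(name)
    f.instance_eval(&block) if block
    @fields[name] = f
  end
end

def configure(&block)
  section = Section.new
  section.instance_eval(&block)
  section
end

# Stand-ins for the view object rails_admin exposes as bindings[:view] and for a user
View = Struct.new(:_current_user)
User = Struct.new(:roles)

# Version from denniscastro's comment: `current_user` is not defined on the
# field, so the block raises NameError when the view finally evaluates it
def config_referencing_current_user
  configure do
    field :revenue do
      visible { current_user.roles.include?(:accounting) }
    end
  end
end

# mad-raz's fix: reach the user through bindings[:view], resolved at render time
def config_using_bindings
  configure do
    field :name
    field :revenue do
      visible { bindings[:view]._current_user.roles.include?(:accounting) }
    end
  end
end

# Simulates rendering: the view is handed over via bindings only now
def visible_field_names(section, user)
  bindings = { view: View.new(user) }
  section.fields.values.select { |f| f.visible?(bindings) }.map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  puts visible_field_names(config_using_bindings, User.new([:accounting])).inspect   # [:name, :revenue]
  puts visible_field_names(config_using_bindings, User.new([:sales])).inspect        # [:name]
end
```

Note that the config block itself loads fine in both versions; the failure only surfaces when a page is rendered, which is why the first version looks correct until someone opens the list view.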
