From what I understand, CanCan authorizes the create and update actions once at load and again when the params hash is assigned.

Is there a way to skip the second authorization check with the new params hash? Here's a scenario where this causes a problem:

I have a model that blocks editing when the date is in the past (basically the records become history once a date passes). If I edit a record whose date is still in the future, and assign it a date in the past, rather than having the validation deal with it, the ability that blocks historical records raises a CanCan::Unauthorized exception. This is bad for usability. Is there a way around this?

Dowker
  • Please put your authorization condition here. I think you might be doing the conditional with the to-be-saved object instead of the persisted object – Ismael Abreu May 28 '12 at 21:18

2 Answers

0

If I understood correctly, you want to allow opening only records with a date in the future for edit (edit action, editing form), but be able to perform the update action (saving the form) for all records, even with a past date in params.

Probably, you should write different abilities for the edit and update actions. Like

can :edit, YourModel do |model|
  model.date > Date.today # something like this
end

can :update, YourModel

But you need to add an additional check with this approach (in the update action, maybe, or in a validator), because anybody can change a record by sending a hand-crafted POST request.

Flexoid
  • That's not good. It would be possible to update any model this way. You just couldn't have a form to do it. But with something like curl you could update it – Ismael Abreu May 28 '12 at 21:23
0

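I don't know what your current situation is, but I think you could do something like this.

can :update, Model do |model|
  # date_was returns the stored value whether or not date was reassigned;
  # changes[:date] is nil when the date is unchanged.
  persisted_date = model.date_was
  !persisted_date.nil? && persisted_date > Date.today
end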
Ismael Abreu
  • Remember this is CanCan 2. My abilities rules lock everything down as needed. The problem is when submitting a form and the user inputs a past date (which is blocked by CanCan), the app redirects to an error page rather than showing the form with a validation error. This is a usability issue I'm trying to fix. Submitting the wrong date and getting some error page is bad UX. – Dowker May 28 '12 at 22:16
  • Can you show the abilities code you have? I'm not familiar with older versions of cancan – Ismael Abreu May 28 '12 at 22:29
  • What do you mean older versions? I'm using CanCan 2. I don't think you understand the question. The abilities work as I need them to. What I would like to skip is the authorization performed on the submitted params hash so as to let my validations do their job. – Dowker May 28 '12 at 22:49
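The ordering discussed in this thread, as an added example that is not part of any post and does not use CanCan's API: authorize against the stored date so a hand-crafted request cannot touch historical records, then let validation judge the submitted date so the user gets a form error instead of an exception. The `Record` class, `can_update?`, `update` and the sample dates are hypothetical stand-ins written in plain Ruby.

```ruby
require 'date'

# Plain-Ruby stand-in for an ActiveRecord model (hypothetical, not CanCan's API).
class Record
  attr_reader :persisted_date, :date, :errors

  def initialize(persisted_date)
    @persisted_date = persisted_date
    @date = persisted_date
    @errors = []
  end

  # Mimics attribute assignment from the params hash; nothing is saved yet.
  def assign(params)
    @date = params[:date] if params.key?(:date)
  end

  # Validation judges the *new* value and reports a form error, not an exception.
  def valid?(today)
    @errors = []
    @errors << 'date must be in the future' unless @date.is_a?(Date) && @date > today
    @errors.empty?
  end

  def save(today)
    return false unless valid?(today)
    @persisted_date = @date
    true
  end
end

# Authorization looks only at the stored value, so historical records stay
# locked no matter what the request body contains.
def can_update?(record, today)
  record.persisted_date > today
end

# Controller-style flow: authorize on stored state, assign, then validate.
def update(record, params, today)
  return :forbidden unless can_update?(record, today)
  record.assign(params)
  record.save(today) ? :saved : :invalid
end

TODAY = Date.new(2012, 5, 28) # constructed sample date
```

A `:invalid` result corresponds to re-rendering the form with `errors`; `:forbidden` corresponds to the authorization failure that should remain for records whose stored date has already passed.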