
I'm using cancan with inherited resources and I'm encountering a strange issue (possibly a bug?) where I defined an edit permission for a user and suddenly they are authorized to access the /edit action despite the ability returning false. So here's the behavior I'm experiencing.

class VenuesController < ApplicationController
  inherit_resources
  authorize_resource
end

Without an ability defined, my non-admin user is redirected from /venues/1/edit to the homepage. However, once I define an :update ability, I am not redirected whether the ability returns true or false. Here is the ability I want to define:

ability.rb

can :update, Venue do |venue|
  venue.admin_ids.map{|a| a.to_s}.include? user.id.to_s
end

This returns the correct value as I can see with my test as well as with a sanity check inside my view:

venues/edit.html.haml

= can? :update, @venue
-# returns false

So, if I'm inside the edit action and my view says "I cannot update", shouldn't cancan be redirecting me from this page? As a double-sanity-check, I tried

can :update, Venue do |venue|
  false
end

and still no luck... I just find it strange that without any ability definition whatsoever, I'm redirected, but when I define an ability that returns false, I'm not redirected despite the view layer appropriately telling me I cannot edit. Any ideas? Is this a bug? Am I doing something wrong?

Furthermore, not only am I able to see the edit action, but I can actually make PUT requests to the resource, and the resource saves.

  • you are defining the :update action, but checking it on the edit action. sure that you are looking at the right place? – phoet Jan 28 '13 at 18:51
  • I thought cancan restricts update and edit with the "update" ability. – jdkealy Jan 28 '13 at 22:29
  • Anyhow even if I explicitly tell cancan that my user has no permissions to :edit, I still don't get redirected at all – jdkealy Jan 28 '13 at 22:53
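An added illustration of the behaviour described in the question; this is not the gem's code and not part of the original post. It uses a small stand-in for CanCan's rule matching (an assumption about CanCan 1.x semantics: a block ability cannot be evaluated against a bare class, so a class-level check passes, while an instance-level check runs the block). The names `MiniAbility`, `class_level_check` and `instance_level_check` are mine; `User` and `Venue` are constructed stand-ins for the question's models.

```ruby
# Stand-in models (constructed for this example, not the question's real classes)
User  = Struct.new(:id)
Venue = Struct.new(:admin_ids)

class MiniAbility
  def initialize(user)
    @rules = []
    @user = user
    # Same rule as the ability.rb in the question
    can :update, Venue do |venue|
      venue.admin_ids.map(&:to_s).include?(@user.id.to_s)
    end
  end

  def can(action, subject_class, &block)
    @rules << [action, subject_class, block]
  end

  # Assumed CanCan 1.x semantics: when the subject is a class there is no
  # record to hand to the block, so the block is skipped and the rule matches.
  # With an instance, the block decides.
  def can?(action, subject)
    @rules.any? do |rule_action, klass, block|
      next false unless rule_action == action
      if subject.is_a?(Class)
        subject <= klass                       # class-level check: block never runs
      else
        subject.is_a?(klass) && block.call(subject)
      end
    end
  end
end

# What `authorize_resource` without `load_resource` effectively asks: inherited_resources
# has not set @venue when the before filter runs, so CanCan authorizes the class.
def class_level_check(user_id)
  MiniAbility.new(User.new(user_id)).can?(:update, Venue)
end

# What the view's `can? :update, @venue` asks: the block runs against the record.
def instance_level_check(user_id, admin_ids)
  MiniAbility.new(User.new(user_id)).can?(:update, Venue.new(admin_ids))
end
```

The defensive fix this points to is to make sure the record is loaded before authorization runs (CanCan's `load_and_authorize_resource`, or an explicit `authorize! :update, resource` inside the action), so the block is evaluated against `@venue` rather than the class.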

0 Answers