The project uses the cancancan gem 2.0.0. I have two actions in my controller that both show a list of articles, and the lists share partials. Here's a reduced version of the abilities where I can point out the problem:
Article.rb

    class Article < ApplicationRecord
      scope :archived, -> { where("archived = TRUE") }
    end

Ability.rb

    class Ability
      include CanCan::Ability

      def initialize(user = User.new)
        if user.has_role?(:archived_access)
          # Start from no access at all for this role
          cannot :manage, Article

          # This block works well: the scope is what accessible_by uses for the
          # index query, the block is what gets run on instance checks
          can [:index, :edit, :update], Article, Article.archived do |article|
            article.archived_at > (Time.now - 3.months)
          end

          # Should give the ability of listing all the articles, but those
          # articles should not be editable for this user
          can :popular, Article
        end
      end
    end

The problem is that the second ability defined, :popular, somehow overrides the previous block's abilities, and the "archived_access" user ends up being able to :edit and :update articles that are not "archived".
Something important to keep in mind is that the articles table has more than half a million records, so the calls against the DB have to be as optimized as possible.
Let me know your thoughts and any idea on how to make this work is welcome!
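To reason about which rule actually decides an :edit check, here is an added example (not part of the question, and not cancancan's own code) that rebuilds the abilities above on a small stand-in for the gem's rule resolution; `MiniAbility`, the `Article` struct and the `:archived_scope` placeholder are assumptions for the sake of the example, and the resolution rules it encodes (last relevant rule wins, class-level checks skip the block, the scope is not re-checked on instances) should be verified against your gem version.

```ruby
# Constructed stand-in for the Article model; no ActiveRecord or cancancan needed.
Article = Struct.new(:archived, :archived_at)
THREE_MONTHS = 90 * 24 * 3600 # plain-Ruby substitute for ActiveSupport's 3.months

# Simplified model (an assumption about the gem's behaviour, not its code) of how
# CanCanCan resolves can?: the last rule defined that is relevant to the action
# and subject class decides; a block rule checked against the class (no instance)
# counts as allowed; on an instance only the block runs, while the scope given
# next to it serves accessible_by and is NOT re-checked here.
class MiniAbility
  Rule = Struct.new(:allow, :actions, :subject, :block)

  def initialize
    @rules = []
  end

  def can(actions, subject, _scope = nil, &block)
    @rules << Rule.new(true, Array(actions), subject, block)
  end

  def cannot(actions, subject)
    @rules << Rule.new(false, Array(actions), subject, nil)
  end

  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    rule = @rules.reverse.find do |r|
      r.subject == klass && (r.actions & [:manage, action]).any?
    end
    return false unless rule
    return rule.allow if rule.block.nil? || subject.is_a?(Class)
    rule.block.call(subject)
  end
end

# The abilities from the question rebuilt on the model. With recheck_archived: true
# the block also verifies the archived flag instead of relying on the scope alone
# (the nil guard is added so an article that was never archived cannot crash it).
def archived_access_ability(recheck_archived: false)
  MiniAbility.new.tap do |a|
    a.cannot(:manage, Article)
    a.can(%i[index edit update], Article, :archived_scope) do |article|
      next false if recheck_archived && !article.archived
      !article.archived_at.nil? && article.archived_at > Time.now - THREE_MONTHS
    end
    a.can(:popular, Article)
  end
end
```

Note that in this model `can?(:edit, Article)` on the bare class is true regardless of the :popular rule, and an instance check only consults the block, which is why re-checking the archived flag inside the block is the safe option.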