
cancancan ability returns false but is still accessible?

I have a standard cancancan setup. The Article model has an attribute approved. Then the standard setup:

# articles_controller.rb

    class ArticlesController < ApplicationController
      # For :show this loads @article and runs authorize!(:show, @article) before the action
      load_and_authorize_resource only: [:index, :show]

      def show
      end
    end
# ability.rb

    class Ability
      include CanCan::Ability

      def initialize(user)
        # Solution 1: hash conditions
        # can :show, Article, { approved: true }

        # Solution 2: block conditions
        can [:show], [Article] do |article|
          article.approved?
        end
      end
    end

When I try either of the solutions, the results return as expected in the console or debugger (i.e. ability.can?(:show, @article) returns true if the article has been approved, and false otherwise).

The strange thing is, the show view is still accessible in the browser, when the false returned above clearly states that it shouldn't be accessible.

I can't work out why.

After much help debugging in another forum, we never figured out why the above didn't work. But the desired behaviour was implemented by not using load_and_authorize_resource, and instead placing this in the controller action:

authorize! :show, @article

I'd be very curious to understand why this approach works, but the initial approach doesn't.
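Added illustration, not part of the question and not cancancan's own code: a small pure-Ruby model of how the gem evaluates the two rule styles above (hash conditions matched against the instance, a block called with the instance), and of the authorize! call used as the workaround. The Article struct and the AccessDenied class are constructed stand-ins for the app's model and for CanCan::AccessDenied.

```ruby
# Simplified model of cancancan rule evaluation, written for this page (not the gem's code).
class AccessDenied < StandardError; end
# Constructed stand-in for the Article model and its `approved` attribute.
Article = Struct.new(:approved, keyword_init: true) do
  def approved?; approved; end
end

class Ability
  Rule = Struct.new(:actions, :subjects, :conditions, :block)
  def initialize
    @rules = []
  end

  # Accepts both styles: can :show, Article, { approved: true } / can([:show], [Article]) { |a| ... }
  def can(actions, subjects, conditions = {}, &block)
    @rules << Rule.new(Array(actions), Array(subjects), conditions, block)
  end

  def can?(action, subject)
    @rules.any? { |rule| matches?(rule, action, subject) }
  end

  # What `authorize! :show, @article` does in the controller: deny by raising.
  def authorize!(action, subject)
    raise AccessDenied, "cannot #{action} #{subject.inspect}" unless can?(action, subject)
    subject
  end
  private
  def matches?(rule, action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    return false unless rule.actions.include?(action) && rule.subjects.include?(klass)
    # Class-level check (what :index gets): neither a hash nor a block can be evaluated
    # against a class, so the rule grants access regardless of `approved`.
    return true if subject.is_a?(Class)
    return !!rule.block.call(subject) if rule.block                              # Solution 2
    rule.conditions.all? { |attr, value| subject.public_send(attr) == value }   # Solution 1
  end
end

# The question's two rule styles, checked against an approved and a pending article.
def show_decisions
  hash_ability  = Ability.new.tap { |a| a.can :show, Article, { approved: true } }
  block_ability = Ability.new.tap { |a| a.can([:show], [Article]) { |article| article.approved? } }
  approved, pending = Article.new(approved: true), Article.new(approved: false)
  { hash_approved: hash_ability.can?(:show, approved), hash_pending: hash_ability.can?(:show, pending),
    block_approved: block_ability.can?(:show, approved), block_pending: block_ability.can?(:show, pending),
    class_level: block_ability.can?(:show, Article) }
end
```

Both styles deny the pending article once a loaded instance is checked, which is what authorize! :show, @article in the action does. For the question's :index action the check is made against the Article class, where a block rule cannot be evaluated and passes, so an index listing is only restricted if the collection itself is scoped (the hash form allows that via accessible_by; the block form does not).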
