
STI parent access denied after adding cannot on child

Open gryphon opened this issue 3 years ago • 2 comments

Steps to reproduce

We have the following STI inheritance: Toyota < Car

Setting the rules:

    can :read, Car
    cannot :read, Toyota

Checking the roles:

    can? :read, Car # results in false

Expected behavior

    can? :read, Car # should be true

Because we granted access to all types of Car except Toyota.

Actual behavior

    can? :read, Car # results in false

System configuration

Rails version: 7.0.2

Ruby version: 3.0.3

CanCanCan version: 3.3.0

gryphon, Feb 11 '22 10:02

There is currently an open pull request: https://github.com/CanCanCommunity/cancancan/pull/689 which should fix this issue.

ghost, Feb 15 '22 09:02

Seems that this issue is still not fixed. There is a test in the repo, but it works only for a non-STI relation:

    it 'cannot rules are not effecting parent class' do
      u1 = User.create!(name: 'pippo')
      ability = Ability.new(u1)
      ability.can :manage, Parent
      ability.cannot :manage, Child
      expect(ability).not_to be_able_to(:index, Child)
      expect(ability).to be_able_to(:index, Parent)
    end

If we have Child inherited from Parent using STI, this would not pass.

gryphon, Feb 27 '23 15:02
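The following is an added example, not code from this thread or from CanCanCan. It is a toy "last matching rule wins" evaluator showing the semantics the issue expects (`:strict`) beside one hypothetical way the reported denial of the parent class can arise (`:overbroad`); the thread does not state the actual cause. `ToyAbility`, `Honda`, `denied_ancestors` and `build` are names invented for this sketch, and the only interface `denied_ancestors` assumes is `can?(action, klass)`.

```ruby
# Toy model, NOT CanCanCan's implementation: the last matching rule wins.
# Car/Toyota mirror the issue; Honda is a constructed sibling class.
class Car; end
class Toyota < Car; end
class Honda < Car; end

Rule = Struct.new(:allow, :action, :subject)

class ToyAbility
  # :strict    -> a rule applies to its subject class and that class's subclasses
  # :overbroad -> a rule additionally applies to ancestors of its subject (assumed bug shape)
  def initialize(matcher)
    @matcher = matcher
    @rules = []
  end

  def can(action, subject)
    @rules << Rule.new(true, action, subject)
    self
  end

  def cannot(action, subject)
    @rules << Rule.new(false, action, subject)
    self
  end

  def can?(action, klass)
    rule = @rules.reverse.find { |r| r.action == action && applies?(r.subject, klass) }
    rule ? rule.allow : false
  end

  private

  def applies?(rule_subject, klass)
    return true if klass <= rule_subject          # same class or a subclass
    @matcher == :overbroad && rule_subject < klass # queried class is an ancestor
  end
end

# Regression check for any object responding to can?(action, klass):
# lists the classes above `child`, up to `root`, that are denied `action`.
def denied_ancestors(ability, action, child, root)
  child.ancestors.select { |k| k.is_a?(Class) && k != child && k <= root }
       .reject { |k| ability.can?(action, k) }
end

def build(matcher)
  ToyAbility.new(matcher).can(:read, Car).cannot(:read, Toyota)
end
```

An empty list from `denied_ancestors` is the passing result for the rule pair in the issue; a non-empty list means a child-level `cannot` has shadowed a grant on the parent.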