cancancan

can? should return false when there are no attributes that the current user can perform action on

Open: michaelcohenunsw opened this issue 2 years ago • 1 comment

Steps to reproduce

In the scenario where the current user has the ability to only edit/update certain attributes on a user model, if the current user has the "admin" role and @user has a role other than the "applicant" role, then using can? doesn't seem to return the correct result. I can work around the issue by replacing can?(:update, @user) with @current_ability.permitted_attributes(:update, @user).any? in the user edit view template.

Please copy the following Gist and edit it to reproduce your issue: https://gist.github.com/michaelcohenunsw/c2dfb85ba36416aa7884672d8f588eab

Expected behavior

current_ability.permitted_attributes(:update, @user)
=> []
can? :update, @user
=> false

Actual behavior

current_ability.permitted_attributes(:update, @user)
=> []
can? :update, @user
=> true

System configuration

Rails version: 6.0.6.1

Ruby version: 2.7.6

CanCanCan version: 3.4.0

michaelcohenunsw, Feb 06 '23 23:02

Could you help me by adding a new test case? Thanks

coorasse, May 23 '24 15:05