Alessandro Rodi
Looks like a bug to me. Although if you need to define permissions on the Survey level I'd suggest having the `teacher_id` column defined already in the Survey to simplify...
mmm...yes...it generates the name `toolkit_teachers_toolkits_2_3` instead of `toolkit_teachers_toolkits_3`. Most probably a bug in https://github.com/CanCanCommunity/cancancan/blob/fa14f3ed22ba3a09588bcd50b73069cf1ca42881/lib/cancan/model_adapters/conditions_extractor.rb#L50
Would it be possible to get a gist to reproduce the issue? I am not sure I fully understood your use case.
Running dangerous :show permission when the resource name is passed and mismatches the controller name
I agree completely with the point, but I disagree with the fix. I believe the `load_and_authorize_resource :book` should recognise that :book is actually not a parent.
I am not exactly sure that I understand the use case. It feels to me that you should be able to do that already with `Department.accessible_by(:contact, current_ability)`
Would
```
can %i[index show], Product, count_on_hand: [1..Float::INFINITY]
can %i[index show], Product, count_on_hand: nil
```
work? If so, I'd close this because the semantics seem legit.
Can you provide a gist to reproduce your issue? It is not clear to me, sorry.
I confirm that I see the same behaviour.
Changing the rule `can :read, Foo, user_roles: { user: user } #wrong` into `can :read, Foo, user_roles: { user_id: user.id } #correct` fixes the issue. But I still don't understand...
And the user can also see `http://cancan_error.localhost:3000/bars/1` which should be protected. Using the `id` instead of the association name `user` (which is not supported) fixes it.