ActiveRecord::ReadOnlyRecord for nested rules

[vanboom]

ability.rb: can :manage, Customer, :team=>{:id=>user.team_ids}

controller / update method: @customers = Customer.accessible_by(current_ability).find(params[:id])

result: ActiveRecord::ReadOnlyRecord

I am trying to protect access in the update method so users cannot post updates to a Customer that does not have the same "team" tag.

Is there a way to inhibit the read-only effect caused by the join?

thanks!

[the8472]

I think there's a method .readonly(false) which you can insert into the chain after the accessible_by

[VorontsovIE]

I faced to similar issue (and also there is similar issue https://github.com/ryanb/cancan/issues/357). In my case when ActiveRecord uses joins for nested hashes - it marks object as readonly. The easy workaround is to patch CanCan::ModelAdapters::ActiveRecordAdapter#database_records with readonly(false) I prepared a commit but actually I'm not sure if it's correct to mark joined records as not-readonly. Can anyone explain why it's bad to change records which have additional columns?

[xhoy]

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013. Since only Ryan himself has commit permissions, the CanCan project is on a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!