Carlos Palhares

@coorasse not really, because the rules are defined on `User`, not on `Department`. ```ruby can :contact, User, { department: { id: user.department_id } } can :contact, User, { department: {...

In case this is accepted, would it be fine to backport/release this to 5.x and 6.x?

> > would it be fine to backport/release this to 5.x and 6.x? > > No. We don't backport new features to stable releases. I get it, but in this...

For anyone with this issue, this script looks good to find what you serialize: https://gist.github.com/crawler/47a1e66ee2c2ea37f56f9c0c2aac071a

@rafaelfranca I guess it makes sense. Thanks! We're using the [aforementioned script](https://gist.github.com/crawler/47a1e66ee2c2ea37f56f9c0c2aac071a) to figure out the classes so we can properly fix this CVE in our app. If you're running...

The behavior in the bug report is what I would expect, not an exception. Selecting attributes without the primary key is a valid scenario. Also, checking if `id` is "truthy"...

> No, because the primary can not be `nil` or `false`. I mean if the model in question doesn't use `id` as the primary key.

> If you mean `id` as a column name, then calling `#id` method actually returns the record's primary key - https://api.rubyonrails.org/classes/ActiveRecord/AttributeMethods/PrimaryKey.html#method-i-id that I didn't know, good info!

@frantisekrokusekpa I'm going to backport this to rails 5 and was wondering why have the global procs if you could just refer to instance methods? For instance: This: ```ruby #...

:+1: