Permissions with blocks work too persmissive (block is ignored)

Question

Permissions with blocks work too persmissive (block is ignored)

vittorius opened this issue 9 years ago · 4 comments

Hello.

I have such policy:

can [:read, :update, :destroy], User do |user, merchant_admin|
  user.merchant.present? && created_user_is_of_creator_merchant?(merchant_admin, user)
end

and check

<% if can? :read, User %>
  <li><%= link_to 'Users', users_path %></li>
<% end %>

When I add byebug to policy block the execution even doesn't get stopped. So, looks like it looks at User at decides that it's enough.

Only when I comment out the policy definition, the check works.

Answer 1 · 2015-12-11T15:41:38.000Z

Update: looks like block works only when checking the User instances. But why would such definition permit any operation on class?

Answer 2 · 2016-02-14T07:17:44.000Z

@vittorius can you document the solution you used to get the block to execute?

Answer 3 · 2016-02-15T08:21:36.000Z

It's a dumb hack )

<% if current_user.has_privileges?(:admin) %>

(has_privileges? is just my method for model User which checks the it's in appropriate role)

Answer 4 · 2016-02-15T12:46:00.000Z

@vittorius

Update: looks like block works only when checking the User instances. But why would such definition permit any operation on class?

you are not meant to use :destroy or :update on classes. Because it doesn't make sense, you can't remove or update a class.

So the only permission you usually need to check on a class is :create.

If you want to allow someone to view users, specify the can :read, User separately from :update and :create