CanCanCommunity / cancancan

The authorization Gem for Ruby on Rails.
MIT License

can? should return false when there are no attributes that the current user can perform action on #816

Open michaelcohenunsw opened 1 year ago

michaelcohenunsw commented 1 year ago

Steps to reproduce

In the scenario where the current user has the ability to only edit/update certain attributes on a user model, if the current user has the "admin" role and @user has a role other than the "applicant" role, then using can? doesn't seem to return the correct result. I can work around the issue by replacing can?(:update, @user) with @current_ability.permitted_attributes(:update, @user).any? in the user edit view template.

Please copy the following Gist and edit it to reproduce your issue: https://gist.github.com/michaelcohenunsw/c2dfb85ba36416aa7884672d8f588eab

Expected behavior

current_ability.permitted_attributes(:update, @user)
=> []
can? :update, @user
=> false

Actual behavior

current_ability.permitted_attributes(:update, @user)
=> []
can? :update, @user
=> true

System configuration

Rails version: 6.0.6.1

Ruby version: 2.7.6

CanCanCan version: 3.4.0

coorasse commented 3 months ago

Could you help me by adding a new test case? Thanks