Steps to reproduce

It appears that the attributes passed to `can` are only used by ControllerResourceBuilder but not by ControllerResourceFinder, so restrictions on accessible attributes are not automatically applied to `#index` and `#show` actions. See gist: https://gist.github.com/afn/441dfcf4ddc751b82f09af11bb356ba2

Expected behavior

When Ability restricts access to attributes on a `:read` action, the controller helpers for `#index` and `#show` should automatically select only the subset of attributes that are permitted.

Actual behavior

The resources assigned by `load_and_authorize_resource` include all attributes of the model, even ones that should not be accessible.

System configuration
Rails version: 7.1
Ruby version: 3.3.2
CanCanCan version: 3.5.0
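The following is an added illustration of the two behaviours the report contrasts; it is not CanCanCan's code and not from the issue author. `MiniAbility` is a hypothetical stand-in that only records per-rule attribute lists and exposes a `permitted_attributes(action, subject)` lookup (CanCanCan's real `Ability` has a method of that name, but its exact semantics for unrestricted rules are simplified here). The article rows are constructed inline; in a Rails controller the same slicing would be done with `.select(...)` on the loaded relation.

```ruby
# Added example (not CanCanCan's code): a minimal stand-in for an Ability
# that records per-rule attribute lists, plus two "finders" showing the
# reported behaviour (all columns) and the expected behaviour (permitted
# subset only). Sample records are constructed inline.

class MiniAbility
  Rule = Struct.new(:action, :subject, :attributes)

  def initialize
    @rules = []
  end

  # Same shape as CanCanCan's `can(action, subject, attributes)`;
  # an empty attribute list means "every attribute" (simplification).
  def can(action, subject, attributes = [])
    @rules << Rule.new(action, subject, Array(attributes))
  end

  # Returns [] when no rule matches, nil when a matching rule is
  # unrestricted, otherwise the union of permitted attribute names.
  def permitted_attributes(action, subject)
    matching = @rules.select { |r| r.action == action && r.subject == subject }
    return [] if matching.empty?
    return nil if matching.any? { |r| r.attributes.empty? }
    matching.flat_map(&:attributes).uniq
  end
end

# Behaviour the issue reports: attribute rules are ignored by the finder
# and every column is handed back.
def load_resources_ignoring_attributes(_ability, _subject, records)
  records
end

# Behaviour the issue expects: each record is sliced to the permitted
# attributes for :read. Deny by default when no :read rule exists.
def load_resources_with_attributes(ability, subject, records)
  allowed = ability.permitted_attributes(:read, subject)
  return [] if allowed == []       # no :read rule at all
  return records if allowed.nil?   # unrestricted :read rule
  records.map { |rec| rec.select { |key, _| allowed.include?(key) } }
end

# Constructed sample data standing in for Article rows; the
# internal_notes column is the one that must not leak.
ARTICLES = [
  { id: 1, title: "Public", body: "...", internal_notes: "secret" },
  { id: 2, title: "Draft",  body: "...", internal_notes: "hidden" }
].freeze

# Hypothetical ability: readers may see id, title and body only.
def build_reader_ability
  ability = MiniAbility.new
  ability.can(:read, :article, %i[id title body])
  ability
end

if __FILE__ == $PROGRAM_NAME
  ability = build_reader_ability
  p load_resources_ignoring_attributes(ability, :article, ARTICLES).first.keys
  p load_resources_with_attributes(ability, :article, ARTICLES).first.keys
end
```

Until the finder honours attribute rules, the practical check in a controller is to compare the loaded resource's attribute names against `current_ability.permitted_attributes(:read, Model)` and narrow the query (or the serialized output) to that list yourself.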