It appears that the attributes passed to can are only used by ControllerResourceBuilder but not by ControllerResourceFinder, so restrictions on accessible attributes are not automatically applied to #index and #show actions.
When Ability restricts access to attributes on a :read action, the controller helpers for #index and #show should automatically select only the subset of attributes that are permitted.
Actual behavior
The resources assigned by load_and_authorize_resource include all attributes of the model, even ones that should not be accessible
Steps to reproduce
It appears that the attributes passed to
canare only used by ControllerResourceBuilder but not by ControllerResourceFinder, so restrictions on accessible attributes are not automatically applied to#indexand#showactions.See gist: https://gist.github.com/afn/441dfcf4ddc751b82f09af11bb356ba2
Expected behavior
When Ability restricts access to attributes on a
:readaction, the controller helpers for#indexand#showshould automatically select only the subset of attributes that are permitted.Actual behavior
The resources assigned by
load_and_authorize_resourceinclude all attributes of the model, even ones that should not be accessibleSystem configuration
Rails version: 7.1
Ruby version: 3.3.2
CanCanCan version: 3.5.0