There is a bug in ActiveRecord::Associations::HasManyAssociation#delete_records_with_hobo_permission_check
that causes deletion from has_many_through associations to fail when the delete_permitted
implementation depends on the associated object.
Basically, it checks the permissions on an almost randomly selected member of the join table
because it applies only half of the conditions necessary to find the correct joiner record.
The default implementation of destroy_permitted? hides this problem since it only
depends on the user and not at all on the object being destroyed. Thus, it does not
care that it is checking permissions on the wrong instance.
I'll submit a PR with a fix that solves the problem by basing the query off of the
through_association rather than the model.
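The failure mode described in the report, as an added example that is not Hobo's code or part of the original report: a simplified in-memory model of a join table, in which all class, method and constant names and the sample rows are hypothetical, and in which the "missing half" of the conditions is assumed to be the key of the associated record.

```ruby
# Simplified in-memory model of a has_many :through join table (constructed data).
# created_by is a hypothetical attribute that an object-dependent permission reads.
Membership = Struct.new(:id, :group_id, :user_id, :created_by)

JOIN_ROWS = [
  Membership.new(1, 10, 100, 7), # group 10 <-> user 100, row created by user 7
  Membership.new(2, 10, 101, 8), # group 10 <-> user 101, row created by user 8
  Membership.new(3, 11, 101, 8)
].freeze

# Permission that depends only on the acting user (like the default described above).
USER_ONLY = ->(_row, acting_user) { !acting_user.nil? }
# Permission that depends on the join row itself.
OBJECT_DEPENDENT = ->(row, acting_user) { row.created_by == acting_user }

# Assumed shape of the bug: only the owner-side key is applied, so some join
# row of the group is returned regardless of which record is being removed.
def find_joiner_half_conditions(group_id, _user_id)
  JOIN_ROWS.find { |m| m.group_id == group_id }
end

# Both keys applied, which is the scoping a through association provides.
def find_joiner_full_conditions(group_id, user_id)
  JOIN_ROWS.find { |m| m.group_id == group_id && m.user_id == user_id }
end

# Returns [id of the join row that was checked, permission decision].
def check_delete(finder, policy, group_id, user_id, acting_user)
  joiner = send(finder, group_id, user_id)
  [joiner.id, policy.call(joiner, acting_user)]
end

# User 8 removes user 101 from group 10 (the row user 8 created).
p check_delete(:find_joiner_half_conditions, OBJECT_DEPENDENT, 10, 101, 8)
p check_delete(:find_joiner_full_conditions, OBJECT_DEPENDENT, 10, 101, 8)
# With a user-only policy the wrong row is still checked, but the answer is the same.
p check_delete(:find_joiner_half_conditions, USER_ONLY, 10, 101, 8)
```
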