chaps-io / access-granted

Multi-role and whitelist based authorization gem for Rails (and not only Rails!)
MIT License

Weird bug in 1.0.4: permissions don't seem to be inherited from lower-privileged users #20

Closed vittorius closed 8 years ago

vittorius commented 8 years ago

@pokonski Hello, Piotr. Something goes wrong with v1.0.4.

Policy file:

role :admin, proc { |user| user.admin? } do
  can :access, :direct_user_creation

  can :read, User
  can :create, User
  can :destroy, User
end

role :planner, proc { |user| user.planner? } do
  can :manage, Merchant
end

This way, admin cannot :edit a particular merchant (checking with authorize! :edit, @merchant) or even :read Merchants.

I change it to

# ...
role :planner, proc { |user| user.planner? } do
  can :read, Merchant
  can :edit, Merchant
end
# ...

and still no way for :admin to :read or :edit Merchants

Then I go with:

role :admin, proc { |user| user.admin? } do
  can :access, :direct_user_creation

  can :read, User
  can :create, User
  can :destroy, User

  can :read, Merchant
  can :edit, Merchant
end

role :planner, proc { |user| user.planner? } do
  can :read, Merchant
  can :edit, Merchant
end

And only this setup allows my :admin to both :read and :edit Merchants.

Can you please check what could be the reason? I can provide any additional details that you may require. Thanks.

pokonski commented 8 years ago

Hi @vittorius!

The problem lies with this block

role :planner, proc { |user| user.planner? } do
  can :read, Merchant
  can :edit, Merchant
end

I assume that user.planner? returns false for the admin user. Am I right?

Only the blocks that have truthy procs will be used in inheritance.
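
Added example, not code from the access-granted gem or from either participant: a small self-contained Ruby model of the rule stated above, that a role block contributes permissions only when its proc returns truthy for the user. The ToyPolicy class, its Role struct, the can? method and the User / Merchant stand-ins are assumptions made for this illustration; :manage is treated as a wildcard action, which is what the first policy in the report expects. It builds the reporter's original policy (planner block skipped for admins, so Merchant is unreachable), the version they ended up with (Merchant permissions repeated in the :admin block), and a third variant that follows the same rule by making the :planner proc truthy for admins as well.

```ruby
# Stand-ins for the application's models (constructed for this example).
User = Struct.new(:admin, :planner, keyword_init: true) do
  def admin?;   admin;   end
  def planner?; planner; end
end

class Merchant; end

# Hypothetical policy class mirroring the DSL used in the thread:
#   role :name, proc { |user| ... } do can :action, Subject end
class ToyPolicy
  Role = Struct.new(:name, :condition, :permissions)

  def initialize(&definition)
    @roles = []
    instance_eval(&definition)
  end

  def role(name, condition, &block)
    @current = Role.new(name, condition, [])
    instance_eval(&block)
    @roles << @current
    @current = nil
  end

  def can(action, subject)
    @current.permissions << [action, subject]
  end

  # The rule from the thread: a role contributes only when its proc returns
  # truthy for this user. Declaration order plays no part.
  def applicable_roles(user)
    @roles.select { |role| role.condition.call(user) }
  end

  def can?(user, action, subject)
    applicable_roles(user).any? do |role|
      role.permissions.any? do |declared_action, declared_subject|
        action_matches?(declared_action, action) &&
          subject_matches?(declared_subject, subject)
      end
    end
  end

  private

  # :manage is treated as a wildcard, as the report's first policy expects.
  def action_matches?(declared, requested)
    declared == :manage || declared == requested
  end

  # A subject is either a Class (matches the class or its instances) or a
  # plain symbol such as :direct_user_creation.
  def subject_matches?(declared, actual)
    return declared == actual unless declared.is_a?(Class)
    actual.is_a?(Class) ? actual <= declared : actual.is_a?(declared)
  end
end

# The policy from the original report: admin? and planner? are exclusive,
# so the :planner block is skipped for an admin.
def original_policy
  ToyPolicy.new do
    role :admin, proc { |user| user.admin? } do
      can :access, :direct_user_creation
      can :read, User
      can :create, User
      can :destroy, User
    end
    role :planner, proc { |user| user.planner? } do
      can :manage, Merchant
    end
  end
end

# What the reporter ended up with: Merchant permissions repeated in :admin.
def duplicated_policy
  ToyPolicy.new do
    role :admin, proc { |user| user.admin? } do
      can :read, User
      can :read, Merchant
      can :edit, Merchant
    end
    role :planner, proc { |user| user.planner? } do
      can :read, Merchant
      can :edit, Merchant
    end
  end
end

# Same rule, other fix: make the :planner proc truthy for admins too, so its
# block is included for them without duplicating the permissions.
def shared_block_policy
  ToyPolicy.new do
    role :admin, proc { |user| user.admin? } do
      can :read, User
    end
    role :planner, proc { |user| user.planner? || user.admin? } do
      can :read, Merchant
      can :edit, Merchant
    end
  end
end

if __FILE__ == $0
  admin = User.new(admin: true, planner: false)
  puts "original:   admin can edit Merchant? #{original_policy.can?(admin, :edit, Merchant.new)}"
  puts "duplicated: admin can edit Merchant? #{duplicated_policy.can?(admin, :edit, Merchant.new)}"
  puts "shared:     roles applied to admin: #{shared_block_policy.applicable_roles(admin).map(&:name).inspect}"
end
```

Calling applicable_roles(user) is the quickest way to see why a check fails: for the original policy it returns only :admin for an admin user, which is exactly the symptom in the report.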

vittorius commented 8 years ago

I see, the same inheritance principle must be honored in roles indication too. Thanks for the explanation.

pokonski commented 8 years ago

No problem, I will state this in the readme to avoid future misunderstandings from others, thanks!