chaps-io / access-granted

Multi-role and whitelist based authorization gem for Rails (and not only Rails!)
MIT License

Block in role always evaluating true #28

Closed noorhammad closed 8 years ago

noorhammad commented 8 years ago

This is my policy:

# The most important admin role, gets checked first
role :admin, proc {|u| u.admin? } do
  can [:new, :create, :edit, :update, :destroy], Project
end
# Less privileged moderator role
role :editor, proc {|u| u.editor? } do
  can [:new, :create], Project
  can [:edit, :update], Project do |project, user|
    project.user_id == user.id
  end
end
...

In the Project controller:

def edit
  authorize! :edit, Project
...

There is no restriction, my editor role is able to edit any project whether project.user_id matches user.id or not.

noorhammad commented 8 years ago

Solved my own problem: you have to pass an instance to authorize!

Working code (Project controller):

def edit
  authorize! :edit, @project
end

Notice @project not Project.

pokonski commented 8 years ago

can can [:new, :create, :edit, :update, :destroy], Project this also looks invalid; notice the two cans.

noorhammad commented 8 years ago

@pokonski just a typo here, wasn't in my code thankfully :+1:

pokonski commented 8 years ago

Cool :dancer:

MyklClason commented 6 years ago

This seems like rather bad defaults: if there is no explicit policy for authorize! :edit, Project then it should throw an error, and certainly not simply pass it; otherwise it leaves holes in the authorization.
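A small stand-in model of the class-versus-instance behaviour discussed in this thread, added here as an example and not taken from the gem's own code: it places the lenient check the reporter hit beside the stricter default the last comment asks for, so the hole is visible in a test. Project, User, Permission and editor_can? are assumed names constructed for the example.

```ruby
# Constructed stand-in for the policy semantics this thread describes; it is not
# the access-granted gem's code. Project, User and the editor rules are assumed.
Project = Struct.new(:id, :user_id)
User    = Struct.new(:id)

class Permission
  def initialize(actions, subject_class, condition = nil)
    @actions, @subject_class, @condition = actions, subject_class, condition
  end

  # Lenient check (the behaviour the reporter hit): when a bare class is passed
  # instead of an instance, the ownership block is never consulted, so an
  # editor "can edit Project" regardless of who owns the project.
  def allows_lenient?(action, subject, user)
    return false unless matches?(action, subject)
    return true if @condition.nil? || subject.is_a?(Class)
    @condition.call(subject, user)
  end

  # Strict check (the default the last comment asks for): a block-conditioned
  # permission cannot be decided without an instance, so a class-level query
  # is denied instead of silently passing.
  def allows_strict?(action, subject, user)
    return false unless matches?(action, subject)
    return true if @condition.nil?
    return false if subject.is_a?(Class)
    @condition.call(subject, user)
  end

  private

  def matches?(action, subject)
    @actions.include?(action) &&
      (subject == @subject_class || subject.is_a?(@subject_class))
  end
end

# Editor role from the issue: unconditional new/create, ownership-gated edit/update.
EDITOR_RULES = [
  Permission.new(%i[new create], Project),
  Permission.new(%i[edit update], Project, ->(project, user) { project.user_id == user.id })
].freeze

# True if any editor rule grants the action; strict: selects which check is used.
def editor_can?(action, subject, user, strict: false)
  EDITOR_RULES.any? do |rule|
    strict ? rule.allows_strict?(action, subject, user) : rule.allows_lenient?(action, subject, user)
  end
end
```

With the lenient check, editor_can?(:edit, Project, user) is true for every editor, which is exactly the "no restriction" the reporter saw; the strict check denies it while still allowing the unconditional :new and :create on the class.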