kristianmandrup / cantango

CanCan extension with role oriented permission management, rules caching and much more
MIT License
404 stars 45 forks

Attribute level authorization not working #25

Open vicwin opened 12 years ago

vicwin commented 12 years ago

I have created a rule like this in the Role Permit:

can read_attributes(:phone, :state), User

and I am getting false by calling:

user_can? read_attributes(:phone, :state), User

and read_attribute returns a string like the following:

ruby-1.9.3-p0 :005 > read_attributes(:phone, :state)
 => [:"readattr#{name}", :"readattr#{name}"]

What did I do wrong here?

Thanks

kristianmandrup commented 12 years ago

Looks like the read_attributes functionality isn't working correctly.

vicwin commented 12 years ago

Is there a fix for this? I looked at the code and can't find the "read_attributes" method.

kristianmandrup commented 12 years ago

See cantango/api/attributes.rb

module CanTango
  module Api
    module Attributes
      [:read, :edit].each do |action|
        define_method :"#{action}_attribute" do |name|
          :"#{action}_attr_\#{name}"
        end

        define_method :"#{action}_attributes" do |*names|
          names.select_symbols.map { |name| send("#{action}_attribute", name) }
        end
      end
    end
  end
end

Should most likely be changed to the following (too much meta-magic before!):

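module CanTango
  module Api
    module Attributes
      # Action symbol for reading a single attribute, e.g. :read_attr_phone
      def read_attribute name
        :"read_attr_#{name}"
      end

      # Action symbol for editing a single attribute, e.g. :edit_attr_phone
      def edit_attribute name
        :"edit_attr_#{name}"
      end

      # read_attributes / edit_attributes: map each name to its action symbol
      [:read, :edit].each do |action|
        define_method :"#{action}_attributes" do |*names|
          names.select_symbols.map { |name| send("#{action}_attribute", name) }
        end
      end
    end
  end
end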

Let me know if it works ;)
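
The difference between the two snippets in the thread, as an added example that is not part of the issue or of CanTango's code: with the escaped `\#{name}`, every attribute yields the same action symbol, so rules for different attributes cannot be told apart. `grep(Symbol)` stands in for `select_symbols`, and the module names and `distinct_attribute_actions?` are hypothetical.

```ruby
# Added example, not CanTango's own code. Stand-alone modules mirror the two
# snippets in the thread; Array#grep(Symbol) stands in for select_symbols.

module BuggyAttributes
  [:read, :edit].each do |action|
    define_method :"#{action}_attribute" do |name|
      :"#{action}_attr_\#{name}" # escaped '#': name is never interpolated
    end
    define_method :"#{action}_attributes" do |*names|
      names.grep(Symbol).map { |name| send("#{action}_attribute", name) }
    end
  end
end

module FixedAttributes
  def read_attribute(name)
    :"read_attr_#{name}"
  end

  def edit_attribute(name)
    :"edit_attr_#{name}"
  end

  [:read, :edit].each do |action|
    define_method :"#{action}_attributes" do |*names|
      names.grep(Symbol).map { |name| send("#{action}_attribute", name) }
    end
  end
end

# Hypothetical regression check: every attribute must map to its own action
# symbol, and that symbol must end with the attribute name.
def distinct_attribute_actions?(api_module, action, names)
  api = Object.new.extend(api_module)
  actions = api.send("#{action}_attributes", *names)
  actions.uniq.size == names.size &&
    names.zip(actions).all? { |name, act| act.to_s.end_with?("_#{name}") }
end

if __FILE__ == $PROGRAM_NAME
  attrs = [:phone, :state] # attribute names from the issue
  p Object.new.extend(BuggyAttributes).read_attributes(*attrs)
  p Object.new.extend(FixedAttributes).read_attributes(*attrs)
  p distinct_attribute_actions?(BuggyAttributes, :read, attrs)
  p distinct_attribute_actions?(FixedAttributes, :read, attrs)
end
```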