ryanb / cancan

Authorization Gem for Ruby on Rails.
MIT License

Ability class: Blocks to cannot have no effect #1007

Closed oldschoolguy closed 10 years ago

oldschoolguy commented 10 years ago

If you are specifying cannot rules with block arguments in the Ability class, the block argument has no effect.

How to reproduce:

app/models/ability.rb:

class Ability
  ...
  cannot :something, Post do |p|
    true
  end

  cannot :otherthing, Post do |p|
    false
  end
  ...
end

Rails console:

>> Ability.new(User.first).can?(:something, Post)
=> false
>> Ability.new(User.first).can?(:something, Post.first)
=> false
>> Ability.new(User.first).can?(:otherthing, Post)
=> false
>> Ability.new(User.first).can?(:otherthing, Post.first)
=> false

The return value is false for all possible combinations - hence specifying the block has no effect.

Can somebody provide me with a solution for this?

Halloran commented 10 years ago

I think the confusion here is that Ability will default to false. Unless you've explicitly granted the ability, it is not there.

cannot :otherthing, Post do |p|
  false
end

Does not mean that the user can otherthing, it just falls back to the default. If you really want the functionality implied above, you should do:

can :otherthing, Post do |p|
  true
end

oldschoolguy commented 10 years ago

OK, I get it. Makes perfect sense. Sorry for the confusion.
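
The deny-by-default behaviour discussed in this thread, as an added example that is not part of the original issue and not CanCan's own code: `MiniAbility` and the `Post` struct are hypothetical stand-ins, and the newest-rule-first precedence is an assumption modelled on CanCan's documented rule ordering. It shows that a `cannot` block only has a visible effect when it carves an exception out of an earlier `can`.

```ruby
# Simplified model of deny-by-default rule evaluation (NOT CanCan's source).
# MiniAbility and Post are hypothetical stand-ins so this runs without Rails.
Post = Struct.new(:title, :locked)

class MiniAbility
  Rule = Struct.new(:allow, :action, :klass, :block)

  def initialize
    @rules = []
    yield self if block_given?
  end

  def can(action, klass, &block)
    @rules << Rule.new(true, action, klass, block)
  end

  def cannot(action, klass, &block)
    @rules << Rule.new(false, action, klass, block)
  end

  # Assumption: newest rule first. The first rule that applies to the object
  # decides the answer; if no rule applies at all, the answer is false.
  def can?(action, object)
    rule = @rules.reverse.find do |r|
      r.action == action && object.is_a?(r.klass) &&
        (r.block.nil? || r.block.call(object))
    end
    rule ? rule.allow : false
  end
end

# The rules from the issue: only `cannot`, so nothing is ever granted.
ISSUE = MiniAbility.new do |a|
  a.cannot(:something, Post) { |_p| true }
  a.cannot(:otherthing, Post) { |_p| false }
end

# A `cannot` block takes effect once a broader `can` precedes it.
FIXED = MiniAbility.new do |a|
  a.can :otherthing, Post
  a.cannot(:otherthing, Post) { |p| p.locked }
end

OPEN_POST   = Post.new("constructed sample", false)
LOCKED_POST = Post.new("constructed sample", true)

p issue: [ISSUE.can?(:something, OPEN_POST), ISSUE.can?(:otherthing, OPEN_POST)]
p fixed: [FIXED.can?(:otherthing, OPEN_POST), FIXED.can?(:otherthing, LOCKED_POST)]
```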