ryanb / cancan

Authorization Gem for Ruby on Rails.
MIT License

Problem in authorizing nil object with singleton #802

Open jmaniv opened 11 years ago

jmaniv commented 11 years ago

I am using cancan 1.6.8 in my application

ApplicationController.rb

rescue_from ActiveRecord::RecordNotFound, :with => :throw_404
def throw_404
   redirect_to root_path, :flash => {:error => "Record not found"}
   #render :text => "40sdfasdfsdfsadf4 Not Found", :status => 404
end

routes.rb

resources :projects do
  resources :tasks
end

models/project.rb

has_one :task

ability.rb

can :read, Project, :user_id => current_user.id
can :manage, Task, :project => {:user_id => current_user.id}

tasks_controller.rb

class TasksController < ApplicationController
  load_and_authorize_resource :project
  load_and_authorize_resource :task, :through => :lab_visit, :singleton => true

  def show
    puts @task #=> nil
  end
end

url: http://localhost:3000/projects/2/tasks/1

Problem: CanCan doesn't authorize a nil object, which means CanCan doesn't redirect to root_path even when the @task object (@project.task) is nil (CanCan allows access to the show method). This happens only for singleton. I tested with a has_many association (project has_many tasks) and it redirects with the record not found exception.

I fixed this issue by calling authorize! :read, @task manually inside my show method; only then does CanCan redirect to root_path, but I have already loaded load_and_authorize_resource :task at the beginning of my TasksController.

How does CanCan authorize a nil object?
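The behaviour described in the report follows from how CanCan 1.6 authorizes a resource it could not load: it falls back to the resource class, and a hash-condition rule cannot be evaluated against a class, so the check passes. The following is an added example, not CanCan's own code: a stripped-down Ruby model of that rule evaluation, with a hardened variant that treats a missing singleton as "not found" instead of "authorized". Project, Task, MiniAbility and the user ids are constructed for this demonstration.

```ruby
# Constructed stand-ins for the models in the report (not ActiveRecord).
Project = Struct.new(:id, :user_id)
Task    = Struct.new(:id, :project)

# Simplified model of CanCan 1.6 rule evaluation for hash conditions.
class MiniAbility
  Rule = Struct.new(:action, :subject_class, :conditions)

  def initialize(user)
    @rules = []
    # Same shape as: can :manage, Task, :project => { :user_id => current_user.id }
    can(:manage, Task, project: { user_id: user.id })
  end

  def can(action, subject_class, conditions = {})
    @rules << Rule.new(action, subject_class, conditions)
  end

  # Mirrors CanCan: against a class subject the conditions hash cannot be
  # checked, so the mere existence of a matching rule grants access; against
  # an instance the nested conditions are compared attribute by attribute.
  def can?(action, subject)
    @rules.any? do |r|
      next false unless [:manage, action].include?(r.action)
      if subject.is_a?(Class)
        subject <= r.subject_class
      else
        subject.is_a?(r.subject_class) && matches?(subject, r.conditions)
      end
    end
  end

  def matches?(obj, conditions)
    conditions.all? do |attr, expected|
      value = obj.public_send(attr)
      expected.is_a?(Hash) ? matches?(value, expected) : value == expected
    end
  end
end

# What load_and_authorize_resource does for a singleton: authorize the loaded
# instance when there is one, otherwise fall back to the class (nil slips through).
def cancan_style_authorized?(ability, instance, klass)
  ability.can?(:read, instance || klass)
end

# Hardened variant: a missing singleton is a not-found error, never a pass.
# In Rails this would raise ActiveRecord::RecordNotFound for rescue_from.
def strict_authorized?(ability, instance)
  raise ArgumentError, "record not found" if instance.nil?
  ability.can?(:read, instance)
end
```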

xhoy commented 10 years ago

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013. Since only Ryan himself has commit permissions, the CanCan project is at a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!