stffn / declarative_authorization

An unmaintained authorization plugin for Rails. Please fork to support current versions of Rails
MIT License
1.24k stars 233 forks

"additional_collection" attribute doesn't work with Rails 4 by default #204

Open tanelj opened 9 years ago

tanelj commented 9 years ago

It seems that the :additional_collection attribute is ignored in Rails 4 (4.2.1) or when :strong_parameters is set to true. Example:

filter_resource_access context: :users, additional_collection: [:search]

Accessing /users/search tries to load an object and raises an error:

filter_access_to tried to find User from params[:id] (nil), because attribute_check is enabled and @user isn't set, but failed: ActiveRecord::RecordNotFound: Couldn't find User with 'id'=

At the moment the line https://github.com/stffn/declarative_authorization/blob/45e91af20eba71b2828c5c84066bcce3ef032e8a/lib/declarative_authorization/in_controller.rb#L510 is:

no_attribute_check_actions = options[:strong_parameters] ? actions_from_option(options[:collection]).merge(actions_from_option([:create])) : collections

But it seems that the correct one should be:

no_attribute_check_actions = options[:strong_parameters] ? collections.merge(actions_from_option([:create])) : collections

@zeiv - is that correct?

zeiv commented 9 years ago

You are right, it should merge from the collections variable to pick up :additional_collection. Good catch!
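
The difference between the two expressions discussed in this thread, as an added example that is not the plugin's own code. It models only the computation around line 510; the `DEFAULTS` hash, the simplified `actions_from_option` stand-in, and the `no_attribute_check_actions` and `report` methods are assumptions made for illustration, with `collections` built from `:collection` plus `:additional_collection` as the reply above describes.

```ruby
# Simplified stand-in for the plugin's option normalisation (assumption:
# only nil, Symbol/String, Hash and Array forms are modelled here).
def actions_from_option(option)
  case option
  when nil then {}
  when Symbol, String then { option.to_sym => option.to_sym }
  when Hash then option
  else option.each_with_object({}) { |a, h| h[a.to_sym] = a.to_sym }
  end
end

# Assumed defaults for the options this example cares about.
DEFAULTS = { collection: [:index], additional_collection: nil,
             strong_parameters: false }.freeze

# Returns the sorted action names that skip the attribute check, i.e. the
# actions for which no object is loaded from params[:id].
def no_attribute_check_actions(user_options, fixed:)
  options = DEFAULTS.merge(user_options)
  collections = actions_from_option(options[:collection])
                .merge(actions_from_option(options[:additional_collection]))
  result =
    if !options[:strong_parameters]
      collections
    elsif fixed
      # Proposed line: start from `collections`, so additional actions survive.
      collections.merge(actions_from_option([:create]))
    else
      # Current line: rebuilds from :collection only, dropping the extras.
      actions_from_option(options[:collection])
        .merge(actions_from_option([:create]))
    end
  result.keys.sort
end

# Side-by-side view of both expressions for one set of controller options.
def report(user_options)
  { before: no_attribute_check_actions(user_options, fixed: false),
    after:  no_attribute_check_actions(user_options, fixed: true) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the filter_resource_access call in the report.
  p report({ additional_collection: [:search], strong_parameters: true })
end
```

With `strong_parameters` enabled, `:search` is missing from the "before" list, so the filter attempts an object lookup for it, which matches the `RecordNotFound` error in the report.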