stffn / declarative_authorization

An unmaintained authorization plugin for Rails. Please fork to support current versions of Rails
MIT License

Overriding :object in #permitted_to? should change skip_attribute_test #208

Open synth opened 9 years ago

synth commented 9 years ago

Consider the following:

    role :employee do
      has_permission_on :foo do
        if_attribute :has_special_permission? => is { true }
      end
    end

    class User < ActiveRecord::Base
      def has_special_permission?
        # fancy permission logic
      end
    end

    class FooController
      filter_access_to :index, attribute_check: true
    end

    <% if permitted_to?(:show, :foo, object: current_user) %>
      <!-- this link is scattered throughout the app -->
      <%= link_to "Foo", foo_path %>
    <% end %>

The intent here is that we have a non-resourceful controller and we want to check that a particular user has permission for this controller based on non-trivial logic buried in the User model.

The problem is in: https://github.com/stffn/declarative_authorization/blob/master/lib/declarative_authorization/in_controller.rb#L195

where :skip_attribute_test is determined based on the object variable, which has not yet been overridden by the merge of the options passed in. So if object is present in the override hash, :skip_attribute_test does not seem to reflect the intended behavior, which is: if object is present, don't skip the attribute test.

Is this a bug or is there a different way I should be accomplishing this?

Thanks!

synth commented 9 years ago

Just realized this can be worked around by explicitly passing in :skip_attribute_test like so:

    <% if permitted_to?(:show, :foo, object: current_user, skip_attribute_test: false) %>
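The failure mode described in the first comment and the workaround from the second, as an added runnable sketch that is not the gem's code: `options_for_permit_buggy`, `options_for_permit_fixed`, `permit?` and the `User` struct are constructed stand-ins that model how the options hash reaches the engine, nothing more.

```ruby
# Constructed stand-in for a model with non-trivial permission logic.
User = Struct.new(:special) do
  def has_special_permission?
    special
  end
end

# Models the reported behaviour: :skip_attribute_test is derived from the
# positional object BEFORE the caller's options hash is merged, so an
# `object:` supplied only via options leaves the flag set to true.
def options_for_permit_buggy(object_or_sym = nil, options = {})
  object  = object_or_sym.is_a?(Symbol) ? nil : object_or_sym
  context = object_or_sym.is_a?(Symbol) ? object_or_sym : nil
  { object: object, context: context, skip_attribute_test: object.nil? }.merge(options)
end

# Corrected ordering: merge first, then decide whether to skip the attribute
# test from the object that actually ended up in the hash. An explicit
# :skip_attribute_test from the caller is still honoured.
def options_for_permit_fixed(object_or_sym = nil, options = {})
  object  = object_or_sym.is_a?(Symbol) ? nil : object_or_sym
  context = object_or_sym.is_a?(Symbol) ? object_or_sym : nil
  result = { object: object, context: context }.merge(options)
  result[:skip_attribute_test] = result[:object].nil? unless result.key?(:skip_attribute_test)
  result
end

# Constructed stand-in for the engine's decision for `if_attribute
# :has_special_permission? => is { true }`: when the attribute test is
# skipped the rule grants unconditionally, which is the exposure.
def permit?(opts)
  return true if opts[:skip_attribute_test]
  obj = opts[:object]
  !obj.nil? && obj.has_special_permission?
end

if __FILE__ == $PROGRAM_NAME
  unprivileged = User.new(false)
  # Bug: attribute test silently skipped, unprivileged user is granted.
  puts permit?(options_for_permit_buggy(:foo, object: unprivileged))
  # Fix: attribute test runs and denies.
  puts permit?(options_for_permit_fixed(:foo, object: unprivileged))
  # Workaround from the thread: force the flag explicitly.
  puts permit?(options_for_permit_buggy(:foo, object: unprivileged, skip_attribute_test: false))
end
```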