Hello,
I have the following rule:
    role :generic_user do
      has_permission_on :admin_users, :to => [:update, :show, :edit] do
        if_attribute :id => is {user.id}, :test_method => true
      end
    end
test_method is defined like this:
    class User < ActiveRecord::Base
      has_and_belongs_to_many :roles

      def test_method
        true
      end

      def role_symbols
        roles.select(:name).map {|r| r.name.parameterize.underscore.to_sym} << :generic_user
      end
    end
If I try to access the /admin/user page, the rule is correctly taken into consideration: I can change the return value of test_method from true to false, and permit seems to do its work correctly, because I get the form if true and am redirected to access_denied if false.
But if I try to do
    <% User.with_permissions_to(:show, context: :admin_users).each do |u| %>
      <%= u.name %>
    <% end %>
(note: I must set the context because my user controller is in an admin module)
This fails:
    PG::InvalidTextRepresentation: ERROR: invalid input syntax for integer: "f"
    LINE 1: ...ECT "users".* FROM "users" WHERE (("users"."id" = 'f' AND "u...
                                                                 ^
    : SELECT "users".* FROM "users" WHERE (("users"."id" = 'f' AND "users"."id" = 'f'))
I get 't' or 'f', depending on the return value of the method.
But if I reverse the rule like this:
    role :generic_user do
      has_permission_on :admin_users, :to => [:update, :show, :edit] do
        if_attribute :test_method => true, :id => is {user.id}
      end
    end
Access to the page still depends on the return value of test_method, but with_permissions_to doesn't fail; it just ignores the first method part of the rule and only considers the "id is user.id" condition attribute.
I do that because I would like to define methods that would perform SQL queries to define hierarchical access rules.
Thank you for your work and future help,
PH