"additional_collection" attribute does't work with Rails 4 by default

[tanelj]

It seems that :additional_collection attribute is ignored in Rails 4 (4.2.1) or when :strong_parameters is set to true. Example:

filter_resource_access context: :users, additional_collection: [:search]

Accessing to /users/search tries to load object a raises error:

filter_access_to tried to find User from params[:id] (nil), because attribute_check is enabled and @user isn't set, but failed: ActiveRecord::RecordNotFound: Couldn't find User with 'id'=

At the moment the line

declarative_authorization/lib/declarative_authorization/in_controller.rb

Line 510 in 45e91af

no_attribute_check_actions = options[:strong_parameters] ? actions_from_option(options[:collection]).merge(actions_from_option([:create])) : collections

is:

no_attribute_check_actions = options[:strong_parameters] ? actions_from_option(options[:collection]).merge(actions_from_option([:create])) : collections

But it seems that correct one should be:

no_attribute_check_actions = options[:strong_parameters] ? collections.merge(actions_from_option([:create])) : collections

@zeiv - is that correct?

[viacommits]

You are right, it should merge from the collections variable to pick up :additional_collection. Good catch!