Consider the following:

```ruby
role :employee do
  has_permission_on :foo do
    if_attribute :has_special_permission? => is { true }
  end
end
```

```ruby
class User < ActiveRecord::Base
  def has_special_permission?
    # fancy permission logic
  end
end

class FooController
  filter_access_to :index, attribute_check: true
end
```

```erb
<% if permitted_to?(:show, :foo, object: current_user) %>
  <!-- this link is scattered throughout the app -->
  <%= link_to "Foo", foo_path %>
<% end %>
```
The intent here is that we have a non-resourceful controller and we want to check that a particular user has permission for this controller based on non-trivial logic buried in the User model.
The problem is in: https://github.com/stffn/declarative_authorization/blob/master/lib/declarative_authorization/in_controller.rb#L195
where :skip_attribute_test is determined based on the object variable which has not yet been overridden by the merge of the options passed in. So if object is present in the override hash, :skip_attribute_test does not seem to reflect the intended behavior, which is: if object is present, don't skip the attribute test.
Is this a bug or is there a different way I should be accomplishing this?
Thanks!
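An added illustration of the ordering problem described in the post above (not code from the original post or from declarative_authorization): a simplified model in which the defaults hash is built before the caller's options are merged, next to a variant that merges first. The function names, the `User` struct and the toy `permitted?` check are assumptions made for this example.

```ruby
# Simplified model of the option-merging order described in the issue.
# All names are hypothetical; this is not declarative_authorization code.
User = Struct.new(:special) do
  def has_special_permission?
    special
  end
end

# Defaults are derived from the positional argument BEFORE the caller's
# options are merged, so an :object passed via options leaves
# :skip_attribute_test at true.
def options_defaults_first(object_or_sym, options = {})
  object  = object_or_sym.is_a?(Symbol) ? nil : object_or_sym
  context = object_or_sym.is_a?(Symbol) ? object_or_sym : nil
  { object: object, context: context,
    skip_attribute_test: object.nil? }.merge(options)
end

# Merge first, then derive the flag from the final :object, unless the
# caller set :skip_attribute_test explicitly.
def options_merge_first(object_or_sym, options = {})
  object  = object_or_sym.is_a?(Symbol) ? nil : object_or_sym
  context = object_or_sym.is_a?(Symbol) ? object_or_sym : nil
  merged = { object: object, context: context }.merge(options)
  unless options.key?(:skip_attribute_test)
    merged[:skip_attribute_test] = merged[:object].nil?
  end
  merged
end

# Toy check: the role grants access; the attribute test can still deny it.
def permitted?(opts)
  return true if opts[:skip_attribute_test] # attribute rule never evaluated
  opts[:object].has_special_permission? == true
end

unprivileged = User.new(false) # constructed sample user
buggy = options_defaults_first(:foo, object: unprivileged)
fixed = options_merge_first(:foo, object: unprivileged)
puts "defaults first: skip=#{buggy[:skip_attribute_test]} permitted=#{permitted?(buggy)}"
puts "merge first:    skip=#{fixed[:skip_attribute_test]} permitted=#{permitted?(fixed)}"
```

In this model the defaults-first variant fails open: the attribute rule is never consulted for a user whose predicate returns false.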