Overriding :object in #permitted_to? should change skip_attribute_test #208

Open
@synth

Consider the following:

    # Authorization rules
    role :employee do
      has_permission_on :foo do
        if_attribute :has_special_permission? => is{true}
      end
    end

    # Model
    class User < ActiveRecord::Base
      def has_special_permission?
        # fancy permission logic
      end
    end

    # Controller
    class FooController
      filter_access_to :index, attribute_check: true
    end

    <%# View %>
    <% if permitted_to?(:show, :foo, object: current_user) %>
      <!-- this link is scattered throughout the app -->
      <%= link_to "Foo", foo_path %>
    <% end %>

The intent here is that we have a non-resourceful controller and we want to check that a particular user has permission for this controller based on non-trivial logic buried in the User model.

The problem is in: https://github.com/stffn/declarative_authorization/blob/master/lib/declarative_authorization/in_controller.rb#L195

where :skip_attribute_test is determined based on the object variable which has not yet been overridden by the merge of the options passed in. So if object is present in the override hash, :skip_attribute_test does not seem to reflect the intended behavior, which is: if object is present, don't skip the attribute test.

Is this a bug or is there a different way I should be accomplishing this?

Thanks!
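A minimal model of the ordering problem described in this issue, added here as an example and not taken from declarative_authorization or written by the reporter. `Engine`, `options_buggy`, `options_fixed` and the two `permitted_*?` helpers are hypothetical names, and the gem's real option handling may differ in detail.

```ruby
# Simplified stand-in for the option handling the issue describes.
# Not the gem's source: all names below are hypothetical.

# Constructed user model with the predicate used in the if_attribute rule.
User = Struct.new(:name, :special) do
  def has_special_permission?
    special
  end
end

# Stand-in engine: the role grants the privilege; the if_attribute constraint
# is evaluated only when the attribute test is not skipped.
module Engine
  def self.permit?(options)
    return true if options[:skip_attribute_test] # role-level grant only
    options[:object].has_special_permission? == true
  end
end

# Order described in the issue: the flag is derived from the local `object`
# (nil in a non-resourceful controller) BEFORE the caller's options are merged.
def options_buggy(object, overrides)
  { object: object, skip_attribute_test: object.nil? }.merge(overrides)
end

# Order the reporter expects: merge first, then derive the flag from the
# effective object, unless the caller set the flag explicitly.
def options_fixed(object, overrides)
  merged = { object: object }.merge(overrides)
  unless merged.key?(:skip_attribute_test)
    merged[:skip_attribute_test] = merged[:object].nil?
  end
  merged
end

def permitted_buggy?(overrides)
  Engine.permit?(options_buggy(nil, overrides))
end

def permitted_fixed?(overrides)
  Engine.permit?(options_fixed(nil, overrides))
end

plain = User.new("constructed-user", false) # constructed sample data
puts "buggy order: #{permitted_buggy?(object: plain)}" # attribute test skipped
puts "fixed order: #{permitted_fixed?(object: plain)}" # attribute test runs
```

In this model the early flag makes the check fail open: a user without the special permission still passes, so the link guarded by `permitted_to?` would render for every `:employee`.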
