-
-
Save CJStadler/2d6e6644a72286c823d71c3b96b92a80 to your computer and use it in GitHub Desktop.
CanCanCan Issue
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
begin | |
require 'bundler/inline' | |
rescue LoadError => e | |
$stderr.puts 'Bundler version 1.10 or later is required. Please update your Bundler' | |
raise e | |
end | |
gemfile(true) do | |
source 'https://rubygems.org' | |
gem 'rails', '6.1.7' # use correct rails version | |
gem 'cancancan', '3.5.0' # use correct cancancan version | |
gem 'sqlite3' # use another DB if necessary | |
end | |
require 'active_record' | |
require 'action_controller' | |
require 'cancancan' | |
require 'minitest/autorun' | |
require 'logger' | |
require 'cancan/model_adapters/conditions_extractor' | |
require 'cancan/model_adapters/conditions_normalizer' | |
require 'cancan/model_adapters/sti_normalizer' | |
require 'cancan/model_adapters/active_record_adapter' | |
require 'cancan/model_adapters/active_record_4_adapter' | |
require 'cancan/model_adapters/active_record_5_adapter' | |
require 'cancan/model_adapters/strategies/base' | |
require 'cancan/model_adapters/strategies/joined_alias_each_rule_as_exists_subquery' | |
require 'cancan/model_adapters/strategies/joined_alias_exists_subquery' | |
require 'cancan/model_adapters/strategies/left_join' | |
require 'cancan/model_adapters/strategies/subquery' | |
# This connection will do for database-independent bug reports. | |
ActiveRecord::Base.establish_connection(adapter: 'sqlite3', database: ':memory:') | |
ActiveRecord::Base.logger = Logger.new(STDOUT) | |
# create your tables here | |
ActiveRecord::Schema.define do | |
create_table :documents, force: true do |t| | |
end | |
create_table :users, force: true do |t| | |
t.string :role | |
end | |
create_table :document_authors, force: true do |t| | |
t.integer :user_id | |
t.integer :document_id | |
end | |
end | |
class Document < ActiveRecord::Base | |
has_many :document_authors | |
has_many :users, through: :document_authors | |
end | |
class User < ActiveRecord::Base | |
has_many :document_authors | |
has_many :documents, through: :document_authors | |
end | |
class DocumentAuthor < ActiveRecord::Base | |
belongs_to :document | |
belongs_to :user | |
end | |
class Ability | |
include CanCan::Ability | |
def initialize(user) | |
# Users can read documents they are an author of | |
can :read, Document, document_authors: {user_id: user.id} | |
# This approach passes the `can?` test but fails the `accessible_by` test on 3.5.0 | |
# can :read, Document, document_authors: {user: {id: user.id}} | |
end | |
end | |
class BugTest < Minitest::Test | |
def test_users_can_only_read_own_documents | |
user1 = User.create! | |
document_by_user1 = Document.create!(users: [user1]) | |
document_without_user = Document.create! | |
# This user is not the author of any documents. | |
anonymous_user = User.new | |
ability = Ability.new(anonymous_user) | |
assert !ability.can?(:read, document_by_user1) | |
# This passes in 3.4.0 but fails in 3.5.0 | |
assert !ability.can?(:read, document_without_user) | |
documents = Document.accessible_by(ability, :read) | |
# This fails in both 3.4.0 and 3.5.0 | |
assert_equal 0, documents.size | |
end | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment