This repository has been archived by the owner on Dec 12, 2021. It is now read-only.

CanCan::InsufficientAuthorizationCheck, but the record is saved nonetheless #699

Open
acesuares opened this issue Jul 25, 2012 · 3 comments

Comments

@acesuares

In ability.rb I have:

    user ||= User.new # guest user (User model, not the nil user variable)

    if user.id == 1 #quick hack
      can :access, :all
    else # no further condition: everyone else gets the owner-scoped rules
      can :read, :domains, [:name, :entries], :user_id => user.id
      can [:read, :update], :domains, [:autoapprove, :use_recaptcha], :user_id => user.id
      can :read, :entries, :domain => { :user_id => user.id }
      cannot :read, :entries, :domain
      can :update, :entries, :approved, :domain => { :user_id => user.id }
    end

The error happens in the after_filter at line 266:

 263          after_filter(options.slice(:only, :except)) do |controller|
   264            break if options[:if] && !controller.send(options[:if])
=> 265            break if options[:unless] && controller.send(options[:unless])
   266            unless controller.current_ability.fully_authorized? controller.params[:action], controller.params[:controller]
   267              raise CanCan::InsufficientAuthorizationCheck, "Authorization check is not sufficient for this action. This is probably because you have conditions or attributes defined in Ability and are not checking for them in the action. One way to solve this is adding load_and_authorize_resource to this controller."
   268            end
   269          end

controller.params[:action], controller.params[:controller] = 'update', 'domains'

In the debugger I find this:

(rdb:1) pp controller.current_ability
#<Ability:0xb5f466d0
 @aliases=
  {:subjects=>{},
   :actions=>
    {:read=>[:index, :show],
     :create=>[:new],
     :update=>[:edit],
     :destroy=>[:delete]}},
 @rules=
  [#<CanCan::Rule:0xb5f46630
    @actions=[:read],
    @attributes=[:name, :entries],
    @base_behavior=true,
    @block=nil,
    @conditions={:user_id=>2},
    @expanded_actions=[:read, :index, :show],
    @expanded_subjects=[:domains],
    @match_all=false,
    @subjects=[:domains]>,
   #<CanCan::Rule:0xb5f464a0
    @actions=[:read, :update],
    @attributes=[:autoapprove, :use_recaptcha],
    @base_behavior=true,
    @block=nil,
    @conditions={:user_id=>2},
    @expanded_actions=[:read, :index, :show, :update, :edit],
    @expanded_subjects=[:domains],
    @match_all=false,
    @subjects=[:domains]>,
   #<CanCan::Rule:0xb5f4634c
    @actions=[:read],
    @base_behavior=true,
    @block=nil,
    @conditions={:domain=>{:user_id=>2}},
    @expanded_actions=[:read, :index, :show],
    @expanded_subjects=[:entries],
    @match_all=false,
    @subjects=[:entries]>,
   #<CanCan::Rule:0xb5f46298
    @actions=[:read],
    @attributes=[:domain],
    @base_behavior=false,
    @block=nil,
    @conditions={},
    @expanded_actions=[:read, :index, :show],
    @expanded_subjects=[:entries],
    @match_all=false,
    @subjects=[:entries]>,
   #<CanCan::Rule:0xb5f46108
    @actions=[:update],
    @attributes=[:approved],
    @base_behavior=true,
    @block=nil,
    @conditions={:domain=>{:user_id=>2}},
    @expanded_actions=[:update, :edit],
    @expanded_subjects=[:entries],
    @match_all=false,
    @subjects=[:entries]>]>

What happens is this: I show a form, where I show a domain and try to update the autoapprove checkbox.
My update method in the controller looks like this:

    # :update updates a specific attribute from an object.
    def update
      @object = @Klass.find(params[:id])
      @attribute = params[:attribute]
      @form_element = params[:form_element]
      @sub_id = params[:sub_id]
      @update_span = params[:update]
      send("#{@form_element.to_s}_update", @object, @attribute)
      @object.save
      respond_to do |format|
        debugger
        format.js { }
      end
    end

So, everything happens up to the rendering. The value is saved to the object nicely.
But when the after_filter kicks in, it throws this InsufficientAuthorizationCheck exception.

Any ideas on why?
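The sequence the report describes, as an added example that is not code from the issue or from CanCan: a controller action that mutates and saves a record and only afterwards has an after_filter ask whether an authorization check ever ran. The filter can raise, but it cannot undo the save that already happened inside the action; the fix is to call authorize! on the attribute-level rule before touching the record. Everything here is a plain-Ruby stand-in (the `Domain`, `Store`, `Ability`, `DomainsController` classes and the `attempt` helper are hypothetical, and `fully_authorized?` is modelled, not the library's implementation); the sample data (domain 1 owned by user 2) is constructed.

```ruby
class InsufficientAuthorizationCheck < StandardError; end
class AccessDenied < StandardError; end

# Hypothetical record standing in for the ActiveRecord model in the issue.
class Domain
  attr_accessor :id, :user_id, :autoapprove
  def initialize(id, user_id, autoapprove)
    @id, @user_id, @autoapprove = id, user_id, autoapprove
  end
end

# Hypothetical in-memory store; save writes the record back like ActiveRecord#save.
class Store
  def initialize(records)
    @records = {}
    records.each { |r| @records[r.id] = r.dup }
  end
  def find(id); @records.fetch(id).dup; end
  def save(record); @records[record.id] = record.dup; true; end
end

# Hypothetical ability modelled on the rule from the issue: a user may read/update
# :autoapprove and :use_recaptcha on domains whose user_id is their own.
class Ability
  Rule = Struct.new(:actions, :subject, :attributes, :conditions)

  def initialize(user_id)
    @rules = [Rule.new([:read, :update], :domains, [:autoapprove, :use_recaptcha], { user_id: user_id })]
    @authorized = [] # (action, subject) pairs that went through authorize!
  end

  def can?(action, record, attribute = nil)
    @rules.any? do |rule|
      rule.actions.include?(action) &&
        rule.subject == :domains && record.is_a?(Domain) &&
        (attribute.nil? || rule.attributes.include?(attribute)) &&
        rule.conditions.all? { |field, value| record.public_send(field) == value }
    end
  end

  def authorize!(action, record, attribute = nil)
    raise AccessDenied, "cannot #{action} #{attribute} on domain #{record.id}" unless can?(action, record, attribute)
    @authorized << [action, :domains]
    true
  end

  # Modelled after fully_authorized?: did an authorize! call cover this action/subject?
  def fully_authorized?(action, subject)
    @authorized.include?([action, subject])
  end
end

# Minimal controller harness: the action body runs first, the after_filter only afterwards
# (an exception inside the action skips the filter, as in Rails).
class DomainsController
  def initialize(store, ability)
    @store, @ability = store, ability
  end

  def run(action, params)
    public_send(action, params)
    after_filter(action)
  end

  def after_filter(action)
    return if @ability.fully_authorized?(action, :domains)
    raise InsufficientAuthorizationCheck, "#{action} on domains was never authorized"
  end
end

# Mirrors the issue's update: find, mutate, save, never authorize!. The write lands
# before the after_filter gets a chance to complain.
class UncheckedDomainsController < DomainsController
  def update(params)
    domain = @store.find(params[:id])
    domain.public_send("#{params[:attribute]}=", params[:value])
    @store.save(domain)
  end
end

# Fixed variant: authorize the specific attribute before mutating anything, so a
# non-owner, or an owner touching an attribute outside the rule, never reaches save.
class CheckedDomainsController < DomainsController
  def update(params)
    domain = @store.find(params[:id])
    attribute = params[:attribute].to_sym
    @ability.authorize!(:update, domain, attribute)
    domain.public_send("#{attribute}=", params[:value])
    @store.save(domain)
  end
end

# Runs one update as acting_user_id against a fresh store (domain 1 belongs to user 2)
# and reports which error was raised and what the stored record looks like afterwards.
def attempt(controller_class, acting_user_id, params)
  store = Store.new([Domain.new(1, 2, false)])
  controller = controller_class.new(store, Ability.new(acting_user_id))
  error = nil
  begin
    controller.run(:update, params)
  rescue InsufficientAuthorizationCheck, AccessDenied => e
    error = e.class
  end
  saved = store.find(1)
  { error: error, autoapprove: saved.autoapprove, user_id: saved.user_id }
end

if __FILE__ == $PROGRAM_NAME
  p attempt(UncheckedDomainsController, 3, { id: 1, attribute: "autoapprove", value: true })
  p attempt(CheckedDomainsController, 3, { id: 1, attribute: "autoapprove", value: true })
end
```

Run as a script, the first line shows the unchecked controller raising InsufficientAuthorizationCheck for user 3 while autoapprove is already true in the store, which is exactly "the record is saved nonetheless"; the checked controller raises AccessDenied and leaves the record untouched. The attribute-level authorize! also blocks an owner from driving the dynamic setter at an attribute the rule does not list, such as user_id.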

@acesuares
Author

I don't get it. I uncommented line #267, just to be able to proceed.

@xhoy

xhoy commented Apr 10, 2014

Dear submitter, since cancan/ryanb hasn't been active for more than 6 months and nobody other than Ryan himself has commit permissions, the cancan project is at a standstill.
Since cancan has several issues, including missing support for Rails 4, cancan is moving forward to cancancan. More details on: #994

If you feel that your pull request or bug is still applicable (and hasn't been merged into cancan), it would be really appreciated if you would resubmit it to cancancan (https://github.com/cancancommunity/cancancan).

We hope to see you on the other side!

@acesuares
Author

Great, @xhoy looking forward to improvements!
