Module: Pageflow::ActiveAdminCanCanFix Private

Included in:
AbilityMixin
Defined in:
lib/pageflow/active_admin_can_can_fix.rb

Overview

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

ActiveAdmin passes class objects to CanCan when authorizing access to the "index" and "new resource" pages. CanCan does not evaluate `can` blocks when classes are passed as subjects; a block-based rule is treated as matching. Since the ability definitions in AbilityMixin rely on block evaluation for all but the `admin` case, this causes "new" buttons and menu items to be displayed even though access should not be permitted.

See also https://github.com/activeadmin/activeadmin/issues/5144

Detect these cases and pass the collection name as subject instead. To prevent collision with existing cases, rename actions:

:read, User  ->  :index, :users
:create, User  ->  :create_any, :users
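The following is an added, self-contained example (not Pageflow's code) that reproduces the problem and the fix without the CanCan or ActiveSupport gems. `MiniAbility` is a deliberately simplified stand-in for CanCan's rule matching that keeps only the relevant behaviour: a rule defined with a block counts as a match when the subject is a class, because there is no instance to hand to the block. `User`, `Account`, `PlainAbility`, `FixedAbility`, `ClassSubjectFix` and `check_new_button` are constructed for the demonstration; the fix module mirrors the `can?` override documented on this page.

```ruby
# Simplified model of CanCan rule matching (constructed for this example).
module MiniAbility
  Rule = Struct.new(:action, :subject, :block)

  def rules
    @rules ||= []
  end

  def can(action, subject, &block)
    rules << Rule.new(action, subject, block)
  end

  def can?(action, subject)
    subject_class = subject.is_a?(Class) ? subject : subject.class
    rules.any? do |rule|
      next false unless rule.action == action
      next false unless rule.subject == subject_class || rule.subject == subject
      # The quirk being worked around: block rules are not evaluated for
      # class subjects, so the rule simply counts as matching.
      next true if rule.block.nil? || subject.is_a?(Class)
      rule.block.call(subject)
    end
  end
end

# Constructed domain objects standing in for the application's models.
User = Struct.new(:name, :account, :admin)
Account = Struct.new(:name)

# Constructed ability rules in the style the page describes: instance-level
# access is decided in blocks, collection-level access (index / "new") is
# granted explicitly under renamed actions, here only to admins.
module DemoRules
  def initialize(current_user)
    can(:read, User) { |other| other.account == current_user.account }
    can(:create, User) { |other| other.account == current_user.account }
    return unless current_user.admin

    can(:index, :users)
    can(:create_any, :users)
  end
end

# Mirrors the override on this page: for class subjects, ask about the
# collection instead, under actions that cannot collide with existing rules.
module ClassSubjectFix
  RESOURCES = [User, Account].freeze

  def can?(action, subject)
    if [:read, :new, :create].include?(action) && RESOURCES.include?(subject)
      # Stand-in for demodulize.underscore.pluralize.to_sym without ActiveSupport.
      collection_name = :"#{subject.name.downcase}s"
      action == :read ? super(:index, collection_name) : super(:create_any, collection_name)
    else
      super
    end
  end
end

class PlainAbility
  include MiniAbility
  include DemoRules
end

class FixedAbility
  include MiniAbility
  include DemoRules
  include ClassSubjectFix   # sits before MiniAbility in the ancestor chain, so super reaches it
end

# Returns what ActiveAdmin-style checks (class subjects) and ordinary
# instance checks would answer for the given user.
def check_new_button(ability_class, current_user)
  ability = ability_class.new(current_user)
  {
    new_button_shown: ability.can?(:create, User),
    index_shown: ability.can?(:read, User),
    create_same_account: ability.can?(:create, User.new('Bob', current_user.account, false)),
    create_other_account: ability.can?(:create, User.new('Eve', Account.new('other'), false))
  }
end

if $PROGRAM_NAME == __FILE__
  editor = User.new('Alice', Account.new('acme'), false)
  puts "without fix: #{check_new_button(PlainAbility, editor)}"
  puts "with fix:    #{check_new_button(FixedAbility, editor)}"
end
```

For a non-admin editor, `PlainAbility` reports `can?(:create, User)` as true (the "new" button appears) although the same user is denied creating a user in another account; `FixedAbility` answers the class-subject question through `:create_any, :users`, which only admins hold, while instance checks still go through the original blocks unchanged.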

Instance Method Summary

Instance Method Details

#can?(action, subject) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns:

  • (Boolean)


# File 'lib/pageflow/active_admin_can_can_fix.rb', line 19

def can?(action, subject)
  # ActiveAdmin authorizes index/new pages with the resource class itself.
  if [:read, :new, :create].include?(action) &&
     [Entry, Account, User].include?(subject)
    # e.g. Pageflow::Entry -> :entries
    collection_name = subject.name.demodulize.underscore.pluralize.to_sym

    # Ask about the collection under renamed actions so the answer comes
    # from explicit rules rather than from unevaluated blocks.
    if action == :read
      super(:index, collection_name)
    else
      super(:create_any, collection_name)
    end
  else
    super
  end
end