Module: Pageflow::ActiveAdminCanCanFix Private
- Included in:
- AbilityMixin
- Defined in:
- lib/pageflow/active_admin_can_can_fix.rb
Overview
This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.
ActiveAdmin passes class objects to CanCan when authorizing access to the “index” and “new resource” pages. CanCan does not evaluate `can` blocks when classes are passed as subjects. Since the above code relies on block evaluation for all but the `admin` case, this causes “new” buttons and menu items to be displayed even though access should not be permitted.
See also github.com/activeadmin/activeadmin/issues/5144
Detect these cases and pass the collection name as subject instead. To prevent collision with existing cases, rename actions:
:read, User -> :index, :users
:create, User -> :create_any, :users
Instance Method Summary
- #can?(action, subject) ⇒ Boolean private
Instance Method Details
#can?(action, subject) ⇒ Boolean
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
# File 'lib/pageflow/active_admin_can_can_fix.rb', line 19

def can?(action, subject)
  if [:read, :new, :create].include?(action) &&
     [Entry, Account, User].include?(subject)
    collection_name = subject.name.demodulize.underscore.pluralize.to_sym

    if action == :read
      super(:index, collection_name)
    else
      super(:create_any, collection_name)
    end
  else
    super
  end
end
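The failure mode and the remapping described in the overview, as an added example that is not Pageflow's or CanCan's own code. `ToyAbility` is a constructed stand-in that, like CanCan, skips a rule's block for class subjects; `User`, `Entry`, `CollectionSubjectFix`, `FixedAbility`, `build_ability` and the rule set are assumptions made for illustration.

```ruby
# Constructed stand-ins for Pageflow's models (not the real classes).
User  = Struct.new(:name, :publisher)
Entry = Struct.new(:owner)

# Toy model of the behaviour described above, not CanCan's implementation:
# a rule's block is called only when the subject is an instance.
class ToyAbility
  def initialize
    @rules = []
  end

  def can(action, subject, &block)
    @rules << [action, subject, block]
  end

  def can?(action, subject)
    @rules.any? do |rule_action, rule_subject, block|
      next false unless rule_action == action
      # Class or symbol subject: match on identity alone, block skipped.
      next rule_subject == subject if subject.is_a?(Class) || subject.is_a?(Symbol)
      rule_subject.is_a?(Class) && subject.is_a?(rule_subject) &&
        (block.nil? || block.call(subject))
    end
  end
end

# Same remapping as the module on this page. Assumption: a fixed table
# replaces ActiveSupport's demodulize.underscore.pluralize.
module CollectionSubjectFix
  COLLECTIONS = { Entry => :entries, User => :users }.freeze

  def can?(action, subject)
    return super unless %i[read new create].include?(action) && COLLECTIONS.key?(subject)
    super(action == :read ? :index : :create_any, COLLECTIONS[subject])
  end
end

class FixedAbility < ToyAbility
  include CollectionSubjectFix
end

# Hypothetical rule set: block rules per record, explicit collection grants.
def build_ability(ability_class, user)
  ability = ability_class.new
  ability.can(:read, Entry)   { |entry| entry.owner == user }
  ability.can(:create, Entry) { |entry| user.publisher && entry.owner == user }
  ability.can(:index, :entries)
  ability.can(:create_any, :entries) if user.publisher
  ability
end
```

With the plain ability, `can?(:create, Entry)` is true for a user whose block would reject every record, which is what makes the “new” button appear. With the fix included, the same check is answered by the explicit `:create_any, :entries` grant, while instance checks still reach the block.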