kristianmandrup / cantango

CanCan extension with role oriented permission management, rules caching and much more

Attribute level authorization not working

vicwin opened this issue · comments

I have created a rule like this in the Role Permit:
can read_attributes(:phone, :state), User

and I am getting false by calling:
user_can? read_attributes(:phone, :state), User

and read_attribute returns a string like the following:
ruby-1.9.3-p0 :005 > read_attributes(:phone, :state)
=> [:"read_attr_#{name}", :"read_attr_#{name}"]

What did I do wrong here?

Thanks

Looks like the read_attributes functionality isn't working correctly.

Is there a fix for this? I looked at the code and can't find the "read_attributes" method.

See cantango/api/attributes.rb

module CanTango
  module Api
    module Attributes
      [:read, :edit].each do |action|
        define_method :"#{action}_attribute" do |name|
          :"#{action}_attr_\#{name}"
        end

        define_method :"#{action}_attributes" do |*names|
          names.select_symbols.map { |name| send("#{action}_attribute", name) }
        end
      end
    end
  end
end

Should most likely be changed to the following (too much meta-magic before!):

module CanTango
  module Api
    module Attributes
      def read_attribute name
        :"read_attr_#{name}"
      end

      def edit_attribute name
        :"edit_attr_#{name}"
      end

      [:read, :edit].each do |action|
        define_method :"#{action}_attributes" do |*names|
          names.select_symbols.map { |name| send("#{action}_attribute", name) }
        end
      end
    end
  end
end

Let me know if it works ;)
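The escaped-interpolation defect discussed in this thread, reproduced side by side with a corrected form, as an added example that is not part of any comment above and is not CanTango's own code. The module names `BuggyAttributes` and `FixedAttributes` and the `distinct_actions?` check are hypothetical, and `grep(Symbol)` stands in for `select_symbols` as an assumption.

```ruby
# Added illustration, not CanTango code. Module and helper names are hypothetical;
# grep(Symbol) is an assumed stand-in for the select_symbols extension.

module BuggyAttributes
  [:read, :edit].each do |action|
    define_method :"#{action}_attribute" do |name|
      :"#{action}_attr_\#{name}" # the backslash escapes '#', so name is never interpolated
    end

    define_method :"#{action}_attributes" do |*names|
      names.grep(Symbol).map { |name| send("#{action}_attribute", name) }
    end
  end
end

module FixedAttributes
  [:read, :edit].each do |action|
    define_method :"#{action}_attribute" do |name|
      :"#{action}_attr_#{name}" # name is interpolated into the action symbol
    end

    define_method :"#{action}_attributes" do |*names|
      names.grep(Symbol).map { |name| send("#{action}_attribute", name) }
    end
  end
end

class Buggy; include BuggyAttributes; end
class Fixed; include FixedAttributes; end

# Regression check: each attribute name must yield its own per-attribute action
# symbol. If names collapse into one symbol, a permit rule cannot tell
# :phone from :state and attribute-level rules stop meaning anything.
def distinct_actions?(api, action, names)
  actions = api.public_send("#{action}_attributes", *names)
  actions.uniq.size == names.size &&
    names.all? { |n| actions.include?(:"#{action}_attr_#{n}") }
end

if __FILE__ == $PROGRAM_NAME
  p Buggy.new.read_attributes(:phone, :state)
  p Fixed.new.read_attributes(:phone, :state)
  p distinct_actions?(Buggy.new, :read, [:phone, :state])
  p distinct_actions?(Fixed.new, :read, [:phone, :state])
end
```

A check like `distinct_actions?` in the test suite catches this class of bug before a permit silently stops matching.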