You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In #653 the handling of nil with has_many relations was changed. Previously a rule like
can:read,Document,authors: {user_id: nil}
caused can? :read, document to be true only if document has an author with user_id: nil. In 3.5.0 this behavior has changed and can? :read, document will also be true if document has no authors.
I'm not sure what the better behavior is, but this seems like a breaking change as applications using earlier versions may have been depending on the previous behavior.
Upgrading a minor version does not change the behavior of existing rules.
Actual behavior
Upgrading from 3.4.0 to 3.5.0 changed the behavior of existing rules, authorizing users to access resources that they were not previously authorized to access.
System configuration
Rails version:
6.1.7 Ruby version:
2.7.5 CanCanCan version
3.5.0
The text was updated successfully, but these errors were encountered:
Thanks for taking a look @coorasse! #653 did add tests for the new behavior. A test of the previous behavior would now fail, unless #653 was reverted, so I'm not sure what you are suggesting.
What do you think about updating the changelog to warn that #653 is a breaking change? If you have any other suggestions I'd be happy to contribute a PR.
Steps to reproduce
In #653 the handling of
nil
withhas_many
relations was changed. Previously a rule likecaused
can? :read, document
to be true only ifdocument
has an author withuser_id: nil
. In 3.5.0 this behavior has changed andcan? :read, document
will also be true ifdocument
has no authors.I'm not sure what the better behavior is, but this seems like a breaking change as applications using earlier versions may have been depending on the previous behavior.
Gist with a test case: https://gist.github.com/CJStadler/2d6e6644a72286c823d71c3b96b92a80
Expected behavior
Upgrading a minor version does not change the behavior of existing rules.
Actual behavior
Upgrading from 3.4.0 to 3.5.0 changed the behavior of existing rules, authorizing users to access resources that they were not previously authorized to access.
System configuration
Rails version:
6.1.7
Ruby version:
2.7.5
CanCanCan version
3.5.0
The text was updated successfully, but these errors were encountered: