Do not leak all pages for guest users in API controller
CanCanCan does not respect any scope set before `accessible_by`.
We need to make sure the additional scopes get called afterwards.
tvdeyen committed Jul 1, 2021
1 parent f4f9b58 commit 0b24271
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions app/controllers/alchemy/api/pages_controller.rb
Expand Up @@ -7,10 +7,12 @@ class Api::PagesController < Api::BaseController
# Returns all pages as json object
#
def index
@pages = Language.current&.pages.presence || Alchemy::Page.none
# Fix for cancancan not able to merge multiple AR scopes for logged in users
if cannot? :edit_content, Alchemy::Page
@pages = @pages.accessible_by(current_ability, :index)
@pages = Alchemy::Page.accessible_by(current_ability, :index)
@pages = @pages.where(language: Language.current)
else
@pages = Language.current&.pages.presence || Alchemy::Page.none
end
@pages = @pages.includes(*page_includes)
@pages = @pages.ransack(params[:q]).result
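Review bot: The new guest branch loses the nil guard that the `else` branch keeps. When `Language.current` is nil, `@pages = @pages.where(language: Language.current)` produces `WHERE language_id IS NULL` and returns every language-less page the ability allows, whereas the `else` side falls back to `Alchemy::Page.none` via `Language.current&.pages.presence || Alchemy::Page.none`. Suggest short-circuiting in the `cannot?` branch as well, e.g. `@pages = Language.current ? Alchemy::Page.accessible_by(current_ability, :index).where(language: Language.current) : Alchemy::Page.none`. The comment `# Fix for cancancan not able to merge multiple AR scopes for logged in users` also no longer matches the branch it sits above, which now handles guests by applying the language scope after `accessible_by`, as the commit message describes; rewording it would save the next reader a detour.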

0 comments on commit 0b24271