Do not leak all elements for guest user in API

CanCanCan does not respect any scope set before `accessible_by`. We need to make sure the additional scopes get called afterwards.
AlchemyCMS · Jul 1, 2021 · 89388e8 · 89388e8
1 parent 0b24271
commit 89388e8
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/app/controllers/alchemy/api/elements_controller.rb b/app/controllers/alchemy/api/elements_controller.rb
@@ -9,17 +9,20 @@ class Api::ElementsController < Api::BaseController
     # If you want to only load a specific type of element pass ?named=an_element_name
     #
     def index
+      # Fix for cancancan not able to merge multiple AR scopes for logged in users
+      if cannot? :manage, Alchemy::Element
+        @elements = Alchemy::Element.accessible_by(current_ability, :index)
+      else
+        @elements = Alchemy::Element.all
+      end
+
       if params[:page_id].present?
         @page = Page.find(params[:page_id])
-        @elements = @page.elements.not_nested
+        @elements = @elements.where(page: @page).not_nested
       else
-        @elements = Element.not_nested.joins(:page_version).merge(PageVersion.published)
+        @elements = @elements.not_nested.joins(:page_version).merge(PageVersion.published)
       end
 
-      # Fix for cancancan not able to merge multiple AR scopes for logged in users
-      if cannot? :manage, Alchemy::Element
-        @elements = @elements.accessible_by(current_ability, :index)
-      end
       if params[:named].present?
         @elements = @elements.named(params[:named])
       end