can? should return false when there are no attributes that the current user can perform action on #816

michaelcohenunsw · 2023-02-06T23:11:26Z

Steps to reproduce

In the scenario where the current user has the ability to only edit/update certain attributes on a user model. If the current user has the "admin" role and @user has a role other than the "applicant" role, then using the can? doesn't seem to return the correct result. I can workaround the issue by changing can?(:update, @user) with @current_ability.permitted_attributes(:update, @user).any? in the user edit view template.

Please copy the following Gist and edit it to reproduce your issue: https://gist.github.com/michaelcohenunsw/c2dfb85ba36416aa7884672d8f588eab

Expected behavior

current_ability.permitted_attributes(:update, @user)
=> []
can? :update, @user
=> false

Actual behavior

current_ability.permitted_attributes(:update, @user)
=> []
can? :update, @user
=> true

System configuration

Rails version: 6.0.6.1

Ruby version: 2.7.6

CanCanCan version: 3.4.0

The text was updated successfully, but these errors were encountered:

coorasse · 2024-05-23T15:17:32Z

Could you help me by adding a new test case? Thanks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

can? should return false when there are no attributes that the current user can perform action on #816

can? should return false when there are no attributes that the current user can perform action on #816

michaelcohenunsw commented Feb 6, 2023 •

edited

Loading

coorasse commented May 23, 2024

can? should return false when there are no attributes that the current user can perform action on #816

can? should return false when there are no attributes that the current user can perform action on #816

Comments

michaelcohenunsw commented Feb 6, 2023 • edited Loading

Steps to reproduce

Expected behavior

Actual behavior

System configuration

coorasse commented May 23, 2024

michaelcohenunsw commented Feb 6, 2023 •

edited

Loading