Abilities with accepts_nested_attributes #774
Comments
hidr0
changed the title
|
In our case, we are permitting the nested attribute parameter in the Rails controller, e.g. def foo_params
params.require(:foo).permit(:something, { children: [:name] })
endHowever, we then get an error: ActiveRecord::AssociationTypeMismatch:
Child(#158640) expected, got { name: "hello" } which is an instance of ActiveSupport::HashWithIndifferentAccess(#158660)I think this is because CanCanCan's class Foo < ApplicationRecord
has_many :children
accepts_nested_attributes_for :children
# Work around a CanCanCan issue with accepts_nested_attributes_for.
# https://github.com/CanCanCommunity/cancancan/issues/774
def children=(array)
super(array.map { |o| o.is_a?(Hash) ? Child.new(o) : o })
end
endThis then allows us to verify child attributes in our can :create, Foo, children: { visible_to: current_user.id }The above rule would only allow users to call the It would be great if CanCanCan could figure out where it needs to instantiate child objects, rather than just pass a hash so that this workaround isn't needed. |
Hello we are trying to write an ability for a model which accepts_nested_attributes.
And I was wondering if CanCanCan can do this.
Our check is simple:
parent: { nested: { user_id: user.id}}}But this does not work, because:
newCanCanCan builds the parent object only andparent.nested == nil(so we always get Unauthorised)updateCanCanCan loads the object from the database which means that we are not comparing the ability on the nested object. ( so we always get Authorised)Are we supposed to use CanCanCan to check for abilities using
accepts_nested_attributesor use another kind of check? We were thinking of deploying model validations, but it really made sense if you try to create a nested object for the wrong user to be a CanCanCan Ability check.The text was updated successfully, but these errors were encountered: