CC logic is highly dependent on `curation_concerns_type=`. Unfortunately that method relies on CanCan side-effects via `load_and_authorize_resource` (namely the addition of `before_action`s).

Code in question here:
https://github.com/projecthydra/curation_concerns/blob/aa46cbd2da3123ffbf11612395f0bbc8dbc613ac/app/controllers/concerns/curation_concerns/curation_concern_controller.rb#L23

The ramification of this pattern is that inheritance in downstream controllers (where a child might want to override the type) is impossible to do cleanly. The filters are aggregated because of LAAR, meaning the security is broken.

At a minimum, CC should check in `curation_concerns_type=` to see if `_curation_concerns_type` is already set and raise if so, since the results of compounding side-effects cannot be what the user desires. (I think it would even result in `curation_concern` being set twice during a request.)

More broadly, I would love to see a reworking by which `curation_concerns_type=` is replaced so that inheritance can still be practiced with downstream controllers. (The timing of the LAAR is still tricky though.)
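
The filter aggregation described in the issue and the minimal guard it proposes, as an added example that is not part of the original issue or the CurationConcerns code base. It is a plain-Ruby model with no Rails or CanCan: `MiniController`, the two setter modules, the controller names and the `:GenericWork`/`:Thesis` symbols are hypothetical stand-ins, and `load_and_authorize_resource` here only records a filter.

```ruby
# Simplified model of the pattern in the issue; not Rails, CanCan or
# CurationConcerns code. Controller and model names are hypothetical.
class MiniController
  class << self
    # Before filters registered on this class plus those it inherits.
    def filters
      (superclass.respond_to?(:filters) ? superclass.filters : []) + (@own_filters || [])
    end

    # Stand-in for load_and_authorize_resource: every call adds a filter.
    def load_and_authorize_resource(model)
      (@own_filters ||= []) << model
    end

    # Inheritable reader, standing in for a Rails class_attribute.
    def _curation_concerns_type
      return @_curation_concerns_type if @_curation_concerns_type
      superclass._curation_concerns_type if superclass.respond_to?(:_curation_concerns_type)
    end
  end
end

module UnguardedSetter # side effect runs on every assignment
  def curation_concerns_type=(model)
    load_and_authorize_resource(model)
    @_curation_concerns_type = model
  end
end

module GuardedSetter # the minimum check the issue asks for
  def curation_concerns_type=(model)
    current = _curation_concerns_type
    raise ArgumentError, "curation_concerns_type already set to #{current}" if current
    load_and_authorize_resource(model)
    @_curation_concerns_type = model
  end
end

class WorksController < MiniController
  extend UnguardedSetter
  self.curation_concerns_type = :GenericWork
end
class ThesesController < WorksController
  self.curation_concerns_type = :Thesis # child override keeps the parent's filter
end
class GuardedWorksController < MiniController
  extend GuardedSetter
  self.curation_concerns_type = :GenericWork
end

def guarded_override_error # message raised when a child repeats the override
  Class.new(GuardedWorksController) { self.curation_concerns_type = :Thesis }
  nil
rescue ArgumentError => e
  e.message
end
```

In the unguarded case `ThesesController.filters` holds both the parent's `:GenericWork` filter and the child's `:Thesis` filter, while the guarded setter refuses the second assignment at class-load time.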