Steps to reproduce

It appears that the attributes passed to can are only used by ControllerResourceBuilder but not by ControllerResourceFinder, so restrictions on accessible attributes are not automatically applied to #index and #show actions.

See gist: https://gist.github.com/afn/441dfcf4ddc751b82f09af11bb356ba2

Expected behavior

When Ability restricts access to attributes on a :read action, the controller helpers for #index and #show should automatically select only the subset of attributes that are permitted.

Actual behavior

The resources assigned by load_and_authorize_resource include all attributes of the model, even ones that should not be accessible.

System configuration

Rails version: 7.1
Ruby version: 3.3.2
CanCanCan version: 3.5.0
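The gap the report describes is that attribute-level :read rules are not applied to what #index and #show load, so a view or serializer can end up rendering columns the Ability meant to withhold. The following is an added example, not CanCanCan's code or the reporter's gist: a minimal stand-in Ability that records per-attribute rules in the same `can action, Subject, [attrs]` shape, plus a controller-side filter that narrows each loaded record to the permitted attributes. The Ability class, the :Article subject, the `permitted_attributes` semantics (nil meaning unrestricted) and the sample rows are all constructed for the example.

```ruby
# Added example (not CanCanCan's code): a minimal stand-in for an Ability
# with per-attribute :read rules, and a controller-side filter that applies
# those rules to #index / #show results, since the issue reports that
# load_and_authorize_resource does not do this on its own.

class Ability
  Rule = Struct.new(:action, :subject, :attributes)

  def initialize(role)
    @rules = []
    if role == :admin
      can :read, :Article                        # no attribute list: everything
    else
      can :read, :Article, [:id, :title, :body]  # :internal_notes is withheld
    end
  end

  # Mirrors the `can action, Subject, [attrs]` shape used in the issue.
  def can(action, subject, attributes = nil)
    @rules << Rule.new(action, subject, attributes)
  end

  # Union of attribute lists across matching rules.
  # [] means no matching rule; nil means at least one unrestricted rule.
  def permitted_attributes(action, subject)
    matching = @rules.select { |r| r.action == action && r.subject == subject }
    return [] if matching.empty?
    return nil if matching.any? { |r| r.attributes.nil? }
    matching.flat_map(&:attributes).uniq
  end
end

# Constructed sample rows standing in for Article records.
ARTICLES = [
  { id: 1, title: 'Release notes', body: 'Public text', internal_notes: 'embargo until Friday' },
  { id: 2, title: 'Roadmap',       body: 'Public text', internal_notes: 'pricing discussion' }
].freeze

# Keep only the attributes the ability permits for :read on :Article.
# This is the narrowing step the issue says the resource finder skips.
def select_permitted(ability, record)
  allowed = ability.permitted_attributes(:read, :Article)
  return record.dup if allowed.nil?
  record.select { |key, _| allowed.include?(key) }
end

# What a hardened #index would hand to the view or serializer.
def index(ability)
  ARTICLES.map { |article| select_permitted(ability, article) }
end

# What a hardened #show would hand to the view or serializer (nil if not found).
def show(ability, id)
  article = ARTICLES.find { |a| a[:id] == id }
  article && select_permitted(ability, article)
end

if __FILE__ == $PROGRAM_NAME
  p index(Ability.new(:user))   # no :internal_notes key in either row
  p show(Ability.new(:admin), 2) # full record
end
```

In a real Rails controller the equivalent step is to apply the ability's permitted attribute list to the relation that load_and_authorize_resource assigned (for example by selecting only those columns, or by filtering the serializer's attribute list) rather than relying on the loader to do it; how CanCanCan's own permitted_attributes reports an unrestricted rule should be checked against the installed version before building on it.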