Fixes inherited_resources collection authorization
This reverts e3eab13b86
I don't know what was the idea of that, but it turned out REAL bad.
`collection` sets the collection instance variable. `resource_base` is used all
over CanCan. It's also used inside `load_collection?` which is checked before
`load_collection` is called. That means we actually set the collection instance
variable through inherited_resources (without any authorization whatsoever) before trying to load it through CanCan using `accessible_by`.
1. def load_resource
2. unless skip?(:load)
3. if load_instance?
4. self.resource_instance ||= load_resource_instance
5. elsif load_collection?
6. self.collection_instance ||= load_collection
7. end
8. end
9. end
`collection_instance` is set on line 5 instead of line 6.
This commit is contained in:
Adam Wróbel
@@ -13,7 +13,7 @@ module CanCan
|
||||
end
|
||||
|
||||
def resource_base
|
||||
@controller.send :collection
|
||||
@controller.send :end_of_association_chain
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user