CanCan populating the primary key of User

[zoer]

Setup:
Rails 4.0.2
Mongoid 4
CanCan 1.6.10

Objective
Change user2 email to superman@bb.cc

class Ability
  include CanCan::Ability

  def initialize(user)
    can :update, User, id => user.id # if current_user

    if admin?
        can :update, User
    end
  end

  #...
end

class User
  include Mongoid::Document

  field :email
  field :name
  # ...
end

We have 2 records in DB
Currently logged user with admin rights:

{
  "_id" : ObjectId("52c1f3646d6b005564000001"),
  "name": "admin",
  "email", "aa@bb.cc",
  ...
}

User for edit

{
  "_id" : ObjectId("52c1f3646d6b005564000002"),
  "name": "user2",
  "email", "bb@bb.cc",
  ...
}

When we are trying to change email of user2 through the rails_admin, changed admin email instead of user2. When I dive to rails_admin edit action code, I discovered for this lines:

@authorization_adapter && @authorization_adapter.attributes_for(:update, @abstract_model).each do |name, value|
  @object.send("#{name}=", value)
end

evaluate to this:

# @object.id is "52c1f3646d6b005564000002"
@object.send("id=", "52c1f3646d6b005564000001") # set the current logged user.id

because I have cancan rule can :update, User, id => user.id

as a workaround I just change rule to this:

can :update, User do |object|
   object.id == user.id
end

and all work as expected.

I think that you should know about this behavior.

[bbenezech]

class Ability
  include CanCan::Ability

  def initialize(user)
    can :update, User, id: user.id
  end
end

2.0.0-p247 :015 >  a = Ability.new(User.first)
 => #<Ability:0x007feb9f97a5f8 @rules=[#<CanCan::Rule:0x007feb9f97a580 @match_all=false, @base_behavior=true, @actions=[:update], @subjects=[User(id: integer, email: string, encrypted_password: string, reset_password_token: string, reset_password_sent_at: datetime, remember_created_at: datetime, sign_in_count: integer, current_sign_in_at: datetime, last_sign_in_at: datetime, current_sign_in_ip: string, last_sign_in_ip: string, password_salt: string, created_at: datetime, updated_at: datetime, avatar_file_name: string, avatar_content_type: string, avatar_file_size: integer, avatar_updated_at: datetime, roles: string)], @conditions={:id=>1}, @block=nil>]>
2.0.0-p247 :008 > a.attributes_for :new, User
 => {}
2.0.0-p247 :009 > a.attributes_for :edit, User
 => {:id=>1}

Cancan behavior looks ok.

Now about us.

1. RailsAdmin should not show links to unauthorized records [OK]
2. RailsAdmin should not show 'new' links to models with forced primary key [KO]
3. RailsAdmin should not authorize access to unauthorized records [??]
4. RailsAdmin should not authorize access to 'new' links to models with forced primary key [KO]
5. RailsAdmin should not authorize update on records with wrong primary key [KO, tries to set it]
6. RailsAdmin should not authorize create on models with forced primary key [KO, tries to set it]

[MrOrz]

Encountered exactly the same issue. It seems that someone has met the same bug before. ( #1067 )

The following line digs in the hash conditions in cancan and somehow fills in the admin's information.

@authorization_adapter.attributes_for(:update, @abstract_model)

Relevant setup in my ability.rb:

can :update, Article, author_id: @current_user.id
can :update, User, id: @current_user.id

Whenever I edit an article with empty author inside RailsAdmin, I become the author of the article.
Whenever I edit any user, my user attributes are edited, leaving intact the user I want to edit.

After changing the hash condition to the verbose block definition, it would work fine.

If this is the intended behavior (for setting up default values?), I think at least it should be documented in the wiki.

[MrOrz]

FYI, this is my setup:

rails 3.2.16
activerecord 3.2.16
rails_admin 0.4.9
cancan 1.6.10

(yeah they are pretty old, but still have these problem.)

[mbixby]

If anybody encounters this, re-check your abilities first. I mistakenly specified primary instead of foreign key, i.e. can :manage, Model, id: @user.company_id instead of can :manage, Model, company_id: @user.company_id, leading to this error.

[cec]

Also related to #1203 and PR #1243 which proposed a hackish workaoround.

@bbenezech I'm pasting here my comment to the PR to have all information in one single non-closed issue (I'm sorry for the duplication, I hadn't found this issue before).

RailsAdmin should not authorize access to unauthorized records [??]

I think that this issue happens when using a role-based authorisation model with hierarchical models: higher roles inherit abilities from lower roles.

For example, imagine two roles: guest, admin.
Where guest users can :edit their own user only (there is a can rule matching on their id).
Admin users can manage all other users.

In this case, if admin a tries to edit a user u1, authorization_adapter will end up trying to set the id of u1 to the id of a.

To me, a scenario where guests can "edit their profile" and admins can do anything is common sense.

From what I read in #1067, the current solution/workaround is to replace hash condition with a block, which is what I will do now.

However it would be nice to know the logic behind this behaviour in order to not fall back into this issue later.

Thanks!