Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

don't override Ability.ability_logic on include #523

Open
no-reply opened this issue Dec 29, 2020 · 0 comments
Open

don't override Ability.ability_logic on include #523

no-reply opened this issue Dec 29, 2020 · 0 comments

Comments

@no-reply
Copy link

no-reply commented Dec 29, 2020
edited
Loading

Descriptive summary

When Hydra::Ability is included in a class, it overrides all existing ability_logic entries (at https://github.com/samvera/hydra-head/blob/master/hydra-access-controls/lib/hydra/ability.rb#L16). avoid this.

Rationale

Overriding existing ability logic entries silently removes important permissions behavior in the application. This unexpected behavior can occur for reasons as simple as including this module in the "wrong" order.

Expected behavior

class Ability
  self.ability_logic = [:my_custom_ability_hook, :other_ability_hook]
  include Hydra::Ability
end

Ability.ability_logic.include?(:my_custom_ability_hook) # => true

Actual behavior

Ability.ability_logic.include?(:my_custom_ability_hook) # => false

Steps to reproduce the behavior

the easiest way to realistically reproduce is to do something like

class Ability
  include Blacklight::AccessControls::Ability
  self.ability_logic = [:my_custom_ability_hook]
  # more logic here
  # ...
  # and so on
  include Hydra::Ability
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
hydra-head
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
1 participant
@no-reply