This seems like a serious bug, or possibly I'm unable to find the proper documentation to do this correctly.
I have a controller for a class Order that has many OrderItems.
If I set up my controller as follows to perform authorization on the loaded instance variable, the behavior is not as expected when touching child objects or performing custom actions.
The following is the setup I have:
```ruby
class OrdersController < ApplicationController
  before_action :find_order
  load_and_authorize_resource
  load_and_authorize_resource :order_item, through: :order

  # ...

  def find_order
    @order = if params[:order_id]
      Order.find(params[:order_id])
    end
  end
end
```
I have a nested route
```ruby
resources :orders, shallow: true do
  resources :order_items
  get "status"
end
```
Reaching the resource directly seems to work as expected when trying to access a resource not owned by the user:
```text
GET https://example.com/orders/10000
RESULTS IN: OrdersController action=show status=403
```
However, if I try to access a custom action, unexpectedly I get back the result of that action on the unauthorized object:
```text
GET https://example.com/orders/10000/status.json
RESULT: OrdersController action=status status=200
```
I can only get the expected behavior if I create my own load and authorize filter:
```ruby
before_action :set_and_authorize_order

def set_and_authorize_order
  @order = if params[:order_id]
    Order.find(params[:order_id])
  end
  authorize! action_name.to_sym, @order
end
```
System configuration
Rails version: 6
Ruby version: 2.5
CanCanCan version 3.1.0
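As an added illustration (not code from the issue reporter or from CanCanCan), the workaround filter above modelled in plain Ruby so it can be exercised without Rails: a nested custom route such as `get "status"` under `resources :orders` exposes the record id as `params[:order_id]` rather than `params[:id]`, and the action name is authorized explicitly rather than relying on `load_and_authorize_resource`. `Order`, `ORDERS`, `can?` and `AccessDenied` are constructed stand-ins for the model, the database, the ability rule and `CanCan::AccessDenied`.

```ruby
# Constructed stand-in for CanCan::AccessDenied.
AccessDenied = Class.new(StandardError)

# Constructed in-memory stand-in for the Order model and its table.
Order = Struct.new(:id, :user_id)
ORDERS = {
  1 => Order.new(1, 7), # owned by user 7
  2 => Order.new(2, 8)  # owned by someone else
}

# Minimal ability check, assumed to mirror a rule such as
# `can :manage, Order, user_id: user.id`: a user may act only on their own orders.
def can?(user_id, _action, order)
  order.user_id == user_id
end

# Plain-Ruby version of the reporter's set_and_authorize_order filter.
# Member routes set params[:id]; nested custom routes set params[:order_id],
# so both keys are consulted before authorizing the concrete action name.
def set_and_authorize_order(params, action_name, user_id)
  id = params[:id] || params[:order_id]
  order = ORDERS.fetch(Integer(id)) { raise KeyError, "order #{id} not found" }
  unless can?(user_id, action_name.to_sym, order)
    raise AccessDenied, "not allowed to #{action_name} order #{id}"
  end
  order
end
```

In a Rails controller the same check is what `authorize! action_name.to_sym, @order` performs; a request spec that hits every custom action as a non-owner and expects 403 is the regression test that would have caught the 200 reported above.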