Running dangerous :show permission when the resource name is passed and mismatch the controller name

[enmanuelm19]

Steps to reproduce

When creating a custom controller and delegating permissions on another resource, the resource is treated as a parent and defaulting the action to :show instead of the controller's action.

# ability.rb
def initialize(user)
  can :read, Book
  can :update, Book do
    user.is_admin
  end
end

class BookServices < ApplicationController
  load_and_authorize_resource :book 

  def update
    head :no_content
  end
end

A non admin user can perform the :update action when it shouldn't.

Expected behavior

It should delegate the permissions on the resource set in the helper.

• A permission set for the :book should be checked against when setting the name of the resource in the helper

Actual behavior

It applies the :show action permission because is hard coded unless you set the parent_action: option

System configuration

Rails version: 5.2.2

Ruby version: 2.7.0

CanCanCan version: 3.3.0

[enmanuelm19]

I have a PR up to fix this.

If run authorization against the :show action is actually intended, at least a section in the documentation should be present to warn people that setting the resource on the load_and_authorize_resource helper without setting the parent_action: option and in controller named differently that the resource will cause authorization always check to the :show action which is pretty permissive in general.

[coorasse]

I agree completely with the point, but I disagree with the fix. I believe the load_and_authorize_resource :book should recognise that :book is actually not a parent.

[enmanuelm19]

I agree completely with the point, but I disagree with the fix. I believe the load_and_authorize_resource :book should recognise that :book is actually not a parent.

Ok, let me close the PR with this comment, I'll come back later to have a better fix for this.