Bug in create_personal_snippet ability
Summary
The create_personal_snippet ability is set inside the PersonalSnippetPolicy. This means that the ability is scoped under a Snippet object. Nevertheless, this ability should live outside that policy, since it represents the ability to create a new Snippet (for example, to decide whether to show the Create Snippet button).
Besides this, the New Snippet button doesn't check that ability, so it is shown even when the user doesn't have enough access rights.
Furthermore, in the SnippetsController we don't check this ability either for the new and create actions.
At the moment, we don't seem to have many problems with this, because the create_personal_snippet policy applies mostly to anonymous users, and for most of the actions the user has to be logged in.
What is the current bug behavior?
If we check for create_personal_snippet in the user's policy we get:
> UserPolicy.new(user, user).debug(:create_personal_snippet) => #<DeclarativePolicy::Runner::State:0x00007fd5b1479260 @enabled=false, @prevented=true>
If we wanted to check this ability we would have to:
> PersonalSnippetPolicy.new(user, nil).debug(:create_personal_snippet) => #<DeclarativePolicy::Runner::State:0x00007fd58257b408 @enabled=false, @prevented=true>
If you log in as a user who is not allowed to create personal snippets, you can still see the New Snippet button and also create snippets.
What is the expected correct behavior?
Buttons will be shown only when the user has the create_personal_snippet ability.
Also, move the abilities to the UserPolicy to avoid passing a nil snippet to PersonalSnippetPolicy.
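The shape of the fix described above, as an added illustration that is not GitLab's own code: a minimal stand-in (without the real DeclarativePolicy gem; the UserPolicy, SnippetsController, User and can_create_snippets names are hypothetical) where the ability is keyed on the user alone, the new and create actions enforce it, and the button helper consults the same check.

```ruby
# Added example, not GitLab's own code: a minimal stand-in for the policy
# check. It does not use the real DeclarativePolicy gem; every class and
# method name here is hypothetical and only mirrors the fix the issue asks for.
User = Struct.new(:name, :can_create_snippets)

# The ability is keyed on the user alone, so callers never need to hand a
# nil Snippet to a snippet-scoped policy just to ask "may this user create one?".
class UserPolicy
  def initialize(user, _subject)
    @user = user
  end

  def allowed?(ability)
    return false if @user.nil?   # anonymous users are always prevented
    ability == :create_personal_snippet && @user.can_create_snippets
  end
end

# Controller stand-in: `new` and `create` enforce the ability, and the view
# helper hides the "New snippet" button from users who lack it.
class SnippetsController
  def initialize(current_user)
    @current_user = current_user
  end

  def can?(ability)
    UserPolicy.new(@current_user, @current_user).allowed?(ability)
  end

  def new
    can?(:create_personal_snippet) ? :render_form : :forbidden
  end

  def create(content)
    return :forbidden unless can?(:create_personal_snippet)
    { content: content, author: @current_user.name }
  end

  def show_new_snippet_button?
    can?(:create_personal_snippet)
  end
end
```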