Do not leak all pages for guest users in API controller
CanCanCan does not respect any scope set before `accessible_by`.
We need to make sure the additional scopes get called afterwards.
tvdeyen authored and afdev82 committed Aug 16, 2021
1 parent 59467e8 commit 95f5c3e
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions app/controllers/alchemy/api/pages_controller.rb
Expand Up @@ -7,10 +7,12 @@ class Api::PagesController < Api::BaseController
# Returns all pages as json object
#
def index
@pages = Language.current&.pages.presence || Alchemy::Page.none
# Fix for cancancan not able to merge multiple AR scopes for logged in users
if cannot? :edit_content, Alchemy::Page
@pages = @pages.accessible_by(current_ability, :index)
@pages = Alchemy::Page.accessible_by(current_ability, :index)
@pages = @pages.where(language: Language.current)
else
@pages = Language.current&.pages.presence || Alchemy::Page.none
end
@pages = @pages.includes(*page_includes)
@pages = @pages.ransack(params[:q]).result
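Review bot: the comment "Fix for cancancan not able to merge multiple AR scopes for logged in users" now sits above the `cannot? :edit_content` branch, which is the guest path, so it no longer describes the code under it; reword it to state the actual constraint from the commit message, that `accessible_by` must be the first scope in the chain and the language scope is applied afterwards. Separately, the new guest branch calls `.where(language: Language.current)` with no nil guard, whereas the removed line fell back to `Alchemy::Page.none` when `Language.current` was nil; with a nil current language the guest query becomes `WHERE language_id IS NULL`, which can return pages rather than an empty set. Consider an early `return @pages = Alchemy::Page.none unless Language.current` (or equivalent) before `accessible_by` so guests without a current language get nothing.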
