<a action="new"> checks permissions without params
Reported by Tiago Franco | January 24th, 2009 @ 12:14 PM
The following tag:
gets permissions checked for a model with requestee nil.
Detailed explanation.
See the code taken from the tag definition in hobo's core:
...
target = to || this
if target.nil?
  ...
elsif action == "new"
  new_record = target.new
  new_record.set_creator(current_user)
  href = object_url(target, "new", params._?.merge(:subsite => subsite))
  if href && can_create?(new_record)
    ...
The new_record passed to can_create? should have requestee_id set.
Comments and changes to this ticket
-
Tiago Franco January 24th, 2009 @ 12:16 PM
This ticket was formatted all wrong. If there is trouble understanding the content, please let me know.
-
Tom Locke March 12th, 2009 @ 11:08 AM
- State changed from new to investigating
Yeah - can you add a comment with the formatting fixed?
-
Tom Locke March 13th, 2009 @ 03:57 PM
- State changed from investigating to resolved
Turned out I could read it from the index page using the tool-tip : )
We're trying to avoid <a> getting too complex, so I've just added a force attribute <a action='new' force> to override the permission check.
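Added example, not part of the ticket and not Hobo's code: a plain-Ruby sketch of why a create check on a blank record can disagree with the same check on a record populated from the link's params, and why forcing the link leaves the real decision to the create action. FriendRequest, its permission rule, and the helper names other than set_creator and can_create? are hypothetical.

```ruby
# Constructed stand-ins, not Hobo classes. FriendRequest and its rule are hypothetical.
User = Struct.new(:id)
class FriendRequest
  attr_accessor :requester_id, :requestee_id
  def initialize(attrs = {})
    attrs.each { |name, value| public_send("#{name}=", value) }
  end

  # Same role as the set_creator call in the ticket's excerpt.
  def set_creator(user)
    self.requester_id = user.id
  end

  # Hypothetical rule: only the requester may create, and not addressed to self.
  def create_permitted?(user)
    !requestee_id.nil? && requester_id == user.id && requestee_id != user.id
  end
end

def can_create?(record, user)
  record.create_permitted?(user)
end

# params first, then set_creator, so a requester_id in the params cannot stick.
def build_for_check(user, params = {})
  record = FriendRequest.new(params)
  record.set_creator(user)
  record
end

# The check as the ticket describes it: blank record, requestee_id is nil.
def link_visible_blank?(user)
  can_create?(build_for_check(user), user)
end

# The check the reporter asks for: the link's params applied first.
def link_visible_with_params?(user, params)
  can_create?(build_for_check(user, params), user)
end

# force only decides whether the link is drawn ...
def show_link?(user, force: false)
  force || link_visible_blank?(user)
end

# ... so the create action (assumed) still checks the populated record.
def create_allowed?(user, params)
  link_visible_with_params?(user, params)
end
```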