acting_user doesn't work for contained models
Reported by Iain | November 5th, 2009 @ 11:43 PM | in Hobo 1.0 - Final
I have a few situations where I'm cascading CRUD actions on my models through a hierarchy, for example, model A might contain 2 model B's which each contain a model C. Then when I save or delete model A I'd expect that "acting_user" should be the same throughout the whole transaction. Instead what I'm finding is that acting_user is set for model A but not models B or C (it's just nil).
This could have implications for permissions (as by default they look at the acting user) but where it's really affecting me is when I'm creating and deleting the owner/parent object and in the cascade of saves/deletes the acting user is getting lost.
Comments and changes to this ticket
-
Matt Jones November 8th, 2009 @ 06:18 PM
The issue is that while the code in permissions/associations.rb overrides delete_records to pass acting_user, there's a whole different mechanism to destroy records when the parent object is destroyed (configure_dependency_for_has_many in AR's association.rb). This should probably get a similar treatment to delete_records.
-
Tom Locke November 17th, 2009 @ 03:54 PM
- Milestone set to Hobo 1.0 - Final
I'm going to put this on the 1.0 milestone. I know we're on a pretty tight schedule, but this is a fairly fundamental part of Hobo.
-
Tom Locke November 17th, 2009 @ 04:04 PM
- State changed from new to open
-
Bryan Larsen November 18th, 2009 @ 02:39 PM
Actually, the first part of your side note is fixed in 0.9.0 and the second part is fixed in hjq-input-many, but neither has both fixes. Hmmm, porting hjq-input-many to prototype would be a nice idea to get into for 1.0.... I opened #542 to capture that.
-
Matt Jones November 18th, 2009 @ 11:50 PM
Patch looks good - the only thing I'm not sure about is how to handle cases where cascading destroys should have different permissions than individual destroys. The common case (can't destroy a non-empty containing object) can be handled via the container's destroy_permitted?, but the converse (can't destroy sub-objects but can nuke the whole bunch) doesn't appear to be expressible.
I'm also wondering (although this may be post-1.0) if acting_user might not make more sense as a Thread.current (like current_controller) rather than sitting on the instances. The trick would be figuring out when to set it in the first place...
-
Bryan Larsen November 19th, 2009 @ 02:43 PM
I double checked -- if a contained item does not have permission to be destroyed, a permission denied exception is thrown, and nothing gets destroyed. This seems like the right behavior to me. It's not pretty, but I don't think a pretty solution is the right one -- at this stage it's up to the developer to resolve the issue.
-
Bryan Larsen November 19th, 2009 @ 04:56 PM
- State changed from open to resolved
(from [ade89e51388fdd386432144ac61a72b871cd9f48]) [#528 state:resolved]
Destroying contained models via :dependent => :destroy skips
permission checks.
http://github.com/tablatom/hobo/commit/ade89e51388fdd386432144ac61a...
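
A plain-Ruby sketch of the behaviour discussed in this ticket, added here as an illustration and not taken from Hobo, ActiveRecord or the commit above: the acting user is passed down the containment hierarchy, and a single denied record aborts the whole cascade. `Node`, `destroy_as`, `subtree` and `build_tree` are hypothetical names, and the up-front check is an assumed stand-in for a transaction rollback.

```ruby
class PermissionDenied < StandardError; end

# Stand-in for a model that carries acting_user and a destroy_permitted? check.
class Node
  attr_accessor :acting_user
  attr_reader :name, :children

  def initialize(name, destroyable_by:, children: [])
    @name, @destroyable_by, @children = name, destroyable_by, children
    @destroyed = false
  end

  def destroyed?; @destroyed; end
  def mark_destroyed; @destroyed = true; end

  # A nil acting_user (the symptom reported in the ticket) is never permitted.
  def destroy_permitted?
    @destroyable_by.include?(acting_user)
  end

  # Every record in the containment tree, parent first.
  def subtree
    [self] + children.flat_map(&:subtree)
  end

  # Cascading destroy: hand the acting user to every contained record, check
  # each one, and only then destroy, so a denial leaves the whole tree intact.
  def destroy_as(user)
    records = subtree
    records.each { |r| r.acting_user = user }
    denied = records.reject(&:destroy_permitted?)
    raise PermissionDenied, denied.map(&:name).join(", ") unless denied.empty?
    records.each(&:mark_destroyed)
    true
  end
end

# Constructed sample: A contains two Bs, each of which contains a C.
def build_tree(c2_users)
  c1 = Node.new("C1", destroyable_by: [:alice])
  c2 = Node.new("C2", destroyable_by: c2_users)
  b1 = Node.new("B1", destroyable_by: [:alice], children: [c1])
  b2 = Node.new("B2", destroyable_by: [:alice], children: [c2])
  Node.new("A", destroyable_by: [:alice], children: [b1, b2])
end
```

With `build_tree([:admin])`, `destroy_as(:alice)` raises `PermissionDenied` naming C2 and no record in the tree is marked destroyed.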
Referenced by
- 528 acting_user doesn't work for contained models (from [ade89e51388fdd386432144ac61a72b871cd9f48]) [#528 s...
- 567 hobo 0.9.102 fails with cascading destroy on has_one Looks like a variation on the theme of #528 - AR implemen...