In a Rails app which uses JSONAPI::Resources and CanCanCan, I have a Caption model (has_one :video) and a Video model (has_many :captions).
I want to allow guests to only access those captions which belong to a published video: can :read, Caption, video: { visible: true }
However, this is not working. Guests can access all captions by visiting the /captions route. If I remove the above line, guests can't access any caption and receive 401 Unauthorized instead.
We have a few abilities defined in a similar way, and I just can't figure out what's the problem in this case. This specific ability definition seems not to be ignored, but interpreted in a wrong way. This variation also lets guests access all captions:
can :read, Caption do |caption|
  false
end
How can I debug this?
To debug your problem, you can take a look at this page of the cancancan gem documentation: https://github.com/CanCanCommunity/cancancan/blob/develop/docs/debugging.md
You also have the gem byebug, which is really helpful: https://www.rubydoc.info/gems/byebug/11.1.3
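As an added example (it is not part of the question or the answer, and it is not CanCanCan's own code), the script below is a small stand-in for the two rule styles in the question: the nested hash condition `video: { visible: true }` and the block rule that returns `false`. The `Video`, `Caption`, `ToyAbility` and `Rule` classes are constructed for this example. It separates the per-record check (`can?`) from the collection filter that an index route must apply, which is the first thing to confirm when a list endpoint returns records a single-record check would deny. One caveat worth keeping in mind for the real gem: CanCanCan's `accessible_by` builds its query from hash conditions only, so a block-only rule cannot scope a collection the way the toy `filter` below does.

```ruby
# Toy model of CanCanCan-style rule evaluation (constructed example, not the gem's code).
Video   = Struct.new(:id, :visible)
Caption = Struct.new(:id, :video)

class Rule
  attr_reader :action, :subject

  def initialize(action, subject, conditions = {}, &block)
    @action = action
    @subject = subject
    @conditions = conditions
    @block = block
  end

  # A block rule is decided by the block; otherwise the hash conditions are matched.
  def matches?(record)
    return @block.call(record) if @block

    conditions_match?(record, @conditions)
  end

  private

  # Nested hash matching: { video: { visible: true } } descends into caption.video.
  # A missing association (nil) never satisfies a nested condition.
  def conditions_match?(obj, conds)
    conds.all? do |attr, expected|
      actual = obj.public_send(attr)
      if expected.is_a?(Hash)
        !actual.nil? && conditions_match?(actual, expected)
      else
        actual == expected
      end
    end
  end
end

class ToyAbility
  def initialize
    @rules = []
  end

  def can(action, subject, conditions = {}, &block)
    @rules << Rule.new(action, subject, conditions, &block)
  end

  # Per-record check, the analogue of ability.can?(:read, caption).
  def can?(action, record)
    @rules.any? { |r| r.action == action && record.is_a?(r.subject) && r.matches?(record) }
  end

  # Collection filter applied record by record. An index action that skips this
  # step returns every record regardless of how the rules are written.
  def filter(action, records)
    records.select { |r| can?(action, r) }
  end
end

# Constructed sample data: one published video, one unpublished, one caption with no video.
def sample_captions
  published   = Video.new(1, true)
  unpublished = Video.new(2, false)
  [Caption.new(10, published), Caption.new(11, unpublished), Caption.new(12, nil)]
end

def guest_ability
  ability = ToyAbility.new
  ability.can :read, Caption, video: { visible: true }
  ability
end

def deny_all_ability
  ability = ToyAbility.new
  ability.can(:read, Caption) { |_caption| false }
  ability
end

def readable_caption_ids(ability)
  ability.filter(:read, sample_captions).map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  p readable_caption_ids(guest_ability)     # [10]
  p readable_caption_ids(deny_all_ability)  # []
end
```

Running the script shows that the hash rule admits only the caption whose video is visible and the block rule admits none, so if the `/captions` index still returns all rows, the check is being skipped at the collection step rather than mis-evaluated per record.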