v2.0.0 — Bugfix that is a breaking change

@valscion released this 04 Mar 10:28 · 22 commits to master since this release · c7b6907

@Matthijsy found a missing policy check in #111 and later contributed a quality fix for it in #113.

This bugfix can break your application because we now authorize in more cases, so as a precaution we're bumping the major version to indicate a backwards-incompatible change:

Breaking change: Update of relationship endpoints

This version changes the authorization checks performed when accessing a relationship endpoint (for example GET /users/1/addresses).

In the previous version, only source_record.show? was checked and the relationship was scoped:

UserPolicy.new(current_user, User.find(1)).show?

addresses_returned =
  AddressPolicy::Scope.new(current_user, User.find(1).addresses).resolve

Starting with this version, the relationship's index? method is also checked to verify that the user is allowed to view this relationship at all:

UserPolicy.new(current_user, User.find(1)).show?

# This is the breaking change!
AddressPolicy.new(current_user, Address).index?

addresses_returned =
  AddressPolicy::Scope.new(current_user, User.find(1).addresses).resolve
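
The following is an added example, not code from the jsonapi-authorization project: a plain-Ruby model of the two check sequences above, showing how a permissive scope combined with a restrictive index? behaves before and after this release. The User and Address structs, the policy bodies, and the related_addresses_v1, related_addresses_v2 and outcome helpers are all constructed for illustration.

```ruby
# Added example: plain-Ruby model of the two check sequences; no gems needed.
# User, Address, the policies and the helper methods are constructed here.
NotAuthorized = Class.new(StandardError)

User    = Struct.new(:id, :admin, :addresses)
Address = Struct.new(:id, :city)

class UserPolicy
  def initialize(user, record); @user, @record = user, record; end
  def show?; true; end
end

class AddressPolicy
  def initialize(user, record); @user, @record = user, record; end
  # Restrictive index?, which relationship endpoints did not consult before.
  def index?; @user.admin; end

  class Scope
    def initialize(user, scope); @user, @scope = user, scope; end
    def resolve; @scope; end # permissive scope: returns everything
  end
end

# Check sequence before v2.0.0: source_record.show? plus the scope only.
def related_addresses_v1(current_user, source)
  raise NotAuthorized unless UserPolicy.new(current_user, source).show?
  AddressPolicy::Scope.new(current_user, source.addresses).resolve
end

# Check sequence from v2.0.0: index? on the related class is checked too.
def related_addresses_v2(current_user, source)
  raise NotAuthorized unless UserPolicy.new(current_user, source).show?
  raise NotAuthorized unless AddressPolicy.new(current_user, Address).index?
  AddressPolicy::Scope.new(current_user, source.addresses).resolve
end

def outcome(version, current_user, source)
  send("related_addresses_#{version}", current_user, source).map(&:city)
rescue NotAuthorized
  :forbidden
end

owner  = User.new(1, false, [Address.new(10, "Oslo"), Address.new(11, "Turku")])
viewer = User.new(2, false, [])
admin  = User.new(3, true, [])

puts outcome(:v1, viewer, owner).inspect # ["Oslo", "Turku"]
puts outcome(:v2, viewer, owner).inspect # :forbidden
puts outcome(:v2, admin, owner).inspect  # ["Oslo", "Turku"]
```

When upgrading, review every policy that backs a relationship: its index? now gates the endpoint, so a scope that was the only filter before is no longer the only check.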