diff options
Diffstat (limited to 'app/finders/concerns/finder_methods.rb')
| -rw-r--r-- | app/finders/concerns/finder_methods.rb | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/app/finders/concerns/finder_methods.rb b/app/finders/concerns/finder_methods.rb index 8de3276184d..622cbcf4928 100644 --- a/app/finders/concerns/finder_methods.rb +++ b/app/finders/concerns/finder_methods.rb @@ -30,7 +30,7 @@ module FinderMethods def if_authorized(result) # Return the result if the finder does not perform authorization checks. # this is currently the case in the `MilestoneFinder` - return result unless respond_to?(:current_user) + return result unless respond_to?(:current_user, true) if can_read_object?(result) result @@ -44,9 +44,14 @@ module FinderMethods # for Todos return true unless DeclarativePolicy.has_policy?(object) - model_name = object&.model_name || model.model_name + Ability.allowed?(current_user, :"read_#{to_ability_name(object)}", object) + end + + def to_ability_name(object) + return object.to_ability_name if object.respond_to?(:to_ability_name) - Ability.allowed?(current_user, :"read_#{model_name.singular}", object) + # Not all objects define `#to_ability_name`, so attempt to derive it: + object.model_name.singular end # This fetches the model from the `ActiveRecord::Relation` but does not |