Batch actions use wrong context #8923

heaven · 2025-10-21T18:23:32Z

heaven
Oct 21, 2025

In the initializer, we set the ability class explicitly, which is used to authorize most of the UI

# You can customize your CanCan Ability class name here.
config.cancan_ability_class = "Ability::Admin"

But when adding bulk actions, the ability is "Ability", which is wrong. And the actions don't work properly. The current_ability is Ability in both places. Therefore, neither can? nor batch_action_collection works properly (the latter adds this to the query AND (TRUE=FALSE) AND).

batch_action :publish, confirm: "Are you sure?", if: proc { |*args|
  debugger
  true
} do |ids, *args|
  debugger
  redirect_back fallback_location: collection_path(params.permit(q: {})), alert: "Published successdfully!"
end

Expected behavior

Should use the ability defined in the initializer.

Actual behavior

The action runs in the wrong context, improperly authorized.

How to reproduce

Add a batch action in an application that has multiple ability classes, where the Ability one is not intended for Admin users.

heaven · 2025-10-21T18:57:53Z

heaven
Oct 21, 2025
Author

My findings:

Use authorized? instead of can?, which uses the proper ability class.
Use accessible_by instead of batch_action_collection .

Here's a working example

batch_action :publish, confirm: "Are you sure?", if: proc { authorized? :publish, Payments::Product } do |ids, *args|
  Payments::Product.transaction do
    Payments::Product.accessible_by(active_admin_authorization.cancan_ability, :publish).where(id: ids).
      find_each(batch_size: 10) { |product| product.update!(published: true) }
  end

  redirect_back fallback_location: collection_path(params.permit(q: {})), alert: "Published successdfully!"
end

The docs are misleading https://activeadmin.info/9-batch-actions.html#creating-your-own

0 replies

javierjulio · 2025-10-21T19:43:23Z

javierjulio
Oct 21, 2025
Maintainer

@heaven thank you. Fixing this as a bug and/or a documentation update will be dependent on your contribution. We are open to a PR to resolve it.

Using authorized? is the expected approach but I can see why can? was used since that's referenced in the documentation. Feel free to submit an update for that to use authorized? instead. There are other instances that will need to be updated or removed.

I'm not familiar with CanCanCan, sorry. I use Pundit. I don't see any issue doing that without the helper since that is valid. I've done both. I don't think the documentation is misleading in that it's meant to handle every possibility either. I would suggest adding an example to use a manual query as another option in the docs. The other would be for you to review what the issue is with batch_action_collection and submit a bug fix or feature update.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Batch actions use wrong context #8923

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

Batch actions use wrong context #8923

Uh oh!

heaven Oct 21, 2025

Expected behavior

Actual behavior

How to reproduce

Replies: 2 comments

Uh oh!

heaven Oct 21, 2025 Author

Uh oh!

Uh oh!

javierjulio Oct 21, 2025 Maintainer

heaven
Oct 21, 2025

heaven
Oct 21, 2025
Author

javierjulio
Oct 21, 2025
Maintainer