inconsistent behaviour with Hash subjects #811

Open
christian-toscano opened this issue Jan 18, 2023 · 0 comments

christian-toscano commented Jan 18, 2023

Hi everyone, I'm having a few issues using cancancan with graphql-ruby. I've opened an issue on that project too, but I'm here to ask if this is the expected behaviour and if you can suggest a way to handle it.

issue on graphql-ruby

When I check permissions on this hash:

{
	search: Search.new, # an active record model
	configuration: { my_field: 1 }
}

I receive the hash inside the Ability block that should check permissions on the Search type

can :read, Search do |search|
	# search is a Hash instead of a Search
end

because the code is changing the subject using subject = subject.values.first if subject.class == Hash but it passes the old subject to the validation block

Steps to reproduce

This code shows the issue: it will print Hash since we are receiving a Hash instead of a Search

class Search < ActiveRecord::Base
end

class Ability
  include CanCan::Ability

  attr_accessor :user

  def initialize
    can :read, Search do |search|
      puts search.class
      true
    end
  end
end

Ability.new.can?(:read, { search: Search.new, configuration: {field: 'hello' }})

Expected behavior

I expected the can :read, Search to be called with a Search

Actual behavior

can :read, Search is being called with a Hash

System configuration

Rails version:
6.1.7

Ruby version:
3.0.2

CanCanCan version
cancancan 3.4.0
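
Added example (not part of the original issue and not CanCanCan's code): a plain-Ruby model of the dispatch the report describes, showing the block receiving the Hash, plus a hypothetical `unwrap_subject` helper that lets an ability block pull out the `Search` and deny when none is present. `MiniAbility`, `unwrap_subject`, `build_ability`, `block_argument_class`, `owner_id` and the `Struct` stand-ins for the models are assumptions made for illustration.

```ruby
# Constructed stand-ins: plain Structs replace the ActiveRecord model and the user.
Search = Struct.new(:owner_id)
User = Struct.new(:id)

# Simplified model of the dispatch described in the issue (not CanCanCan's code):
# the rule is matched on subject.values.first, but the block gets the original subject.
class MiniAbility
  def initialize
    @rules = []
  end

  def can(action, klass, &block)
    @rules << [action, klass, block]
  end

  def can?(action, subject)
    matched = subject.class == Hash ? subject.values.first : subject
    @rules.any? do |rule_action, klass, block|
      rule_action == action && matched.is_a?(klass) && block.call(subject)
    end
  end
end

# Hypothetical helper: return the instance of klass carried by the subject, or nil.
def unwrap_subject(subject, klass)
  return subject if subject.is_a?(klass)
  return nil unless subject.is_a?(Hash)

  subject.values.find { |value| value.is_a?(klass) }
end

# Ability whose block unwraps the subject and denies when no Search is found.
def build_ability(user)
  ability = MiniAbility.new
  ability.can(:read, Search) do |subject|
    search = unwrap_subject(subject, Search)
    !search.nil? && search.owner_id == user.id
  end
  ability
end

# Class of the argument the block actually receives for a given subject.
def block_argument_class(subject)
  seen = nil
  ability = MiniAbility.new
  ability.can(:read, Search) { |arg| seen = arg.class; true }
  ability.can?(:read, subject)
  seen
end
```

Without the unwrap step, an ownership check written against `search.owner_id` would be called on a Hash; with it, the block sees the model in both call styles and returns false when no `Search` is present.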
