how do I specify nested CanCan authorizations with non-standard relationship names?

Question

I'm using Devise for authentication and CanCan for authorization.

the goal

I have two models: User and Sponsorship, where Sponsorship provides a has_many :through relationship between user-as-sponsor and user-as-client.

I want to configure CanCan so a user with sponsor? privileges can manage his or her own Sponsorships, that is, only sponsorships for which Sponsorship#client_id == user.id. A user can also have admin? privileges, in which case he or she can manage any Sponsorship.

the models

class User < ActiveRecord::Base
  has_many :sponsor_links, :class_name => 'Sponsorship', :foreign_key => 'client_id'
  has_many :sponsors, :through => :sponsor_links, :class_name => 'User'

  has_many :client_links, :class_name => 'Sponsorship', :foreign_key => 'sponsor_id'
  has_many :clients, :through => :client_links, :class_name => 'User'

  def has_role?(role)
    ... return true if this user has <role> privileges
  end
end

class Sponsorship
  belongs_to :sponsor, :class_name => 'User'
  belongs_to :client, :class_name => 'User'
end

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new  # handle guest user (not logged in)
    if user.has_role?(:admin)
      can :manage, :all
    elsif user.has_role?(:sponsor)
      # not sure if the third argument is correct...
      can :manage, Sponsorship, :sponsor => {:user_id => user.id}
    end
  end
end

the routes

I've set up nested routes to reflect the fact that a sponsoring user owns his or her clients:

resource :users, :only => [:index]
  resource :sponsorships
end

the question

What's the right way to load and authorize the user and sponsorship resources in my SponsorshipsController?

what I've tried

This is similar to an ordinary nested resource, which CanCan handles easily. But the relations have non-standard names (e.g. :sponsor_links rather than :sponsorships), and I haven't figured out how to configure the load_and_authorize_resource declarations in my SponsorshipsController.

Among the many things I've tried that don't work ;), here's one of the simpler versions. (Note also that my Abilities may not be set up properly -- see above):

class SponsorshipsController < ApplicationController
  load_and_authorize_resource :sponsor_links, :class_name => "User"
  load_and_authorize_resource :sponsorships, :through => :sponsor_links
  respond_to :json

  # GET /users/:user_id/sponsorships.json
  def index
    respond_to @sponsorships
  end

  # GET /users/:user_id/sponsorships/:id.json
  def show
    respond_to @sponsorship
  end
end

By rescuing CanCan::AccessDenied errors, I know that:

In index with a :sponsor user, authentication fails for the User.
In index with an :admin user, authentication fails for the Sponsorship.
In show, regardless of the role, authentication fails for the Sponsorship.

score 1 · Answer 1 · answered Apr 11 '12 at 02:55

a partial answer

First problem was in the Abilities spec, which read:

...if user.has_role?(:sponsor)
  can :manage, Sponsorship, :sponsor => {:user_id => user.id}
end

but should have just been

...if user.has_role?(:sponsor)
  can :manage, Sponsorship, :user_id => user.id
end

(Remember, kids, unit tests are your friend! Somehow I'd forgotten that lesson.)

In the controller, I also changed:

  load_and_authorize_resource :sponsor_links, :class_name => "User"
  load_and_authorize_resource :sponsorships, :through => :sponsor_links

to just

  load_and_authorize_resource :user
  load_and_authorize_resource :sponsorship

This mostly works: it sets up @user and @sponsorship and authorizes access to them. But the index function loads all sponsorships accessible to the current_user, not just those owned by :user_id. My fix -- probably not optimal -- was to rewrite the index function from

  def index
    respond_with(@user, @sponsorships)
  end

to

  def index
    @sponsorships = @sponsorships.where(:sponsor_id => @user.id)
    respond_with(@user, @sponsorships)
  end

With these changes, it all works.

If someone has a more proper way to express this, I'd like to know.