I set some files using Paperclip expiring_url. Those are working fine.

I'm trying to use CanCan 2.0 to allow expiring_url only to signed members, using the following code:

# /app/models/ability.rb
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new  # guest user
    can :read, :movies
    cannot :read, :movies, :expiring_url

    if user.persisted?
      can :read, :movies, :expiring_url
    end

  end
end

My MoviesController.rb has load_and_authorize_resource, but all users are still able to download the movie.

expiring_url is not an attribute of Movie, and I can see that this is the reason why it is not working. I'm not sure how I can specify the Paperclip expiring_url object associated with this in order to make it work.

Any idea how to do this?

Martin

2 Answers

Cancan apparently requires the conditions to be actual database columns, according to the statement on this page:

It is important to only use database columns for these conditions

This isn't a limitation in paperclip, it's cancan (which I love quite a bit, don't get me wrong).

djcp

I use CanCan 1.6.x, but under Defining Abilities in the 2.0 docs, Ryan says

The current_user is passed in allowing you to define permissions based on user attributes.

So if you have a current_user, would something like the below not work for you?

if user
  can :read, :movies, :expiring_url
else
  can :read, :movies
end

Can you provide more info about what "expiring_url" is? I just realized the above probably won't work for you either since expiring_url doesn't sound like a model.

memoht