I have a User and an Organization model with a many-to-many association, via a Membership model. Users (there are no roles) should only be able to create, read, and update Organizations to which they belong as members.

I've put the following in CanCanCan's Ability class and have a load_and_authorize_resource on the Organization model.

can [:create, :read, :update], Organization do |organization|
    !(organization.memberships & user.memberships).empty?
end

When I load /organizations (index page), @organizations is nil.

When I set @organizations = Article.accessible_by(current_ability) I get the following error:

The accessible_by call cannot be used with a block 'can' definition. The SQL cannot be determined for :index Organization(id:integer...

The docs mention advice to use SQL, but I don't quite understand how.

zapatos

1 Answer

It looks like this line was part of the problem.

!(organization.memberships & user.memberships).empty?

I went with the version below which appears simpler and correct.

organization.memberships.pluck(:user_id).include?(user.id)

The error remains when calling accessible_by(current_ability) with a block, but I was able to work around it with Devise's current_user method.

zapatos