
I have a basic authorization class in a Rails application which looks like this:

class Ability
  include CanCan::Ability

  def initialize(user)
    if user
      can :access, :rails_admin       # any logged-in user may enter Rails Admin
      can :dashboard
      if user.admin?
        can :manage, :all
      else
        can :manage, [Agreement, Attachment, Contact, Deadline, Event, Image, Photo, Project, Submission, Talk]
        can :update, User, id: user.id
      end

      # Current user cannot delete his account (kept inside `if user`: a guest has no id)
      cannot :destroy, User, id: user.id
    end
  end
end

Now, I get an unauthorized error when trying to access the dashboard with a simple user, but once I put `can :manage, :all` in the simple-user condition it is mysteriously let through and sees the dashboard.

What does `:manage, :all` have that `:manage, [All_my_tables]` does not, and why is my user not let in this way?

Vlad Balanescu
    **https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities** – Tom Lord May 26 '17 at 10:33
  • Thank you for sharing the wiki with me, but I have been through that page already, and if I had found my answer there I wouldn't have posted a question here – Vlad Balanescu May 26 '17 at 10:35
  • *"I get an unauthorized error when trying to access the dashboard"* -- Is this not because you've written `can :dashboard` instead of `can :read, :dashboard`? Or if not, could you be more specific about what action the user is being unauthorized for? (What's in the controller?) – Tom Lord May 26 '17 at 10:40
  • As long as that works for an admin, what makes you think that's the line failing? I was very specific, I said by using the code above, a `simple user` cannot log in, but once I do `can :manage, :all` for a simple user, all works – Vlad Balanescu May 26 '17 at 10:44
  • `:manage` and `:all` have a special meaning, to allow every action on every controller. So of course an admin can access the dashboard. As to why a non-admin cannot have access, I can't be sure (*what's in the controller??*). My guess is that in order to view the dashboard, you must have the `:read, :dashboard` permission -- which you have not given to non-admin users. – Tom Lord May 26 '17 at 10:47
  • That controller is coming from rails_admin, I don't have a user controller, because I am using Devise. Even if I give the `:manage` action on the dashboard to a regular user it still doesn't work – Vlad Balanescu May 26 '17 at 10:50
  • @TomLord: apparently, the `can :dashboard` thing is recommended by [rails_admin wiki](https://github.com/sferik/rails_admin/wiki/Cancancan) – Sergio Tulentsev May 26 '17 at 11:26
  • `:dashboard` is an action, not a resource. I would pry into `https://github.com/sferik/rails_admin/blob/master/lib/rails_admin/extensions/cancancan/authorization_adapter.rb` and see what is getting passed to `@controller.current_ability` – fylooi May 26 '17 at 15:02

1 Answer

Here is the answer: I just need to do `:manage, :all` for a simple user and then override the permissions.

class Ability
  include CanCan::Ability

  def initialize(user)
    # Check if the user is logged in
    if user
      # Grant access to Rails Admin and the dashboard, then allow everything
      can :access, :rails_admin
      can :dashboard
      can :manage, :all

      # Simple user permissions set here: take back what non-admins may not do
      if !user.admin?
        alias_action :create, :update, :destroy, to: :cud

        cannot :cud, User
        cannot :destroy, [Agreement, Submission]
      end

      can :update, User, id: user.id     # User can edit his/her own account
      cannot :destroy, User, id: user.id # User cannot delete his/her own account (inside `if user`, so a guest never hits nil.id)
    end
  end
end

Thanks for the downvotes, but this question was well researched before I came here.

Vlad Balanescu
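To make the "allow everything, then `cannot` the exceptions" approach concrete, here is an added toy resolver (not the answer's or the cancancan gem's code) that mimics CanCanCan's rule semantics, with the answer's rule set wired in; the models are stand-in Structs constructed for the example. It also makes the trade-off visible: any model the app gains later is fully manageable by every logged-in user until a `cannot` is written for it.

```ruby
# Toy resolver with CanCanCan-style rule semantics, constructed for this example (not the
# gem's code): the LAST matching rule wins, :manage matches any action, :all any subject,
# a subject-less rule (`can :dashboard`) matches a nil subject, and a conditions hash is
# checked against an instance's attributes.
Rule = Struct.new(:allow, :actions, :subjects, :conditions)
Agreement = Struct.new(:id); Submission = Struct.new(:id); Contact = Struct.new(:id) # model stand-ins
User = Struct.new(:id, :admin)

class ToyAbility
  ALIASES = { cud: %i[create update destroy] }.freeze # mirrors alias_action in the answer

  def initialize(user)
    @rules = []
    return unless user                    # guest: no rules, so every check is denied
    can :access, :rails_admin
    can :dashboard
    can :manage, :all                     # allow everything, then carve out exceptions
    unless user.admin
      cannot :cud, User                   # non-admins: no create/update/destroy on User
      cannot :destroy, [Agreement, Submission]
    end
    can :update, User, id: user.id        # later rule re-allows editing one's own account
    cannot :destroy, User, id: user.id    # nobody, admin included, deletes their own account
  end

  def can(actions, subjects = nil, conditions = {})
    @rules << Rule.new(true, Array(actions), [subjects].flatten, conditions)
  end

  def cannot(actions, subjects = nil, conditions = {})
    @rules << Rule.new(false, Array(actions), [subjects].flatten, conditions)
  end

  # Walk the rules newest-first; the first match decides. No match at all means denied.
  def can?(action, subject = nil)
    rule = @rules.reverse.find { |r| matches?(r, action, subject) }
    rule ? rule.allow : false
  end

  private

  def matches?(r, action, subject)
    acts = r.actions.flat_map { |a| ALIASES.fetch(a, [a]) }
    return false unless acts.include?(:manage) || acts.include?(action)
    subs = r.subjects
    return false unless subs.include?(:all) || subs.include?(subject) || subs.include?(subject.class)
    # conditions only constrain instance checks; a class-level check passes if any record could
    r.conditions.empty? || !subject.is_a?(Struct) || r.conditions.all? { |k, v| subject[k] == v }
  end
end
```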