Questions tagged [cancan]

The CanCan gem offers a straightforward and flexible way to define what a user can and cannot do.

CanCan is an authorization library for Ruby on Rails which restricts what resources a given user is allowed to access.

CanCan uses a model to define the abilities of a user. Inside the class you declare what a user can and cannot do by using the “can” method. From your controllers you use the "can?" method to test the current user's authorization.

As development on CanCan is no longer active, it has been continued under the new name CanCanCan.

1405 questions
14
votes
1 answer

RSpec authorization testing with raise_error not working

I'm trying to test how a not logged in user behaves like this describe "not logged in user" do user_no_rights it "can't access action index" do expect(get :index).to raise_error(CanCan::AccessDenied) end end The output when I…
patrickkeller
13
votes
5 answers

Safest and Railsiest way in CanCan to do Guest, User, Admin permissions

I'm relatively new to rails (3), and am building an application, using CanCan, where there are 3 tiers of users. Guest - unregistered visitor User registered and logged in visitor Admin - registered and logged in visitor with admin flag My ability…
Edward M Smith
13
votes
1 answer

What is current_ability in CanCan's accessible_by (fetching records)?

In the documentation of CanCan it shows how to fetch all accessible records in this way: @articles = Article.accessible_by(current_ability) but what is current_ability? I've tried passing the current user which I'm using for authentication and…
Pablo Fernandez
13
votes
3 answers

How to integrate CanCan with multiple devise models?

How would I go about defining abilities for several devise models?
user1464499
12
votes
2 answers

What is the best way to bypass devise authorization for a specific record marked public

I'm using devise and cancan in a Rails 3.2 project. I have an event model with a boolean flag public. If the event is marked as public => true then I want anybody, signed in or not to be able to access the record with GET /events/:id If it is…
bradgonesurfing
12
votes
5 answers

Using cancan to prevent access to controller

I have an admin controller and I want that only users that are defined as admin would have access to that controller. My ability class: class Ability include CanCan::Ability def initialize(user) if user.admin? can :manage, :all …
Ran
12
votes
2 answers

CanCanCan throws a regular Rails error on an exception rather than a flash message like I specified

I am using CanCanCan, Devise & Rolify. My ApplicationController looks like this: class ApplicationController < ActionController::Base # Prevent CSRF attacks by raising an exception. # For APIs, you may want to use :null_session instead. …
marcamillion
11
votes
3 answers

Rails CanCan gem refactoring Ability class

I have around 13 models in my rails app, and I use ability on all of them. My ability class has grown huge. I have different ability conditions on different CRUD actions, which is making it hard to manage. Can someone guide me on how I can refactor…
aBadAssCowboy
11
votes
1 answer

Is possible CanCan can :manage, :all except one or more method?

I'm doing: can :manage, :all if user.role == 'admin' can :approve, Anuncio do |anuncio| anuncio.try(:aprovado) == false end My second method does not work because the :manage :all overrides it. Is there a way to declare can manage all except…
Bruno Sapienza
11
votes
1 answer

Why is this rspec request spec not updating the model?

I have a requests spec for interactions with the User model. I want to make sure that Users with the Admin role can create/edit/destroy Users. I'm having a problem right now where the Edit action does not update the user. Everything works properly…
James Chevalier
11
votes
3 answers

Serialize permissions (e.g. CanCan) with active_model_serializers

How do I serialize permissions with active_model_serializers? I don't have access to current_user or the can? method in models and serializers.
Jo Liss
10
votes
2 answers

Get a string that represents a user's CanCan abilities

I want to cache a Post view, but the view depends on the permissions of the current user (e.g., I only show the "edit" link if current_user.can?(:edit, @post)) So I'd like my cache key to include a representation of the current user's CanCan…
Tom Lehman
10
votes
1 answer

Rails Can Can Ability Class For Multiple Devise Models

I was wondering how I can define an ability class and serve that ability class depending on the user that has logged in. I am using Active Admin, Can Can and Devise and I have successfully created a User and an AdminUser models. I have this in my…
yretuta
10
votes
1 answer

How can I use RSpec to test the response code on a CanCan failed authorization?

I'm working on a rails project in which I use CanCan to authorize my resources. When a user is not signed in and tries to submit a "talk" (via an ajax form submission), CanCan correctly raises a 401 with {"status":"error","message":"You must be…
Matt McCormick
10
votes
1 answer

CanCan difference between :read and [:index, :show]?

According to all documentation, the :read action is aliased to both :index and :show: alias_action :index, :show, :to => :read However, consider the following scenario with nested resources: resources :posts resources :comments end If I define…
sethvargo