You can find some info about what needs to be done here: https://administrate-prototype.herokuapp.com/authorization
What is mentioned there works well for filtering collections of records, but breaks when trying to authorize individual resources. The solution is to override the find_resource method. Here is the final working code:
```ruby
# app/controllers/admin/application_controller.rb
module Admin
  class ApplicationController < Administrate::ApplicationController
    rescue_from CanCan::AccessDenied do |exception|
      flash[:notice] = "Access Denied"
      redirect_to admin_root_path
    end

    # Override find_resource, because it initially calls scoped_resource.find(param)
    # which breaks since we are overriding that method as well.
    def find_resource(param)
      resource_class.default_scoped.find(param)
    end

    # Limit the scope of the given resource
    def scoped_resource
      super.accessible_by(current_ability)
    end

    # Raise an exception if the user is not permitted to access this resource
    def authorize_resource(resource)
      raise CanCan::AccessDenied unless show_action?(params[:action], resource)
    end

    # Hide links to actions if the user is not allowed to do them
    def show_action?(action, resource)
      # translate :show action to :read for cancan
      if ["show", :show].include?(action)
        action = :read
      end
      can? action, resource
    end
  end
end
```
This will get you started for basic resource authorization with CanCan. Further customization of field views might be needed if you need to restrict access to nested resources etc. But that should be pretty standard from that point forward. Hope this helps. :)
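The answer above relies on two separate layers: `scoped_resource` filters what shows up in index listings, while `find_resource` deliberately looks a record up from the unscoped relation and `authorize_resource` then decides per record. The following is an added, dependency-free Ruby model of that split (not code from the answer, and not CanCan's or Administrate's implementation). `Ability`, `AccessDenied`, `accessible_by`, `Post`, `User` and the controller class are hypothetical stand-ins with the same shape as the real ones; the data is constructed. It shows why the collection filter alone is not authorization: a record outside the scope is still reachable by id, and only the per-record check turns that into an access-denied result.

```ruby
# Added example, not from the original answer. Plain-Ruby stand-ins for the
# CanCan / Administrate pieces; names are hypothetical.

Post = Struct.new(:id, :author_id, :published)
User = Struct.new(:id, :admin)

class AccessDenied < StandardError; end

# Minimal ability: admins may do anything; everyone else may only :read
# their own posts or published ones. The rule is evaluated per record.
class Ability
  def initialize(user)
    @user = user
  end

  def can?(action, post)
    return true if @user.admin
    action == :read && (post.author_id == @user.id || post.published)
  end

  # Collection filter, the analogue of accessible_by(current_ability).
  def accessible_by(posts)
    posts.select { |p| can?(:read, p) }
  end
end

# Constructed sample records (not real data).
POSTS = [
  Post.new(1, 10, true),   # author 10, published
  Post.new(2, 10, false),  # author 10, draft
  Post.new(3, 20, false)   # author 20, draft
].freeze

# Stand-in for the Administrate controller in the answer.
class AdminPostsController
  def initialize(user, posts = POSTS)
    @ability = Ability.new(user)
    @posts = posts
  end

  # index: only the scoped collection is listed.
  def scoped_resource
    @ability.accessible_by(@posts)
  end

  # show/edit/destroy: the record is looked up from the unscoped relation
  # (default_scoped in the answer), so the scope above does not protect it...
  def find_resource(id)
    @posts.find { |p| p.id == id } or raise KeyError, "no post #{id}"
  end

  # ...and this per-record check is what actually enforces authorization.
  def authorize_resource(action, post)
    raise AccessDenied unless show_action?(action, post)
  end

  # Maps the :show action to CanCan's :read, as the answer does.
  def show_action?(action, post)
    action = :read if %w[show].include?(action.to_s)
    @ability.can?(action, post)
  end

  # show action: returns the post, or raises AccessDenied.
  def show(id)
    post = find_resource(id)
    authorize_resource(:show, post)
    post
  end
end
```

Without `authorize_resource`, `show(2)` for user 20 would happily return another author's draft even though it never appears in that user's index; with it, the same request raises `AccessDenied`, which the real controller turns into the flash-and-redirect in the `rescue_from` block.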