Questions tagged [cancan]

The CanCan gem offers a straightforward and flexible way to define what a user can and cannot do.

CanCan is an authorization library for Ruby on Rails which restricts what resources a given user is allowed to access.

CanCan uses a model to define the abilities of a user. Inside the class you declare what a user can and cannot do by using the "can" method. From your controllers you use the "can?" method to test the current user's authorization.

As development on CanCan is no longer active, it has been continued under the new name CanCanCan.


1405 questions
49
votes
1 answer

Access CanCan's `can?` method from a model

You can get the current_user's permissions from a view or controller using can? in this fashion: <% if can? :update, @article %> <%= link_to "Edit", edit_article_path(@article) %> <% end %> How can I access this functionality from a model…
Tom Lehman
  • 85,973
  • 71
  • 200
  • 272
46
votes
1 answer

How can I test CanCan in the console?

I need to check :read? on an object in the console, how can I do this?
RubyRedGrapefruit
  • 12,066
  • 16
  • 92
  • 193
37
votes
6 answers

How to do integration testing with RSpec and Devise/CanCan?

If I have a Devise model User, of which only those users with role :admin are allowed to view a certain url, how can I write an RSpec integration test to check that the status returns 200 for that url? def login(user) post user_session_path,…
psugar
  • 1,897
  • 2
  • 18
  • 27
33
votes
3 answers

How to create the first (Admin) user (CanCan and Devise)?

I made authentication in my Rails 3 app followed by Tony's tutorial. I don't want public registrations on my app, just to create new users with Admin account, but I can't create Admin account manually, because in table Users there is encrypted…
dormitkon
  • 2,526
  • 4
  • 39
  • 60
30
votes
5 answers

How can I redirect a user's home (root) path based on their role using Devise?

I'm working on a project management app, and in the app, I have project_managers and clients. I'm using Devise and CanCan for authentication/authorization. At what point after login should I be redirecting the user to their own specific…
Mark
  • 315
  • 1
  • 4
  • 5
23
votes
1 answer

CanCan explanation of load_and_authorize_resource

I would like to know how the load_and_authorize_resource works inside. I searched the github page Link and tried to understand, but I didn't find anything useful. I only understand that load_and_authorize_resource is like a before_filter and it loads (in…
Vito
  • 746
  • 2
  • 9
  • 25
22
votes
6 answers

Testing views that use CanCan and Devise with RSpec

I was trying to test a simple index view, which has the following code inside: - if can? :destroy, MyModel %th Options MyModelsController has the following options (Inherited Resources + CanCan + Devise): class MyModelsController < ApplicationController …
farnoy
  • 7,356
  • 2
  • 20
  • 30
22
votes
4 answers

CanCan and controllers without models

I'm using CanCan for authorization. I define the model-action-user rules in /app/config/ability.rb and it's working fine. I've added the line load_and_authorize_resource to my application_controller, and everything's done. However, I also have…
user684934
20
votes
1 answer

cancan skip_authorization_check for Devise authentication

Because anyone can sign up and then log in, and because a user isn't identified for roles until after log in, doesn't it make sense to skip authorization_check for Devise? Going on that premise, I inherit from the Devise registration controller…
Jay
  • 6,206
  • 11
  • 48
  • 82
20
votes
4 answers

CanCan: limiting a user's ability to set certain model attributes based on their role

I have a Post model with a :published attribute (boolean) and a User model with a role attribute (string). There are three roles: ROLES = %w[admin publisher author] I don't want users whose role is author to be capable of setting, or editing, the…
stephenmurdoch
  • 34,024
  • 29
  • 114
  • 189
18
votes
3 answers

Rails 4 user roles and permissions

I am writing a rails application for an organization. Every user may have 1 or more roles and can only access certain controller actions depending on those roles. For example, only admins can create, destroy and update certain fields of Users. Also,…
gdiazc
  • 2,108
  • 4
  • 19
  • 30
17
votes
2 answers

CanCan load_and_authorize_resource triggers Forbidden Attributes

I have a standard RESTful controller that uses strong parameters. class UsersController < ApplicationController respond_to :html, :js def index @users = User.all end def show @user = User.find(params[:id]) end def new …
Tiggers
  • 179
  • 1
  • 3
16
votes
2 answers

cancan: the difference between "manage" and the combination of "read, create, update and destroy"?

In trying to debug use of cancan I found that if I use the following I can get past the accessdenied message: can :manage, Model When I changed it to the following I am denied access: can :read, Model can :create, Model can :update, Model …
Jay
  • 6,206
  • 11
  • 48
  • 82
16
votes
1 answer

Cancan accessible_by

What exactly is happening when I do: @patient.course_enrollments.accessible_by(current_ability) What seems to happen is I get course_enrollments where course.client_id = user.client.id, I just don't understand how accessible_by works. #…
Chris Muench
  • 17,444
  • 70
  • 209
  • 362
15
votes
5 answers

How do I create an rspec test that validates a JSON response?

I have a Groups Controller with a method def inbox. If the user is a group member then inbox returns a JSON object. If the user is not a member, then inbox should redirect thanks to CanCan permissions. How do I write an rspec to test these two use…
AnApprentice
  • 108,152
  • 195
  • 629
  • 1,012