Using with cancan

Arcath edited this page Jan 9, 2012 · 2 revisions

CanCan is an authorization gem written by Ryan Bates which allows you to easily customize your authorization to your needs.

Look at the CanCan Wiki for instructions on how to get CanCan installed, this guide is only going to focus on how to use the Adauth::UserModel to create your Ability class. Adauth allows you access the groups which the user is a member of, this means that you can use the users windows security groups in CanCan.

User Model

I like to add the is? method to my user model so that I can quickly perform logical tests in my ability class. This method looks like this:

def is?(role)

This method assumes you are using the user model created by the Adauth generators.

Ability Class

With the above method defined is then becomes very easy to use CanCan

class Ability
    def initialize(user)
        if"Domain Admins")
            can :manage, :all
            can :manage, Invoice
            can :read, Invoice
        can :read, :pages

This ability class would give everyone logging in the ability to read pages, members of the Postman group permission to read invoices, member of Finance permission to add/edit invoices and members of Domain Admins permission to add/edit any model in the application.

The ability class is very flexible and doesn't have to be a big if statement, but for very basic authorization this is all you need. Head over to the CanCan Wiki for more detialed instructions on how to configure your rules.