cancan is a tiny permission controller base on ruby cancan library.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



cancan is a tiny permission controller base on ruby cancan library. Once defined user ability, can easily check user's permission.


pip install cancan

Basic Usage

inherit from cancan.Ability

use add method to add user Ability

def add(self, action=None, subject=None, **conditions)`
    Add ability are allowed using two arguments.

    The first one is the action you're setting the permission for,
    the second one is the class of object you're setting it on.
    the third one is the subject's attributes must be matches or a function
    to be test.

    self.add('update', Article)
    self.add('update', Article, user_id=1)
    self.add('update', Article, user_id=1, title='hello')
    self.add('update', Article, function=test_title)
import cancan

class User(object):
    def __init__(self, id, name, role): = id = name
        self.role = role

class Article(object):
    def __init__(self, title, user_id):
        self.title = title
        self.user_id = user_id

class Ability(cancan.Ability):
    def __init__(self, user):
        if user.role == 'admin':
            self.add('manage', 'all')
            self.add('read', Article)
            self.add('create', Article)
            self.add('update', Article,
            self.add('create', 'bbb')

admin = User(1, 'neven', 'admin')
ability = Ability(admin)

# admin
ability.can('read', Article)    # True
ability.can('create', Article)  # True
ability.can('delete', Article)  # True
ability.can('aaa', Article)     # True
ability.can('create', 'bbb')    # True
ability.can('create', 'ccc')    # True

user = User(2, 'joe', 'user')
ability2 = Ability(user)

# user
ability2.can('read', Article)   # True
ability2.can('create', Article) # True
ability2.can('delete', Article) # False
ability2.can('aaa', Article)    # False
ability2.can('create', 'bbb')   # True
ability2.can('create', 'ccc')   # False

article = Article('hello', 2)
# admin
ability.can('update', article) # True

# user
ability2.can('update', article) # True
ability2.can('update', Article) # True(class dont check conditions)


import cancan

def test_title_gt_100(article):
    return len(article.title) > 100

def anoter_test(article, id, len_title):
    return article.user_id < id and len(article.title) > len_article

class Ability(cancan.Ability):
    def __init__(self, user):
        self.alias_action('create', 'read', 'update', to='cru')

        if user.role == 'admin':
            self.add('manage', 'all')
            self.addnot('destroy', 'gem')
        elif user.role == 'editor':
            self.add('cru', Article)
            self.add(['read', 'create'], 'gem')
            self.add('update', Article, function=test_title_gt_100)
            self.add('delete', Article, function=another_test, func_args=(10,), func_kwargs={"len_title": 4})
            self.add('create', Article)
            self.add('update', Article,
            self.add('create', 'bbb')

editor = User(3, 'kali', 'editor')
ability3 = Ability(editor)

# editor
ability3.can('create', Article)  # True
ability3.can('update', Article)  # True
ability3.can('cru', Article)  # True
ability3.can('read', 'gem')  # True
ability3.can('create', 'gem')  # True

article = Article('world', 1)
ability3.can('update', article)  # False
ability3.can('delete', article)  # True

article = Article('world'*100, 1)
ability3.can('delete', article)  # True



Integrate Django

see django_example