MassCanCan is an extension to the not-yet released CanCan 2.0. It grabs the permissions defined with CanCan and uses them to implement the ActiveRecord mass assignment security policies, removing the need to define the accessible attributes in the model and contributing to the application consistency.
Start by setting up CanCan 2.0.
Add the MassCanCan gem to your Gemfile:
gem "mass_can_can", :git => "git://github.com/alfonsocora/masscancan.git"
Then modify the Ability class to include MassCanCan instead of CanCan:
require 'mass_can_can/ability' class Ability include MassCanCan::Ability def initialize(user) ... end ... end
MassCanCan is not compatible with attr_accessible, attr_protected, or any other method that specifies mass assignment security in the model. Make sure that those methods are not called when using MassCanCan.
MassCanCan uses the new ActiveRecord mass assignment security, which can be configured with the mass_assignment_sanitizer configuration attribute:
config.active_record.mass_assignment_sanitizer = :strict
This field also supports the value :logger which logs failed update attempts to the log instead of rising errors.