Cancan 2.0: attributes authorization check with AR:Dirty instead of params hash #513

gamov opened this Issue Nov 14, 2011 · 1 comment

This is a suggestion, I don't know how feasible it is...
The current implementation only checks if the parameters present in the params hash are authorized, not if those are actually changing the model. If you also supply parameters that do not change the model, Cancan will not authorize the update.
It might be too 'deep' for Cancan to go and check if only the authorized attributes are dirty, but it will simplify the views because, with the current implementation, you need to put in a lot of 'if can?' to be sure you are not supplying unauthorized params for the current role.
Basically, it would be great if we could supply the same form for all roles and Cancan checked authorized attribute changes based on their dirtiness.
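
The two checks contrasted in this issue, as an added Ruby example (not CanCan's code or API and not part of the original post). `Article`, `UPDATABLE`, `SAMPLE_FORM` and both helper functions are hypothetical, and the model is a constructed stand-in for ActiveRecord's dirty tracking.

```ruby
# Constructed stand-in for a model with ActiveModel::Dirty-style tracking.
# It compares raw values and does no type casting.
class Article
  attr_reader :attributes

  def initialize(attrs)
    @original = attrs.transform_keys(&:to_s).freeze
    @attributes = @original.dup
  end

  def assign_attributes(params)
    params.each { |key, value| @attributes[key.to_s] = value }
  end

  # Names of attributes whose value differs from the loaded one.
  def changed
    @attributes.keys.select { |key| @attributes[key] != @original[key] }
  end
end

# Hypothetical per-role list of attributes a role may update.
UPDATABLE = {
  "admin"  => %w[title body published],
  "author" => %w[title body]
}.freeze

# Constructed sample: one shared form submits every field for every role.
SAMPLE_FORM = { "title" => "Hello", "body" => "New text", "published" => false }.freeze

# Check as described in the issue: every submitted key must be permitted,
# even when its value is identical to what is already stored.
def authorized_by_params?(role, params)
  (params.keys.map(&:to_s) - UPDATABLE.fetch(role, [])).empty?
end

# Proposed check: assign first, then require that only permitted
# attributes actually changed. Must run before the record is saved.
def authorized_by_dirty?(role, record, params)
  record.assign_attributes(params)
  (record.changed - UPDATABLE.fetch(role, [])).empty?
end
```

With `SAMPLE_FORM`, an author is rejected by the params-based check because `published` is present, but passes the dirty-based check because only `body` changes; flipping `published` to `true` is rejected by both.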


Can you try the most recent version to see if your issue has been resolved? This issue is tagged 2.0, so you'll want to use the master branch.

This is one of the oldest CanCan issues with no discussion. CanCan is struggling right now to implement support for Rails 4, and the issue count is nearing 200. It would be a big help if we could close a few old issues and get the issue count down. Thanks!