Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Problem with defining ability for resources 2.0 #706

KrilYura opened this Issue Jul 31, 2012 · 8 comments


None yet
2 participants

I have resource Message.
Also have controller MessagesController
I want to authorize access to particular message and not to controller, but cancan applies that restriction to both controller and resource.
I use: cannot :access :messages :from_id => user.id
In this case user will have no access to any action of controller, but I want apply this only to resource
In cancan 1. was something like:
cannot :access :Message :from_id => user.id
for specify this should be applied to resource

The rule applies to the controller in order to enforce the restriction you've made. How do you plan to enforce the :from_id => user.id rule?

Sorry maybe I didn't explain clearly my problem.
I have resource and controller with same name.
I wan't to apply some rule to resource and not to controller.
If I write cannot :access :message, this rule will be applied to controller and resource.
But I need only for resource

I understand the issue, I'm just wondering how you ensured that only authorized users could access the message. Are you trying to authorize outside of the view and controller? Maybe some code samples would help people understand what you're trying to accomplish by having the rule not apply to the controller.

I trying to do next:
Disallow user to access(all operations) message if message.from_id != user.id (if this user doesn't sent this message).
Also I have check like this authorize :read, @message.
Problem appears if user try to access any action of message controller.

It sounds like you want to make an ability file, but not load it in the ApplicationController. Try make another ability file and load it when you want to check the permissions on something without hooking it up to the controller.

class GeneralAbility
  include CanCan::Ability
  # add your abilities

a = GeneralAbility.new(some_user)
a.can? :read, message

By default the Ability class is associated with your controllers, so by naming this one differently, it won't be hooked up. See https://github.com/ryanb/cancan/wiki/Changing-Defaults

No, you'r wrong. My problem doesn't related to ability file and also I've loaded that file correctly.
Will try to explain by other way.
If I write this:
cannot :access :messages
I will not be able to access message controller, right?
Also if I write: authorize :read, @message
I will get exception, right?
It means my rule applies to controller and to resource.
How should I specify rule to disallow access to resource and allow access to controller?

I think we're saying the same thing. You want different rules to apply to the resource than the controller. I'm saying write two ability files. One, ability.rb, controls behaviour you want to apply to both the controller and the resource. And the other, in the example above, general_ability.rb, would not be linked to the controller, and you could use it to write rules like

cannot :access, :messages

and then apply them manually to the resource, as shown in my previous comment. This allows you to restrict access to the resource, without affecting the access to the controller.

oh. Now I understand.

@KrilYura KrilYura closed this Aug 15, 2012

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment