
Problem with defining ability for resources 2.0 #706

Closed
KrilYura opened this Issue July 31, 2012 · 8 comments

KrilYura

I have a resource Message.
I also have a controller MessagesController.
I want to authorize access to a particular message and not to the controller, but CanCan applies that restriction to both the controller and the resource.
I use: cannot :access, :messages, :from_id => user.id
In this case the user will have no access to any action of the controller, but I want to apply this only to the resource.
In CanCan 1 there was something like:
cannot :access, :Message, :from_id => user.id
to specify that this should be applied to the resource.

Nicholas Jakobsen

The rule applies to the controller in order to enforce the restriction you've made. How do you plan to enforce the :from_id => user.id rule?

KrilYura

Sorry, maybe I didn't explain my problem clearly.
I have a resource and a controller with the same name.
I want to apply some rule to the resource and not to the controller.
If I write cannot :access, :message, this rule will be applied to the controller and the resource.
But I need it only for the resource.

Nicholas Jakobsen

I understand the issue, I'm just wondering how you ensured that only authorized users could access the message. Are you trying to authorize outside of the view and controller? Maybe some code samples would help people understand what you're trying to accomplish by having the rule not apply to the controller.

KrilYura

I am trying to do the following:
Disallow the user from accessing (all operations) a message if message.from_id != user.id (if this user didn't send this message).
I also have a check like this: authorize :read, @message.
The problem appears if the user tries to access any action of the message controller.

Nicholas Jakobsen

It sounds like you want to make an ability file, but not load it in the ApplicationController. Try making another ability file and loading it when you want to check the permissions on something without hooking it up to the controller.

class GeneralAbility
  include CanCan::Ability

  # CanCan::Ability does not define an initializer, so the class needs
  # one that takes the user whose rules it should build
  def initialize(user)
    # add your abilities
  end
end

# instantiate it manually instead of relying on current_ability
a = GeneralAbility.new(some_user)
a.can? :read, message

By default the Ability class is associated with your controllers, so by naming this one differently, it won't be hooked up. See https://github.com/ryanb/cancan/wiki/Changing-Defaults

KrilYura

No, you're wrong. My problem isn't related to the ability file, and I've also loaded that file correctly.
I will try to explain it another way.
If I write this:
cannot :access, :messages
I will not be able to access the message controller, right?
Also, if I write: authorize :read, @message
I will get an exception, right?
It means my rule applies to the controller and to the resource.
Question:
How should I specify a rule to disallow access to the resource and allow access to the controller?

Nicholas Jakobsen

I think we're saying the same thing. You want different rules to apply to the resource than the controller. I'm saying write two ability files. One, ability.rb, controls behaviour you want to apply to both the controller and the resource. And the other, in the example above, general_ability.rb, would not be linked to the controller, and you could use it to write rules like

cannot :access, :messages

and then apply them manually to the resource, as shown in my previous comment. This allows you to restrict access to the resource, without affecting the access to the controller.

KrilYura

Oh. Now I understand.
Thanks.

KrilYura closed this August 15, 2012