(:can) + (:cannot with parameter) on same model results in wrong SQL query #807

vectriss opened this Issue Jan 21, 2013 · 2 comments





I've got this code in a Rails 3.2.11 project with CanCan 1.6.8:

Ability model:

if user.is_super_admin?
    can :manage, User
    cannot :manage, User, :rank => "root"
end

In UserController:

def index
    # empty
end

and when I run WEBrick, log in as super_admin and go to the user/index action, CanCan runs this SQL (from development.log):

SELECT users.* FROM users WHERE users.rank = 'root';

resulting in selecting only the 'root' user from the DB where I want the opposite effect.

CanCan should run something like this:

SELECT users.* FROM users WHERE users.rank != 'root';

I noticed that when I put this code in Ability instead of the code mentioned earlier, it all works fine:

if user.is_super_admin?
    can :manage, User, :rank => 'user'
    can :manage, User, :rank => 'admin'
    can :manage, User, :rank => 'super_admin'
end

Am I missing something or is it a bug?
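
An added example, not part of the original post and not CanCan's own code: a simplified model of how a `can` rule followed by a `cannot` rule should combine into one WHERE clause, next to a merge that drops the negation and reproduces the reported query. `Rule`, `sql_for`, `buggy_where` and `merged_where` are hypothetical names for this sketch.

```ruby
# Added illustration: a simplified model of turning can/cannot rules into a
# WHERE clause. Rule, sql_for, buggy_where and merged_where are hypothetical
# names for this sketch, not CanCan internals.
Rule = Struct.new(:allow, :conditions) # allow: true = can, false = cannot

# Render a conditions hash as SQL; an empty hash matches every row.
def sql_for(table, conditions)
  return "1=1" if conditions.empty?
  conditions.map { |col, val|
    "#{table}.#{col} = '#{val.to_s.gsub("'", "''")}'"
  }.join(" AND ")
end

# Reproduces the reported query: the cannot rule's conditions are used as
# the filter and the negation is dropped.
def buggy_where(table, rules)
  sql_for(table, rules.last.conditions)
end

# Intended semantics: start from "no rows"; each later rule takes precedence,
# with can widening the scope (OR) and cannot narrowing it (AND NOT).
def merged_where(table, rules)
  rules.reduce("1=0") do |scope, rule|
    cond = sql_for(table, rule.conditions)
    if rule.allow
      next cond if scope == "1=0"
      [scope, cond].include?("1=1") ? "1=1" : "(#{scope}) OR (#{cond})"
    else
      next "1=0" if cond == "1=1" || scope == "1=0"
      scope == "1=1" ? "NOT (#{cond})" : "(#{scope}) AND NOT (#{cond})"
    end
  end
end

# The rules from the issue: can :manage, User / cannot :manage, User, :rank => "root"
ISSUE_RULES = [Rule.new(true, {}), Rule.new(false, { rank: "root" })]

puts buggy_where("users", ISSUE_RULES)   # the scope seen in development.log
puts merged_where("users", ISSUE_RULES)  # the scope the rules describe
```

In SQL, `NOT (users.rank = 'root')` also excludes rows whose rank is NULL, so the negated condition fails closed for those rows.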

@vectriss Did you resolve the issue? If not, I'd be happy to help.

xhoy commented Jul 1, 2014

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is at a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!
