Just a heads up, I've spent a few hours trying to work out why two model checks with can? were returning true, despite only one being set for the user. Take the following as an example:
```ruby
class Support::AccountTicket < Support::Ticket
```
The above two models need to act as separate permissions.
```ruby
can :update, Support::Ticket
# cannot :update, Support::AccountTicket
```
Checking against Support::AccountTicket returns true, as it inherits from Support::Ticket.
The issue seems to lie in the matches_subject_class? method: https://github.com/ryanb/cancan/blob/master/lib/cancan/rule.rb#L93
kind_of? checks superclasses, so it may be worth rewriting this, or at least allowing a class to have an option set to ignore superclasses on checks, as I can see inheritance checks actually being useful in a different scenario.
I'm afraid I haven't time to find a solution myself, as I have a workaround that's just as useful and more tailored for my requirements.
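The behaviour reported above, as an added example that is not part of the original issue and is not CanCan's source: a simplified model of subclass-aware rule matching, showing the inherited grant, an explicit deny for the subclass, and an exact-class option like the one the report suggests. `MiniAbility`, `Rule`, `update_matrix` and the `exact:` option are hypothetical names, and the model assumes the last matching rule wins.

```ruby
# Simplified model of class-based rule matching; NOT CanCan's source.
# MiniAbility, Rule, update_matrix and exact: are hypothetical names.
module Support
  class Ticket; end
  class AccountTicket < Ticket; end
end

Rule = Struct.new(:allow, :action, :subject, :exact) do
  def matches?(wanted, target)
    klass = target.is_a?(Module) ? target : target.class
    return false unless action == wanted
    # Default is subclass-aware (the kind_of? behaviour); exact: compares identity.
    exact ? klass == subject : !!(klass <= subject)
  end
end

class MiniAbility
  def initialize
    @rules = []
  end

  def can(action, subject, exact: false)
    @rules << Rule.new(true, action, subject, exact)
  end

  def cannot(action, subject, exact: false)
    @rules << Rule.new(false, action, subject, exact)
  end

  # Assumption: the last matching rule wins; no matching rule means denied.
  def can?(action, target)
    rule = @rules.reverse.find { |r| r.matches?(action, target) }
    rule ? rule.allow : false
  end
end

# Returns [can? on Ticket, can? on AccountTicket] for one rule set.
def update_matrix(exact: false, deny_subclass: false)
  ability = MiniAbility.new
  ability.can :update, Support::Ticket, exact: exact
  ability.cannot :update, Support::AccountTicket if deny_subclass
  [Support::Ticket, Support::AccountTicket].map { |k| ability.can?(:update, k) }
end
```

Asserting a matrix like this for every subclass in an ability spec catches permissions that are granted only through inheritance.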
Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is at a standstill.
CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.
If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.
We hope to see you on the other side!