Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Model vs controller action based authorization. Can cancan support both? (discussion) #831

Closed
shyam-habarakada opened this Issue · 3 comments

3 participants

@shyam-habarakada

We have an app that is using an authorization scheme that is based on models (as opposed to controller actions).

For instance, we have admin, member and guest roles and say, User, Post and Comment models. We then declaratively define which CRUD operation each role is allowed, per model. We also define the scope at which each role is able to perform the operation, where scope can be All, Mine or None. All means that the current_user can perform an operation on data owned by herself as well as any other user. Mine means she can only operate on data owned by her self. None means no access.

Having looked at cancan briefly, I felt like this is not a well supported scenario, so I implemented a solution modeled loosely after Ryan's Authorization from Scratch railscast.

Was I correct in my understanding that cancan does not support this model out of the box?

If there is interest, I can help investigate building this into the gem (v2.x?).

Thanks for your input.

@graywh

What makes you think it wouldn't support your scheme? Have you looked at the documentation on defining abilities? It comes down to can [CRUD action(s)], [model], [condition--all,mine].

@mojovski

yes, your scnario is supported. you can also use callback (block methods) to check the authorization for a speicifc action using the data behind an instance:

can :delete, User do |u|
    u.id==user.id
end

allows a user to delete itself.

@shyam-habarakada

Thanks for clarifying this. I will take a closer look and see if I can replace my custom scheme with this. If I run into a specific roadblock, will open a new issue to discuss. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.