This repository has been archived by the owner on Dec 12, 2021. It is now read-only.

Model vs controller action based authorization. Can cancan support both? (discussion) #831

Closed
shyam-habarakada opened this issue Feb 28, 2013 · 3 comments

Comments

@shyam-habarakada

We have an app that is using an authorization scheme that is based on models (as opposed to controller actions).

For instance, we have admin, member and guest roles and say, User, Post and Comment models. We then declaratively define which CRUD operation each role is allowed, per model. We also define the scope at which each role is able to perform the operation, where scope can be All, Mine or None. All means that the current_user can perform an operation on data owned by herself as well as any other user. Mine means she can only operate on data owned by herself. None means no access.

Having looked at cancan briefly, I felt like this is not a well supported scenario, so I implemented a solution modeled loosely after Ryan's Authorization from Scratch railscast.

Was I correct in my understanding that cancan does not support this model out of the box?

If there is interest, I can help investigate building this into the gem (v2.x?).

Thanks for your input.

@graywh

graywh commented Mar 1, 2013

What makes you think it wouldn't support your scheme? Have you looked at the documentation on defining abilities? It comes down to can [CRUD action(s)], [model], [condition--all,mine].

@ghost

ghost commented Mar 27, 2013

Yes, your scenario is supported. You can also use callbacks (block methods) to check the authorization for a specific action using the data behind an instance:

# inside Ability#initialize(user); `user` is the current user, `u` the record being checked
can :delete, User do |u|
    u.id == user.id
end

allows a user to delete itself.
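To make the two answers above concrete (the `can [actions], [model], [conditions]` form and the block form), here is an added example that is not part of this thread and not CanCan's own code: a small stand-in for CanCan's Ability DSL, with the role/model/scope table from the original question mapped onto `can` rules. All = a rule with no condition, Mine = a rule with a `user_id: user.id` hash condition (or a block when the check needs more than attribute equality), None = no rule at all. The `User`, `Post` and `Comment` structs and the `MiniAbility` class are constructed for this example; CanCan's action aliases (`:read` covering `:index`/`:show`, `:manage`) and `accessible_by` are deliberately not reproduced.

```ruby
# Constructed stand-ins for the models in the thread (hypothetical, not the app's own).
User    = Struct.new(:id, :role)
Post    = Struct.new(:id, :user_id)
Comment = Struct.new(:id, :user_id)

# Minimal re-implementation of the CanCan Ability interface used in the thread:
# can(actions, model, hash_conditions = nil, &block) and can?(action, subject).
# Deny-by-default: an action is allowed only if some rule matches.
class MiniAbility
  Rule = Struct.new(:actions, :subject, :conditions, :block)

  def initialize(user)
    @rules = []
    @user  = user || User.new(nil, :guest)   # no session => guest role
    define_rules(@user)
  end

  # Same shape as CanCan's `can`: one action or an array, the model class,
  # optional attribute-equality conditions, optional block over the instance.
  def can(actions, subject, conditions = nil, &block)
    @rules << Rule.new(Array(actions), subject, conditions, block)
  end

  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule|
      rule.actions.include?(action) && rule.subject == klass && matches?(rule, subject)
    end
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end

  private

  # A class-level check (can? :update, Post) passes if any rule could apply;
  # an instance-level check evaluates the hash condition or the block.
  def matches?(rule, subject)
    return true if subject.is_a?(Class)
    if rule.conditions
      rule.conditions.all? { |attr, value| subject.public_send(attr) == value }
    elsif rule.block
      !!rule.block.call(subject)
    else
      true
    end
  end

  # The role/scope table expressed as rules:
  #   All  -> can :action, Model                       (no condition)
  #   Mine -> can :action, Model, user_id: user.id     (hash condition)
  #   None -> no rule                                  (denied by default)
  def define_rules(user)
    case user.role
    when :admin
      can [:create, :read, :update, :destroy], Post      # All
      can [:create, :read, :update, :destroy], Comment   # All
      can [:read, :update, :destroy], User               # All
    when :member
      can [:read, :create], Post                         # All
      can [:update, :destroy], Post, user_id: user.id    # Mine
      can [:read, :create], Comment                      # All
      can [:update, :destroy], Comment, user_id: user.id # Mine
      can :read, User                                    # All
      can :destroy, User do |u|                          # Mine, block form as in the reply above
        u.id == user.id
      end
    when :guest
      can :read, Post                                    # All; everything else is None
      can :read, Comment
    end
  end
end

# Usage: build the ability for the current user, then ask before acting.
if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, :member)
  ability = MiniAbility.new(alice)
  puts ability.can?(:update, Post.new(10, 1))   # own post
  puts ability.can?(:update, Post.new(11, 2))   # someone else's post
end
```

The practical point for the original question: the scope dimension does not need a separate mechanism; it is just whether a rule carries a condition, and "None" is simply the absence of a rule, which is why deny-by-default matters in `can?`.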

@shyam-habarakada
Author

Thanks for clarifying this. I will take a closer look and see if I can replace my custom scheme with this. If I run into a specific roadblock, I will open a new issue to discuss. Thanks.
