STI and checking permissions using a hash #915

chrisroos opened this Issue · 4 comments

2 participants


I've got an STI model with a has_many association (Page and BlogPost). My permissions are set up such that a user can `:read` the child object (Comment) if they authored the parent object.

Checking the permissions using `can? :read, <instance-of-comment>` works as I'd expect.

Checking the permissions using `can? :read, <instance-of-page> => Comment` works as I'd expect.

Checking the permissions using `can? :read, <instance-of-blog-post> => Comment` doesn't work as I'd expect: it always reports that the user can read the comment. I think I'd expect CanCan to 'know' that a BlogPost is a subclass of Page and check the permissions accordingly.

I've got a demo application including a failing test that illustrates this problem in more detail - The failing test is at

Does this seem like a problem or am I misunderstanding CanCan's behaviour?


It looks like maybe cancan doesn't support inheritance in nested resources. I may have reproduced this issue with a failing spec in spec/cancan/ability_spec.rb:


If you want to work on adding this new feature, you might check out rule#nested_subject_matches_conditions?.

Or, as a workaround, you could try adding another rule in your Ability, e.g.

can :read, Comment, blogpost: {user_id:}

Thanks for looking into it, @jaredbeck.

Rather than adding another rule to our Ability, I ended up avoiding the :through option in our calls to authorize_resource. As far as I can see it's the :through option in combination with STI models that results in the can? <permission>, <instance-of-parent> => <class-of-child> format being used. Without the :through option, we can rely on checking the permission using an <instance-of-child> which works correctly.

I'm not planning to try to fix this problem but figure this ticket might be useful for anyone else coming up against the same thing.


> I ended up avoiding the :through option ..

I'm glad you found a workaround.

> I'm not planning to try to fix this problem ..

That's fine. Cancan doesn't seem to be accepting any pull requests these days, anyway. Please go ahead and close this.


Closing as per @jaredbeck's suggestion.

@chrisroos chrisroos closed this
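
An added example, not code from this thread or from CanCan: a simplified Ruby model of the symptom reported above, where a hash check with a `BlogPost` parent always passes while the same check with a `Page` parent is evaluated. It assumes the nested conditions are looked up under the parent's exact class name, with a missing entry treated as empty conditions; `attrs_match?`, `naive_nested_match?` and `ancestor_nested_match?` are hypothetical names, and the rule and records are constructed.

```ruby
# Simplified model of a nested-subject check; not CanCan's code.
# Assumption: conditions are looked up under the parent's own class name and
# a missing entry is treated as "no conditions", which matches every record.
Page = Struct.new(:user_id)
class BlogPost < Page; end            # STI-style subclass of Page
class Comment; end

# Models: can :read, Comment, page: { user_id: 1 }  (constructed sample rule)
RULE = { page: { user_id: 1 } }.freeze

def attrs_match?(record, conditions)
  conditions.all? { |attr, value| record.public_send(attr) == value }
end

# Exact-class lookup: a BlogPost parent finds no :page entry, falls back to {}
# and the check fails open.
def naive_nested_match?(conditions, subject_hash)
  parent, _child = subject_hash.first
  attrs_match?(parent, conditions[parent.class.name.downcase.to_sym] || {})
end

# Ancestor-aware lookup: a subclass inherits the conditions written for its
# base class, and a parent with no applicable entry is denied.
def ancestor_nested_match?(conditions, subject_hash)
  parent, _child = subject_hash.first
  key = parent.class.ancestors
              .map { |klass| klass.name&.downcase&.to_sym }
              .find { |name| conditions.key?(name) }
  key ? attrs_match?(parent, conditions[key]) : false
end

# Constructed parents authored by user 2; the rule only admits user 1.
{ "Page" => Page.new(2), "BlogPost" => BlogPost.new(2) }.each do |label, parent|
  subject = { parent => Comment }
  puts format("%-8s naive=%-5s ancestor_aware=%s", label,
              naive_nested_match?(RULE, subject),
              ancestor_nested_match?(RULE, subject))
end
```

A regression spec for an application hitting this would assert that the `BlogPost => Comment` form is denied for a non-author, since that is the case that passes silently.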