Skip to content

Grant access to manage an object a user doesn't own... #925

Altonymous opened this Issue Aug 22, 2013 · 3 comments

2 participants


I currently have CanCan implemented in such a way that a user can only manage their own items. Now I need the ability for users to grant permissions to manage objects they own to other users in the system.

I'm not sure how to go about this?

I have tried creating a scope to cover any user that is party to the contract..

Then I setup my Ability as such...
can :read, Contract.parties(

My scope is defined as...
scope :parties, lambda { |user_id| joins(:offer).where("seller_id = ? OR buyer_id = ?", user_id, user_id) }

The log is showing that the query is executed successfully, and a record is returned. However, it still redirects me and tells me I am not authorized.


I've also tried...

belongs_to :offer
has_one :seller, (...)

  can :read, Contract, buyer_id:
  can :read, Contract, { seller: { id: } }


  can :read, Contract, buyer_id:
  can :read, Contract, { offer: { seller_id: } }

But these through errors.


I thought it might be related to the has_one vs belongs_to. However, that has proven to be a false theory. I am still struggling to find a solution to this problem.

xhoy commented Jul 1, 2014

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is on a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.