CanCan overly permissive with hash of conditions #929

shanesuofi opened this Issue Sep 5, 2013 · 1 comment


None yet

1 participant


This issue is also on stack overflow.

I'm having an issue with CanCan allowing access, when I don't think it should, when using a hash of conditions.

I have a rails model/table called projects, which controls access to documents and collections (sets of documents). Projects may be accessed by multiple users, called collaborators, if given permission by the project owner. There is also a collaborators table that tracks which users have access to which projects.

This all works as expected for read only access using a single permission or a single nested permission. For example, this works for collaborators:

can :read, Project, :collaborators => { :user_id => }
can :read, Collection, :projects => { :collaborators => { :user_id => } }
can :read, Document, :collection => { :projects => { :collaborators => { :user_id => }}}

I have a case where users other than the owner may need to manage a project. I call these users "editors". To check for editors I have a boolean field in the collaborators table called "editor". To allow editors access I created the following hash of conditions in CanCan:

can :manage, Project, :collaborators => { :user_id => }, :collaborators => { :editor => true }

However, this grants manage access to all collaborators if the editor field is true for any collaborator. I only want to grant manage access to a collaborator if the collaborator is also an editor, all other collaborators should only have read access. Since the above ability dose not work, I have an idea that what I need is something like this:

can :manage, Project, :collaborators => { :user_id => AND :editor => true}

But I don't know how to do this. We are using PostgreSQL as our database if that helps. Thanks.

SOLUTION: Curtsy of "ssorallen" at Stackoverflow.
can :manage, Project, :collaborators => { :user_id =>, :editor => true}

I think this example, or a similar example, would be helpful if it was added to the "Defining Abilities" page.

@shanesuofi shanesuofi closed this Sep 6, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment