Cancan 2.0 fix for issue #565; fixes namespaced non-db/model backed resources authorization #570

merged 2 commits into from

3 participants


This fixes the issue detailed in full here: #565 :clap:


Here's something interesting, Ryan. I've returned to working on an old app, and until now I was treating its resource as a non-db backed resource; hence the patch above. However, now I'm doing CRUD as well.

class Admin::ScheduledSessionsController < AdminController
  include ApplicationHelper
  load_and_authorize_resource :class => "Session"
end

...and my abilities now look like:

class AdminAbility
  include CanCan::Ability
  def initialize(user)
    if user
      can [:index, :show], "admin/dashboard"
      can [:index, :show, :published, :unpublished], "admin/scheduled_sessions"

      if user.super_admin?
        can [:new, :create], "admin/scheduled_sessions"
        can [:new, :create], :sessions

        can [:edit, :update], "admin/scheduled_sessions"
        can [:edit, :update], :sessions do |s|
          s.applicant_signups.count == 0
        end

        can [:publish, :unpublish], "admin/scheduled_sessions"
        can [:publish, :unpublish], :sessions
      end
    end
  end
end



@bsodmike Unfortunately, your patch does not merge cleanly against master. Could you rebase and submit again? Then ping me.


Hi @jeremyf done, can you try now please? Thanks!


[Verified] Clean merge on 2.0; And the specs all pass.


Thanks - will this be merged into @ryanb's 2.0 branch soon?


@bsodmike While I have commit rights to the repo, I'm here to help triage things. Right now I'm trying to clear out the pull requests. As far as timing, Ryan merged several requests yesterday that I verified. So I assume so.


That's fine, thanks. Yup, just noticed that @ryanb's been merging PRs in. Cheers for your efforts, really appreciated!


I had been meaning to get something like this in, thank you for the pull request. Glad it is so easy as well.

@ryanb merged commit 4986de8 into ryanb:2.0

Awesome @ryanb, my pleasure =)

Commits on May 11, 2012
  1. @bsodmike
  2. @bsodmike
Showing with 9 additions and 1 deletion.
  1. +1 −1 lib/cancan/rule.rb
  2. +8 −0 spec/cancan/controller_resource_spec.rb
2 lib/cancan/rule.rb
@@ -100,7 +100,7 @@ def matches_action?(action)
def matches_subject?(subject)
subject = subject_name(subject) if subject_object? subject
- @expanded_subjects.include?(:all) || @expanded_subjects.include?(subject.to_sym) # || matches_subject_class?(subject)
+ @expanded_subjects.include?(:all) || @expanded_subjects.include?(subject.to_sym) || @expanded_subjects.include?(subject) # || matches_subject_class?(subject)
def matches_attribute?(attribute)
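Review bot: On the changed line of matches_subject?, the authorization match now tests the subject in two forms, `subject.to_sym` and the raw `subject`, so whether a rule applies depends on whether the ability was declared with a String or a Symbol. Since this is the check that decides access, I would rather normalize subjects to one form where `@expanded_subjects` is built and keep a single `include?` here, which also keeps string subjects such as "admin/dashboard" from being handled differently than symbol ones elsewhere in the rule. The trailing `# || matches_subject_class?(subject)` comment is dead code carried over onto the new line and could be dropped while this line is being touched.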
8 spec/cancan/controller_resource_spec.rb
@@ -384,6 +384,14 @@ class Project < ::Project; end
@controller.instance_variable_get(:@project).name.should == "foobar"
+ it "should properly authorize resource for namespaced controller" do
+ @ability.can(:index, "admin/dashboard")
+ @params.merge!(:controller => "admin/dashboard", :action => "index")
+ @controller.authorize!(:index, "admin/dashboard")
+ resource =, :authorize => true).process
+ lambda { resource.process }.should_not raise_error(CanCan::Unauthorized)
+ end
# it "raises ImplementationRemoved when adding :name option" do
# lambda {
#, :name => :foo)
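Review bot: The new spec for the namespaced controller only covers the allowed case, and `should_not raise_error(CanCan::Unauthorized)` will also pass if the call fails with any other exception. For a change to subject matching I would add a negative case, where an ability granted on "admin/dashboard" must still raise CanCan::Unauthorized for a different namespaced string subject, and use a bare `should_not raise_error` for the positive case. The spec also assigns `resource` from a `.process` call and then calls `resource.process` again inside the lambda, so the object under test in the assertion is the return value of process rather than the controller resource; that looks unintended.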