Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


Cancan 2.0 fix for issue #565; fixes namespaced non-db/model backed resources authorization #570

merged 2 commits into from

3 participants

Michael de Silva Jeremy Friesen Ryan Bates
Michael de Silva

This fixes the issue detailed in full here: #565 :clap:

Michael de Silva

Here's something interesting Ryan. I've returned working on an old app and until now I was treating its resource as a non-db backed resource; hence the patch above. However, now I'm doing CRUD as well.

class Admin::ScheduledSessionsController < AdminController
  include ApplicationHelper
  load_and_authorize_resource :class => "Session"

...and my abilities now look like:

class AdminAbility
  include CanCan::Ability
  def initialize(user)
    if user
      can [:index, :show], "admin/dashboard"
      can [:index, :show, :published, :unpublished], "admin/scheduled_sessions"

      if user.super_admin?
        can [:new, :create], "admin/scheduled_sessions"
        can [:new, :create], :sessions

        can [:edit, :update], "admin/scheduled_sessions"
        can [:edit, :update], :sessions do |s|
          s.applicant_signups.count == 0 

        can [:publish, :unpublish], "admin/scheduled_sessions"
        can [:publish, :unpublish], :sessions


Jeremy Friesen

@bsodmike Unfortunately, your patch does not merge cleanly against master. Could you rebase and submit again? Then ping me.

Michael de Silva

Hi @jeremyf done, can you try now please? Thanks!

Jeremy Friesen

[Verified] Clean merge on 2.0; And the specs all pass.

Michael de Silva

Thanks - will this be merged into @ryanb's 2.0 branch soon?

Jeremy Friesen

@bsodmike While I have commit rights to the repo, I'm here to help triage things. Right now I'm trying to clear out the pull requests. As far as timing, Ryan's been merged several requests yesterday that I verified. So I assume so.

Michael de Silva

That's fine thanks. Yup, just noticed that @ryanb's been merging PR's in. Cheers for your efforts, really appreciated!

Ryan Bates

I had been meaning to get something like this in, thank you for the pull request. Glad it is so easy as well.

Ryan Bates ryanb merged commit 4986de8 into from
Michael de Silva

Awesome @ryanb, my pleasure =)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on May 11, 2012
  1. Michael de Silva
  2. Michael de Silva
This page is out of date. Refresh to see the latest.
Showing with 9 additions and 1 deletion.
  1. +1 −1  lib/cancan/rule.rb
  2. +8 −0 spec/cancan/controller_resource_spec.rb
2  lib/cancan/rule.rb
@@ -100,7 +100,7 @@ def matches_action?(action)
def matches_subject?(subject)
subject = subject_name(subject) if subject_object? subject
- @expanded_subjects.include?(:all) || @expanded_subjects.include?(subject.to_sym) # || matches_subject_class?(subject)
+ @expanded_subjects.include?(:all) || @expanded_subjects.include?(subject.to_sym) || @expanded_subjects.include?(subject) # || matches_subject_class?(subject)
def matches_attribute?(attribute)
8 spec/cancan/controller_resource_spec.rb
@@ -384,6 +384,14 @@ class Project < ::Project; end
@controller.instance_variable_get(:@project).name.should == "foobar"
+ it "should properly authorize resource for namespaced controller" do
+ @ability.can(:index, "admin/dashboard")
+ @params.merge!(:controller => "admin/dashboard", :action => "index")
+ @controller.authorize!(:index, "admin/dashboard")
+ resource =, :authorize => true).process
+ lambda { resource.process }.should_not raise_error(CanCan::Unauthorized)
+ end
# it "raises ImplementationRemoved when adding :name option" do
# lambda {
#, :name => :foo)
Something went wrong with that request. Please try again.