Sometimes you need to restrict which records are returned from the database based on what the user is able to access. This can be done with the `accessible_by` method on any Active Record model. Simply pass it the current ability to find only the records which the user is able to access.

```ruby
# current_ability is a method made available by CanCan to your controllers extending ActionController::Base
@articles = Article.accessible_by(current_ability)
```
Note: As of 1.4 this is done automatically by `load_resource` for the index action, so it rarely needs to be done manually.
You can change the action by passing it as the second argument. Here we find only the records the user has permission to update.

```ruby
@articles = Article.accessible_by(current_ability, :update)
```
If you want to use the current controller's action, make sure to call `to_sym` on it:

```ruby
@articles = Article.accessible_by(current_ability, params[:action].to_sym)
```

Be careful what you convert to a symbol. `params[:action]` is safe here because Rails sets it from the matched route, so it can only name an action the router dispatches to. Calling `to_sym` on an arbitrary request parameter such as `params[:option]` is a different matter: every distinct value the client sends is interned as a new symbol, and on Ruby versions before 2.2 symbols are never garbage collected, so an attacker who cycles through unique values can exhaust memory and DoS your application. Check untrusted values against a fixed list of expected strings before symbolizing them.
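The following is an added example, not code from the CanCan wiki, showing the symbol-exhaustion pattern beside a hardened version that maps untrusted input onto a fixed set of actions. `ACTIONS`, `unsafe_action_from_param`, `action_from_param` and `symbols_created` are hypothetical names chosen for this illustration.

```ruby
# Added example, not from the CanCan wiki: converting a request parameter into an
# action symbol without letting the client mint arbitrary symbols. ACTIONS and
# the helper names below are hypothetical.

# The only actions this controller will pass to accessible_by. These symbols
# already exist, so looking a string up against them never creates a new one.
ACTIONS = [:index, :show, :create, :update, :destroy].freeze

# Vulnerable pattern: every distinct string the client sends becomes a symbol.
# On Ruby before 2.2 symbols are never garbage collected, so a client cycling
# through unique values (?option=aaaa, ?option=aaab, ...) grows the process
# until it is killed.
def unsafe_action_from_param(value)
  value.to_sym
end

# Hardened pattern: return the matching pre-existing symbol or a conservative
# default; unknown input never reaches to_sym. Defaulting to the narrowest
# action fails closed instead of granting a broader permission.
def action_from_param(value, default = :index)
  ACTIONS.find { |action| action.to_s == value.to_s } || default
end

# Count how many symbols a block leaves behind, to make the difference visible.
# Ruby 2.2+ can collect dynamically created symbols at the next GC, so the
# unsafe count may later drop; the hardened version never adds any.
def symbols_created
  before = Symbol.all_symbols.size
  yield
  Symbol.all_symbols.size - before
end

if __FILE__ == $0
  inputs = (1..1000).map { |i| "opt#{i}" } # constructed hostile input
  puts "unsafe: #{symbols_created { inputs.each { |v| unsafe_action_from_param(v) } }}"
  puts "safe:   #{symbols_created { inputs.each { |v| action_from_param(v) } }}"
end
```

In a controller the hardened helper would be called as `Article.accessible_by(current_ability, action_from_param(params[:option]))`; the default of `:index` is deliberate, since an unexpected value should narrow the query rather than widen it.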
This is an Active Record scope, so other scopes and pagination can be chained onto it.

As of CanCan 1.3, this will work with multiple `can` calls, which allows you to define complex permission logic and have it translate properly to SQL. Special thanks to funny-falcon for this feature.
```ruby
# in Ability
# assuming user.id == 1
can :manage, User, :manager_id => user.id
cannot :manage, User, :self_managed => true
can :manage, User, :id => user.id
# translates to "(id = 1) OR (not (self_managed = 't') AND (manager_id = 1))"
# as if it is read from bottom to top
# "user could manage himself, for other he could not manage self_managed users, otherwise he could manage his employees"
```
It will raise an exception if any requested model's ability definition is defined using just a block. As of 1.4, you can define an SQL fragment in addition to the block (look for examples in Defining Abilities with Blocks).
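To make the "read from bottom to top" translation above and the block-only exception concrete, here is an added example that is not CanCan's own code: a stripped-down Ruby re-implementation of how the Active Record adapter folds several `can`/`cannot` rules with hash conditions into one SQL fragment, next to the in-memory check the same rules imply. `Rule`, `Ability`, `accessible_sql`, `allowed?` and the sample rows are all hypothetical and constructed for this illustration; the real gem's classes and quoting differ.

```ruby
# Added example, not CanCan's own code: a simplified model of how CanCan folds
# can/cannot rules with hash conditions into SQL. All names are hypothetical.
Rule = Struct.new(:base_behavior, :action, :subject, :conditions, :block) do
  # A rule with a block but no hash has no SQL form; CanCan raises in that case.
  def only_block?
    (conditions.nil? || conditions.empty?) && !block.nil?
  end

  # In-memory meaning of the hash conditions: every listed attribute must match.
  def matches?(record)
    return true if conditions.nil? || conditions.empty?
    conditions.all? { |attr, value| record[attr] == value }
  end
end

class Ability
  attr_reader :rules

  def initialize
    @rules = []
  end

  def can(action, subject, conditions = nil, &block)
    @rules << Rule.new(true, action, subject, conditions, block)
  end

  def cannot(action, subject, conditions = nil, &block)
    @rules << Rule.new(false, action, subject, conditions, block)
  end

  # Rules for this action and subject, in the order they were defined.
  def relevant_rules(action, subject)
    @rules.select { |r| r.subject == subject && (r.action == :manage || r.action == action) }
  end
end

TRUE_SQL  = "'t'='t'"
FALSE_SQL = "'t'='f'"

def quote(value)
  case value
  when true    then "'t'"
  when false   then "'f'"
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Hash conditions -> SQL fragment; nil means "no condition", i.e. every row.
def sql_for(conditions)
  return nil if conditions.nil? || conditions.empty?
  conditions.map { |a, v| v.nil? ? "#{a} IS NULL" : "#{a} = #{quote(v)}" }.join(" AND ")
end

# Fold one rule into the SQL built so far. Folding in definition order leaves the
# last-defined rule outermost, which is why the result reads "bottom to top".
def merge_conditions(sql, conditions, behavior)
  return behavior ? TRUE_SQL : FALSE_SQL if conditions.nil?
  case sql
  when TRUE_SQL  then behavior ? TRUE_SQL : "not (#{conditions})"
  when FALSE_SQL then behavior ? conditions : FALSE_SQL
  else behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
  end
end

def accessible_sql(ability, action, subject)
  rules = ability.relevant_rules(action, subject)
  raise ArgumentError, "block-only rule for #{subject} cannot be used in a query" if rules.any?(&:only_block?)
  if rules.size == 1 && rules.first.base_behavior
    sql_for(rules.first.conditions) || TRUE_SQL
  else
    rules.inject(FALSE_SQL) { |sql, r| merge_conditions(sql, sql_for(r.conditions), r.base_behavior) }
  end
end

# In-memory can?: the last-defined matching rule decides; no match means denied.
def allowed?(ability, action, subject, record)
  rule = ability.relevant_rules(action, subject).reverse.find { |r| r.matches?(record) }
  rule ? rule.base_behavior : false
end

# The Ability from the text, for a user whose id is 1.
def example_ability(user_id = 1)
  Ability.new.tap do |a|
    a.can    :manage, :User, :manager_id => user_id
    a.cannot :manage, :User, :self_managed => true
    a.can    :manage, :User, :id => user_id
  end
end

# Constructed sample rows standing in for the users table.
SAMPLE_USERS = [
  { :id => 1, :manager_id => nil, :self_managed => false }, # the user herself
  { :id => 2, :manager_id => 1,   :self_managed => false }, # her employee
  { :id => 3, :manager_id => 1,   :self_managed => true  }, # self-managed employee
  { :id => 4, :manager_id => 2,   :self_managed => false }, # someone else's employee
]

def manageable_ids(ability = example_ability, users = SAMPLE_USERS)
  users.select { |u| allowed?(ability, :update, :User, u) }.map { |u| u[:id] }
end
```

Running `accessible_sql(example_ability, :update, :User)` yields exactly the fragment quoted in the comment above, and `manageable_ids` picks users 1 and 2 from the sample rows: the same decision, once as SQL and once in memory. A rule given only a block makes `accessible_sql` raise, which is the behaviour the preceding paragraph describes, while a rule that carries both a hash and a block still translates because only the hash is used for the query.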
If you are using something other than Active Record, you can fetch the conditions hash directly from the current ability.