    I'm a bit confused about something: I have users and users belong to a company. Do I need to make sure on every single ability that the user is trying to do something on something that they should have access to? Meaning, every single action should check if user.company == resource.company. Does that mean I need to do it on every single ability definition? Also, is it necessary at all if we're using devise and always use current_company and current_user?
    Anton Antonov
    Does anyone have trouble/confusion with can :manage, :all?
    I have the following ability
      def initialize(user)
        user ||= User.new # guest user (not logged in)
        if user.superadmin?
          can :manage, :all
        elsif user.admin?
          can :manage, :all
          cannot :manage, User, role: User.roles[:superadmin]
        end
      end
    and the result of Ability.new(User.find_by(role: User.roles[:admin])).can?(:manage, User, role: User.roles[:superadmin]) is true. Although it should be false due to the last statement.
    Kara A Carrell
    Anyone in this room right now?
    Sudarshan Regmi
    Me. :P
    Kara A Carrell
    Awesome! At the time I posted, I was working on implementing cancancan into a rails 5 app with devise and devise_token_auth configured, and I was trying to figure out how to ensure cancancan doesn't interfere with tokens
    H. Can Yıldırım
    guys, can anyone in here help me with cancancan nested resources?
    class List < ApplicationRecord
      belongs_to :listable, polymorphic: true
    end

    class Department < ApplicationRecord
      has_many :lists, as: :listable
    end

    class Company < ApplicationRecord
      has_many :lists, as: :listable
    end

    class ListsController < ApplicationController
      before_filter :authorize_parent
      load_resource :departments
      load_resource :companies
      load_resource :users
      load_and_authorize_resource :list, :through => [:departments, :companies, :users]

      def authorize_parent
        authorize! :read, (@companies || @departments || @user)
      end
    end

    class Ability
      include CanCan::Ability

      def initialize(user)
        user ||= User.new
        if user.has_role? :admin
          can :manage, :all
          can :read, List, { :company => { :id => user.company_id } }
          can :read, List, { :department => { :id => user.departments.first.id } }
        end
      end
    end
    Jason Knebel
    Hello. I'm getting a ForbiddenAttributes error in the create action of a namespaced controller. I've tried with the model added and not in ability.rb. It occurs whenever load_and_authorize_resource is added to the controller. Other actions work as expected. I've searched for details about namespaces and haven't found much. Any thoughts?
    Jason Knebel
    Answer: Take the namespace out of the *_params method.
    David Stancu
    I made a small layer on top of cancancan after developing this pattern in some of my personal projects and would appreciate some feedback: https://github.com/mach-kernel/warhol