Hello, I have an app that uses Devise and CanCan. In config/initializers/Ability.rb:

class Ability
  include CanCan::Ability

  def initialize(user)
    if user.is? :superadmin
      can :manage, :all
    elsif user.is? :user
      can :read, Project do |project|
        project && project.users.include?(user)
      end
    end
  end
end

I have a problem with the index action of the Projects controller; the Projects controller is a normal, stock RESTful controller. Basically, a user who is a normal user can, when logged in, see projects#index. But not all projects have this user as a 'normal user', so why isn't CanCan blocking his access?

Thanks

A: 

Make sure you're calling load_and_authorize_resource in your ProjectsController, along the lines of:

class ProjectsController < ApplicationController
  load_and_authorize_resource

  #...
end

If that still doesn't work, try calling the authorize! method inside the index action, to see if that makes a difference, e.g.:

class ProjectsController < ApplicationController
  #...

  def index
    @projects = Project.all
    # index is a class-level check: authorize against Project, not the loaded array,
    # since an Array subject matches no rule and always raises AccessDenied
    authorize! :read, Project
  end

  #...
end
theTRON
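As an added illustration (not the question's or the answer's code, and not the CanCan gem), here is a small pure-Ruby stand-in for CanCan's rule evaluation. It assumes a `User#is?` helper like the one in the question and models `Project#users` as an array; it shows why a block-only `can :read, Project` rule passes the class-level check that `index` performs, while a hash-condition rule can both check an instance and scope the collection the way `accessible_by` does.

```ruby
# Stand-in for CanCan's rule evaluation (not the gem itself), added to show why the
# question's block rule does not stop index. User#is? and Project#users are assumed.
User    = Struct.new(:id, :role) { def is?(r); role == r; end }
Project = Struct.new(:id, :users)

class MiniAbility
  Rule = Struct.new(:action, :subject, :conditions, :block)
  def initialize(user, style = :block)
    @rules = []
    if user.is?(:superadmin)
      can :manage, :all
    elsif user.is?(:user) && style == :block
      can(:read, Project) { |project| project.users.include?(user) } # the question's rule
    elsif user.is?(:user)
      can :read, Project, users: { id: user.id } # hash condition: can also scope a query
    end
  end
  def can(action, subject, conditions = nil, &block)
    @rules << Rule.new(action, subject, conditions, block)
  end
  # Rules whose action and subject apply; :manage and :all are wildcards, as in CanCan.
  def relevant_rules(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.select { |r| [action, :manage].include?(r.action) && [klass, :all].include?(r.subject) }
  end

  # can?(:read, Project) is a class-level check: any matching rule passes and the block is
  # never called, which is why a normal user gets through authorize!(:read, Project) on index.
  def can?(action, subject)
    relevant_rules(action, subject).any? do |r|
      next true if subject.is_a?(Class) || (r.conditions.nil? && r.block.nil?)
      r.block ? r.block.call(subject) : r.conditions.all? { |k, v| matches?(subject, k, v) }
    end
  end

  # Counterpart of accessible_by: keeps records matching a hash-condition rule. A block
  # rule cannot be turned into a query, so it is refused rather than silently ignored.
  def accessible(action, klass, records)
    rules = relevant_rules(action, klass)
    raise ArgumentError, 'block rule cannot scope a collection' if rules.any?(&:block)
    records.select { |rec| rules.any? { |r| r.conditions.nil? || r.conditions.all? { |k, v| matches?(rec, k, v) } } }
  end

  # A nested hash matches an association when any of its members satisfies it.
  def matches?(record, key, value)
    attr = record.public_send(key)
    return attr == value unless value.is_a?(Hash)
    (attr.is_a?(Array) ? attr : [attr]).any? { |a| value.all? { |k, v| matches?(a, k, v) } }
  end
end
```

With the block rule, `can?(:read, Project)` is true for every normal user, so the index check passes; only the hash-condition form lets the collection itself be filtered.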