I really like the Rails authorization gem CanCan. However, I find myself having multiple conditions on certain privileges, and I'd like to be able to give different error messages to the user, depending on why he or she has been denied access.

Does CanCan have a mechanism for such behavior? I'm having trouble finding it. Would I have to fork it and add that behavior myself?

+1  A: 

I don't think you can do it with CanCan straight out of the box. It only really provides a way for saying whether a user can or cannot do something.

I wonder if you could use it in an atypical way though by defining multiple Ability subclasses to check permissions. The default implementation is to create an instance of Ability for the current user and interrogate that.

If you created a collection of Ability subclasses to reflect the different kinds of access you want to check you could then ask each in turn whether the user can or cannot do something. The first to refuse permission would then be used to generate your specific error message.

You'd only really have to create an overarching ability class to combine the collection of Ability subclasses and create that in the current_ability method that CanCan provides to return the ability for the current user. Then, by providing the same can? and cannot? methods on your class it will work in the same way as the normal abilities but you'd be able to extend it to provide a why? method which could identify which Ability subclass refused permission and generate a different error message as a result.

Actually, you'd have to provide a new implementation of authorize! too to make it return the error message you wanted.

Sorry, long answer which is basically - you'd have to do it yourself.

Shadwell
Well, then, it'll just be a super-exciting challenge. Or something that I just don't bother to do. Thanks :)
Matchu
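
The design described in the answer above, as an added example that is not part of the original answer and is not CanCan's own code. It uses plain-Ruby stand-ins for the Ability subclasses so it runs without the gem; the rule classes, DeniedWithReason, denial_message and ABILITY_CHAIN are hypothetical names.

```ruby
# Plain-Ruby stand-ins so this runs without Rails or the CanCan gem. In an app,
# each rule class would include CanCan::Ability and define its rules with `can`.
User = Struct.new(:name, :confirmed, :banned)
Post = Struct.new(:author)
class DeniedWithReason < StandardError; end # hypothetical; stands in for CanCan::AccessDenied

class Rule
  def initialize(user); @user = user; end
end

class NotBannedAbility < Rule
  def can?(_action, _subject); !@user.banned; end
  def denial_message; "Your account has been suspended."; end
end

class ConfirmedAbility < Rule
  def can?(action, _subject); action == :read || @user.confirmed; end
  def denial_message; "Confirm your e-mail address before making changes."; end
end

class OwnerAbility < Rule
  def can?(action, subject); action == :read || subject.author == @user.name; end
  def denial_message; "Only the author can change this post."; end
end

# Overarching ability: every rule must allow, and the first refusal names the reason.
class CompositeAbility
  def initialize(user, ability_classes)
    raise ArgumentError, "empty chain would allow everything" if ability_classes.empty?
    @abilities = ability_classes.map { |klass| klass.new(user) }
  end

  # Message of the first rule that refuses, or nil when all rules allow.
  def why?(action, subject)
    refusing = @abilities.find { |ability| !ability.can?(action, subject) }
    refusing&.denial_message
  end

  def can?(action, subject); why?(action, subject).nil?; end
  def cannot?(action, subject); !can?(action, subject); end

  def authorize!(action, subject)
    message = why?(action, subject)
    raise DeniedWithReason, message if message
    subject
  end
end

ABILITY_CHAIN = [NotBannedAbility, ConfirmedAbility, OwnerAbility].freeze
```

The order of ABILITY_CHAIN decides which message is reported when several rules refuse, and an empty chain is rejected so a misconfiguration cannot silently grant access.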