cancan

Should I skip authorization, with CanCan, of an action that instantiates a resource?

I am writing a web app to pick random lists of cards from larger, complete sets of cards. I have a Card model and a CardSet model. Both models have a full RESTful set of 7 actions (:index, :new, :show, etc). The CardSetsController has an extra action for creating random sets: :random. # app/models/card_set.rb class CardSet < ActiveRe...

One Account with many users authentication in rails

Which approach would you recommend for the following issue: My app needs to have an account with several users inputting tasks on the same account. Only one of the users (the one that opened the account) will have admin privileges. I'm thinking of using Authlogic for authentication and CanCan for determining user privileges. The point is...

Devise DoubleRenderError

Application stack: Rails 3, CanCan, Devise, Shoulda. I've got some nested resources and want to test them with Shoulda, and I get the following DoubleRenderError: Error: test: If anonymous user tries to GET index of fav_blogs should respond with 401. (BlogItemsControllerTest): AbstractController::DoubleRenderError: Render and/or redire...

Different set of Views for different user's roles

I am developing a Rails app and I have two different user roles: advanced and basic. Instead of hiding links in the basic user's views (i.e. using CanCan), I want to manage two different sets of views: one for the advanced user and one for the basic user. Currently I am working in this way: case current_operator.op_type when 'basic' ...

Some problems with CanCan

Hi everybody (sorry for my English ;). I started to use CanCan from rbates; it is an awesome gem, but I have some problems: I have a Scrap model and there is a boolean field :published (so it means published/not published (draft)). I have this rule in my ability.rb: can :create, [Scrap] can [:update, :destroy], [Scrap] do |object| obj...

Rails cancan authorizing custom controller actions

I have a Deals controller and I have an action called popular. I have added popular to the routes (as a collection, if it's worth the info) and I want everybody to be able to access that page. I'm using CanCan and I have this: class Ability include CanCan::Ability def initialize(user) user ||= User.new alias_action [:...

Access CanCan's `can?` method from a model

You can get the current_user's permissions from a view or controller using can? in this fashion: <% if can? :update, @article %> <%= link_to "Edit", edit_article_path(@article) %> <% end %> How can I access this functionality from a model using this syntax: user.can?(:update, @article) ...

Use CanCan to define permissions additively

My application has two roles: Editor and Admin. I want Editors to have some permissions, and Admins to have all Editor permissions plus some other permissions. Here is an excerpt from my ability.rb: class Ability include CanCan::Ability def initialize(user) if user.is_admin? can :edit, Post end if user.is_editor? ...

Validating with model associations the user's ability using CanCan

I have a TakeAction model that looks like this: class TakeAction < ActiveRecord::Base belongs_to :user has_many :take_action_notes attr_protected :user_id end and a TakeActionNote model that looks like this: class TakeActionNote < ActiveRecord::Base belongs_to :take_action validates_presence_of :note end Using CanCan, I...

What is current_ability in cancan's accessible_by (fetching records)?

The CanCan documentation shows how to fetch all accessible records (at http://wiki.github.com/ryanb/cancan/fetching-records) in this way: @articles = Article.accessible_by(current_ability) but what is current_ability? I've tried passing the current user which I'm using for authentication and authorization, but I've got this e...
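The three questions above ("Access CanCan's `can?` method from a model", "Use CanCan to define permissions additively" and the one about `current_ability`) all come down to how the Ability object evaluates its rules. The following is an added example, not code from any of the questions and not the CanCan gem itself: MiniAbility is a small stand-in that reproduces the CanCan rule semantics that matter here (rules are checked last-to-first and the last matching rule wins, :manage matches every action, :all matches every subject, the default :read/:create/:update aliases are expanded, and a block rule is evaluated against the instance but skipped for a class-level query). The User, Post, role names and the editor/admin rule set are hypothetical. In a real app the same Ability class is what CanCan's controller helper current_ability builds as Ability.new(current_user), and building it yourself that way is also how you get a can? check outside a controller or view.

```ruby
# Added example: a minimal stand-in for CanCan::Ability (not the gem's code),
# used to show how additive role definitions resolve. Names are hypothetical.
User = Struct.new(:id, :role) do
  def role?(name)
    role == name
  end

  def admin?
    role?(:admin)
  end

  # Admins are editors too: this is the "all editor permissions plus more" part.
  def editor?
    role?(:editor) || admin?
  end
end
Post = Struct.new(:id, :user_id, :published)

class MiniAbility
  # CanCan's default action aliases.
  ALIASES = {
    read:   [:index, :show],
    create: [:new, :create],
    update: [:edit, :update],
  }.freeze

  Rule = Struct.new(:base, :actions, :subjects, :block)

  def initialize
    @rules = []
  end

  def can(actions, subjects, &block)
    @rules << Rule.new(true, Array(actions), Array(subjects), block)
  end

  def cannot(actions, subjects, &block)
    @rules << Rule.new(false, Array(actions), Array(subjects), block)
  end

  # The last rule that matches action, subject and (for instances) the block
  # decides, exactly as CanCan walks its relevant rules in reverse.
  def can?(action, subject)
    rule = @rules.reverse.find { |r| matches?(r, action, subject) }
    rule ? rule.base : false
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end

  private

  def matches?(rule, action, subject)
    matches_action?(rule, action) &&
      matches_subject?(rule, subject) &&
      matches_conditions?(rule, subject)
  end

  def matches_action?(rule, action)
    rule.actions.any? do |a|
      a == :manage || a == action || ALIASES.fetch(a, []).include?(action)
    end
  end

  def matches_subject?(rule, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    rule.subjects.any? { |s| s == :all || s == klass }
  end

  # A block rule is only consulted for an instance; a class query
  # ("can the user update posts at all?") treats it as matching.
  def matches_conditions?(rule, subject)
    return true if rule.block.nil? || subject.is_a?(Class)
    !!rule.block.call(subject)
  end
end

# Additive definition: later rules refine earlier ones instead of replacing them.
class Ability < MiniAbility
  def initialize(user)
    user ||= User.new(nil, :guest)   # guest user, as in the usual CanCan idiom
    super()
    can :read, Post, &:published     # everyone may read published posts
    if user.editor?                  # editors and admins (see User#editor?)
      can :read, Post
      can :create, Post
      can :update, Post do |post|    # ownership check through post.user_id
        post.user_id == user.id
      end
    end
    can :manage, :all if user.admin? # admins get everything on top
    cannot :destroy, Post, &:published # ...except destroying a published post
  end
end

# Constructed sample data for the checks below.
ALICE     = User.new(1, :editor)
BOB       = User.new(2, :admin)
DRAFT     = Post.new(10, 1, false)   # Alice's unpublished draft
PUBLISHED = Post.new(11, 2, true)    # Bob's published post

def permissions_for(user, post)
  ability = Ability.new(user)
  {
    read:    ability.can?(:read, post),
    create:  ability.can?(:create, Post),
    update:  ability.can?(:update, post),
    destroy: ability.can?(:destroy, post),
  }
end
```

The ordering is the whole point: putting `cannot :destroy` last makes it apply to admins as well, whereas placing `can :manage, :all` last would silently override it. When you port the pattern to the real gem, keep the same order inside Ability#initialize.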

SQLite3 error when testing Cancan authorizations in Rails3 : no such table: abilities: DELETE FROM "abilities" WHERE 1=1

Hi, I'm having issues when running the default tests in Rails 3 beta4 with CanCan (http://github.com/ryanb/cancan). The tests are the plain vanilla auto-generated ones that look like test "the truth" do assert true end Every single test (both unit and functional) yields the following error: ActiveRecord::StatementInvalid: SQLite3::...

Rails - caching and permission based views

Hello, I use CanCan to check user permissions and display or suppress page content conditionally for my users. I want to cache my pages though, and even with fragment caching I can't find an elegant solution... for example: cache do # much code if can? # little code else # little code # much code if can? # little cod...

Collection_Select Default Value Not Set

I am having a strange issue with a collection_select I am using in an edit profile view in my Rails application. The database IS being updated with the correct value; however, the default value is not being selected for the select box when the user goes to edit their profile. I cannot get an :include_blank => true or a :prompt => true t...

Using blocks to define abilities in CanCan raises an exception

I am using Ryan Bates's CanCan gem to define abilities and some basic functionality is failing. I have a Product model and a Products controller where my index action looks like this: def index @req_host_w_port = request.host_with_port @products = Product.accessible_by(current_ability, :index) end I get an error when I try to ret...

devise+cancan not blocking access to index problem where @proj = Proj.all

Hello, I have an app that uses Devise and CanCan. In config/initializers/Ability.rb: class Ability include CanCan::Ability def initialize(user) if user.is? :superadmin can :manage, :all elsif user.is? :user can :read, Project do |project| project && project.users.include?(user) end ...

Rails 3, CanCan to limit all query results throughout the app based on User's InstanceID

Hello, I have two tables: Users (name, email, password, instance_id, etc...), example: james bond, [email protected], 1; and Instance (id, domain), example: 1, abc.com. Throughout the application I want to make sure James Bond only sees data that is assigned to his instance = 1. So if I have a books table with (name, desc, instance_id), he only ...

Rails: Cucumber forgetting CanCan Authorisations

Hi folks, I'm trying to write some Cucumber tests to ensure CanCan permissions are set correctly, and I'm having an odd problem: When I log in through the following code, Capybara says I've logged in as expected. However, when I then go to a resource which requires the given login, I get CanCan's "not authorized" message. Capybara p...

Roles that are User<>Project Based

Hello... Currently I'm using Devise & CanCan, which allows me to create Users with Roles using a (Roles_Users) table. That's nice, but what I want is to have Projects in my app, and for each project a user may have a role like (Admin, Viewer, etc.), i.e. roles are not assigned to users but to users based on what projects the...

Rails Authorization with CanCan Problem

On my Rails app I have implemented Authlogic and CanCan. However, when trying to figure out with CanCan whether the user can manage an article (checking if he is the owner through article.user_id), I am running into issues. This should be straightforward; I don't know what I'm doing wrong. User has_many Articles class Ability include CanCa...

What does this line of Ruby/Rails do?

Can you please walk me through the following line of Ruby/Rails? if user.role? :super_admin To fit my app, I updated it to: if user.role? :admin and that failed, but then I updated it to: if user.role? == 'admin' And it works as intended. Why is that? class Ability include CanCan::Ability def initialize(user) user |...