CanCan Authorization - YaleSTC/reservations GitHub Wiki

We're using the cancan gem for user authentication. For more in depth information not covered here, see the official CanCan documentation

###Testing User Permissions

In a view or controller test if the current user has a particular permission using either the CanCan function can? or cannot?

eg. if can? :create, User will return true if the current user is authorized to create users, and false otherwise.

You can also give these functions a specific instance of a resource : can? :create, @user will return true only if the current user has permissions to edit this specific @user.

These lines follow the basic format can?|cannot? :action, resource

###Defining User Permissions

User permissions are defined in app/models/ability.rb In it, CanCan automatically calls the current_user function defined in application_controller.rb to the user variable.

A line defining a user permission might look like this:

if user.role == 'admin'
can :manage, Reservation
end

The permission line follows a similar basic format can|cannot :action, resource

:action is typically a route method like :create :update or :destroy. Note that :read is an alias for both :show and :index and that :update is an alias for both :edit and :update. :manage is a catch-all term for any and all action you might wish to test for.

Note that rules written below other rules take precedence. For instance,

can :manage, User
cannot :destroy, User

allows all actions on the User resource except destroy.

You can append hashes to narrow down the scope of resources available. For instance can :create, User, :id=>user.id only permits creating a User with the current user's id.

###Adding authorization to a controller

To add authorization to a controller, add the line load_and_authorize_resource at the beginning of the controller. This will automatically protect all the methods in the resource controller; users will not be able to access those methods unless they are explicitly given permission via ability.rb

If the controller does not have a model associated with it, use `authorize_resource :class => false

###Arbitrary (Non-routed) permissions

Permissions that use routed actions will be automatically dealt with if you set it up as described above. You don't need to to test if the user can show reservations in the reservations controller show method as long as the controller has loaded and authorized the resource.

However, you can also define arbitrary actions such as can :change_login, User. These are not automatically handled by CanCan but you can test for them in views and controllers the same way (via can? :change_login, User)

You can even use an arbitrary symbol instead of a resource (eg, can :override, :reservation_restrictions)