Donnie’s Site
Donnie’s Site
AboutContact
CanCanCan - The authorization Gem for Rails
CanCanCan - The authorization Gem for Rails

CanCanCan - The authorization Gem for Rails

Tags
Ruby on Rails
Published
Published January 20, 2021
Author
 
CanCanCan is an authorization library for Ruby and Ruby on Rails which restricts what resources a given user is allowed to access.
All permissions can be defined in one or multiple ability files and not duplicated across controllers, views, and database queries, keeping your permissions logic in one place for easy maintenance and testing.
It consists of two main parts:
  1. Authorizations library that allows you to define the rules to access different objects, and provides helpers to check for those permissions.
  1. Rails helpers to simplify the code in Rails Controllers by performing the loading and checking of permissions of models automatically and reduce duplicated code.

Installation

Add this to your Gemfile:
gem 'cancancan'
and run the bundle install command.

Define Abilities

User permissions are defined in an Ability class.
rails g cancan:ability
Here follows an example of rules defined to read a Post model.
class Ability
  include CanCan::Ability

  def initialize(user)
    can :read, Post, public: true

    return unless user.present?  # additional permissions for logged in users (they can read their own posts)
    can :read, Post, user: user

    return unless user.admin?  # additional permissions for administrators
    can :read, Post
  end
end

Check Abilities

The current user's permissions can then be checked using the can? and cannot? methods in views and controllers.
<% if can? :read, @post %>
  <%= link_to "View", @post %>
<% end %>

Fetching records

One of the key features of CanCanCan, compared to other authorization libraries, is the possibility to retrieve all the objects that the user is authorized to access. The following:
@posts = Post.accessible_by(current_ability)
will use your rules to ensure that the user retrieves only a list of posts that can be read.

Controller helpers

The authorize! method in the controller will raise an exception if the user is not able to perform the given action.
def show
  @post = Post.find(params[:id])
  authorize! :read, @post
end
Setting this for every action can be tedious, therefore the load_and_authorize_resource method is provided to automatically authorize all actions in a RESTful style resource controller. It will use a before action to load the resource into an instance variable and authorize it for every action.
class PostsController < ApplicationController
  load_and_authorize_resource

  def show
    # @post is already loaded and authorized
  end

  def index
    # @posts is already loaded with all posts the user is authorized to read
  end
end
 
Copyright 2022 Donnie