I have a simple Ability.rb set up listed below:
    if user.role? :super_admin
      can :manage, :all
    elsif user.role? :registered
      can :review, [Card, Deck], :visible => true
    end
Where the alias :review => :index, :list, :show, :to. Both the Card and Deck tables have a boolean visible column. Currently every object in the tables has :visible => false. Therefore, I'm expecting that a user with the registered role will not be able to :review any of the objects, but this is not the case. Restrictions at the controller level work fine (edit and delete are not accessible), but I can't seem to restrict the viewing of resources using the hash of conditions. Any thoughts?
Edit: I have authorize_resource in the two controllers. Using Ruby 1.9.2, Rails 3.1, and CanCan 1.6.7. I’m using devise 1.4.9 for authentication. MySQL is the database.
Edit:
Well.. I figured out a way to restrict resources based on the conditions. Even though I had authorize_resource in all my controllers (and it worked for restricting access to the methods), I had to add authorize! to the methods that I wanted to restrict the resources to. For example, to restrict the show action for Decks with the condition of :visible => true, I had to add authorize! as such:
    def show
      @deck = Deck.find(params[:deck_id])
      # authorize against the loaded instance, so the :visible condition is checked
      authorize! :review, @deck
    end
To be honest, I am not satisfied with this solution, since I don’t see a reason why authorize_resource wouldn’t work. I would love to see an explanation.
Are you calling
in your controller just like that, or are you including a model to authorize?
I discovered that I can replicate your issue if I type something like:
I think the reason the latter doesn't work is that you are asking CanCan to authorize "Deck" arbitrarily, as opposed to authorizing a controller action, which is what you really want to do.
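As an added illustration (not the asker's or the answerer's code, and not CanCan's own implementation), here is a small Ruby model of the distinction the thread is about: a rule carrying a hash of conditions is compared attribute by attribute against a record instance, but when the check is made against the bare class there are no attribute values to compare, so the rule matches and the check passes. The class names ToyAbility, Deck, Card and User, and the sample records, are constructed for this example; the real gem's rule matching lives in CanCan itself.

```ruby
# Constructed illustration of CanCan-style condition matching (not CanCan's source).
Deck = Struct.new(:id, :visible)
Card = Struct.new(:id, :visible)
User = Struct.new(:role)

class ToyAbility
  Rule = Struct.new(:action, :subjects, :conditions)

  def initialize(user)
    @rules = []
    # :review stands for :index, :list and :show, as in the question.
    @aliases = { review: [:index, :list, :show] }
    if user.role == :super_admin
      can :manage, :all
    elsif user.role == :registered
      can :review, [Card, Deck], visible: true
    end
  end

  def can(action, subjects, conditions = {})
    @rules << Rule.new(action, Array(subjects), conditions)
  end

  # subject may be a class (Deck) or an instance (Deck.new(1, false)).
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule|
      next false unless action_matches?(rule.action, action)
      next false unless rule.subjects.include?(:all) || rule.subjects.include?(klass)
      # A bare class carries no attribute values, so there is nothing to test
      # the conditions hash against and the rule counts as a match. This is
      # the case a class-level authorization falls into.
      next true if subject.is_a?(Class)
      # An instance is checked attribute by attribute against the conditions.
      rule.conditions.all? { |attr, value| subject.public_send(attr) == value }
    end
  end

  private

  def action_matches?(rule_action, action)
    return true if rule_action == :manage
    rule_action == action || @aliases.fetch(rule_action, []).include?(action)
  end
end

# Constructed sample data: every record is hidden, as in the question.
def registered_ability
  ToyAbility.new(User.new(:registered))
end

def hidden_deck
  Deck.new(1, false)
end

def visible_deck
  Deck.new(2, true)
end

if __FILE__ == $PROGRAM_NAME
  a = registered_ability
  puts "class-level  show Deck        -> #{a.can?(:show, Deck)}"
  puts "instance     show hidden deck -> #{a.can?(:show, hidden_deck)}"
  puts "instance     show visible deck-> #{a.can?(:show, visible_deck)}"
end
```

Running the block prints true for the class-level check and false for the hidden record, which is the behaviour the question reports: a check that never sees a loaded record cannot apply :visible => true, so the check has to be made against the instance.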