Home/ Questions/Q 4101322
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T20:40:55+00:00

I’m relatively new to rails (3), and am building an application, using CanCan, where

  • 0

I’m relatively new to rails (3), and am building an application, using CanCan, where there are 3 tiers of users.

  • Guest – unregistered visitor User
  • registered and logged in visitor
  • Admin – registered and logged in
    visitor with admin flag

My ability is bog-stock right now, copied from cancan docs, basically defining the guest role and the admin role

class Ability

    include CanCan::Ability

    def initialize(user)
        user ||= User.new # Guest user

        if user.is_admin?
            can :manage, :all
        else
            can :read, [Asana,Image,User,Video,Sequence]
        end
    end

end

I’m looking to add in the user role. Since I’m creating that throwaway user model, I thought about using new_record? to determine if the user is logged in or not. Something like:

class Ability

    include CanCan::Ability

    def initialize(user)
        user ||= User.new # Guest user

        if !user.new_record? and user.is_admin?
            can :manage, :all
        elsif !user.new_record? and !user.is_admin?
            can {registered user-y permissions}
        else
            can :read, [Asana,Image,User,Video,Sequence]
        end
    end

end

But, it just doesn’t feel right. Seems kind of disassociated from, like, actual logged-in-ed-ness, and have concerns about whether its actually secure.

Looking for advice on a more elegant way to doing this.

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Good question, I use a lower to higher permissions approach:

    class Ability  
  include CanCan::Ability  

  def initialize(user)
    # Guest User 
    unless user 
      can :read, [Asana,Image,User,Video,Sequence]
    else
      # All registered users
      can {registered user-y permissions}
      # Admins 
      if user.is_admin?
        can :manage, :all
      end
    end 
  end  
end

    This way if tomorrow you have other roles to integrate you can do it adding a case statement like so:

    class Ability  
  include CanCan::Ability  

  def initialize(user)
    # Guest User 
    unless user 
      can :read, [Asana,Image,User,Video,Sequence]
    else
      # All registered users
      can {registered user-y permissions}
      # Different roles
      case user.role
      when 'admin'
        can :manage, :all
      when 'manager'
        can :manage, [Video, Image, Sequence]
      end
    end 
  end  
end
    • 0