Home/ Questions/Q 6113027
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T14:48:42+00:00

I’m using Devise and CanCan to create a backbone.js front-end and Rails 3.0.7 for

  • 0

I’m using Devise and CanCan to create a backbone.js front-end and Rails 3.0.7 for backend.

As soon as I add load_and_authorize_resource to my controller it no longer lets me perform an update and I get no response from the server. If I remove load_and_authorize_resource from my controller, everything works well.

Information from my console:

Started PUT "/pos/13" for 127.0.0.1 at Thu Jul 07 15:06:41 -0700 2011

Processing by PosController#update as JSON

Parameters: {"confirmed"=>nil, "paid"=>nil, "needed"=>Thu, 30 Jun 2011, "amount"=>16, "id"=>"13", "approved"=>1, "user_id"=>1, "vendor_id"=>5}

User Load (0.1ms) SELECT "users".* FROM "users" WHERE "users"."id" = 1 LIMIT 1

Po Load (0.1ms) SELECT "pos".* FROM "pos" WHERE "pos"."id" = 13 LIMIT 1

Role Load (0.1ms) SELECT "roles".* FROM "roles" INNER JOIN "roles_users" ON "roles".id = "roles_users".role_id WHERE "roles"."name" = ‘Admin’ AND ("roles_users".user_id = NULL ) LIMIT 1

The end of the last query: "roles_users".user_id = NULL is never going to return any results and will then not let me update the resource. What could I do to fix this?

Other information:

PosController#update looks like this:

def update
  @po = Po.find(params[:id])
  @po.update_attributes! params
  respond_with @po
end

I’m using roles to manage abilities. My ability.rb looks like:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.role? :admin
      can :manage, :all
    end
  end
end

User.rb contains:

def role?(role)
  return !!self.roles.find_by_name(role.to_s.camelize)
end

Roles are obtained from the UsersHaveAndBelongToManyRoles migration:

class UsersHaveAndBelongToManyRoles < ActiveRecord::Migration
  def self.up
    create_table :roles_users, :id => false do |t|
     t.references :role, :user
    end
  end

  def self.down
    drop_table :roles_users
  end
end

I currently only have one user, and have given this user the role admin. I’ve been able to double check this by using a conditional to not pass any @pos in PosController#index unless current_user.role? :admin.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This may be a problem with Devise losing authentication on AJAX requests, check out this issue for details.

    It looks like current_user that is passed to Ability is nil. Try removing load_and_authorize_resource and ensure that current_user is set correctly in the action.

    If that is not the problem, first make sure user.role? :admin is returning true for that user. Next, try Ability.new(user).can?(:update, Po.find(...)), see Debugging Abilities for details.

    What I don’t understand is why it returns an empty JSON response. CanCan never handles a response directly, it just raises an exception when authorization fails. Are you catching this with rescue_from in your ApplicationController? If so, try removing that to ensure Authorization is actually failing and nothing else is handling the JSON response.

    • 0