This works for an authorize! call:
can [:read,:update], brand
but CanCan::AccessDenied is thrown when the line in the Ability class is changed to:
can :update, brand
brand is not nil.
If I can :update something, shouldn’t I automatically be able to :read it?
I just want to know if this is by design, or if I am missing something somewhere.
This is by design. There are just a few default aliases defined:
So if someone has the ‘update’ right, then he has the ‘edit’ right. This is natural for Rails applications which follow REST style.
However you can define your own aliases very simply.
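The behaviour discussed in this thread, as an added example that is not part of the original posts and not CanCan's own code: a simplified stand-alone Ruby model of alias expansion, assuming the gem's default aliases (read covers index and show, create covers new, update covers edit). `MiniAbility`, `allowed_actions` and the `:brand` subject symbol are hypothetical names, and subjects are matched by plain equality.

```ruby
# Simplified stand-alone model of CanCan-style action aliases (not the gem's code).
class MiniAbility
  # Assumed defaults: the key is the granted action, the value is what it also covers.
  DEFAULT_ALIASES = {
    read:   %i[index show],
    create: %i[new],
    update: %i[edit]
  }.freeze

  def initialize
    @aliases = DEFAULT_ALIASES.transform_values(&:dup)
    @rules = [] # each rule: [granted_actions, subject]
  end

  # Same shape as CanCan's `alias_action :read, :update, :to => :some_name`.
  def alias_action(*actions, to:)
    (@aliases[to] ||= []).concat(actions)
  end

  # Same shape as `can :update, brand` or `can [:read, :update], brand`.
  def can(actions, subject)
    @rules << [Array(actions), subject]
  end

  def can?(action, subject)
    @rules.any? { |granted, s| s == subject && expand(granted).include?(action) }
  end

  private

  # A granted action covers itself plus everything aliased to it (cycle-safe).
  def expand(actions, seen = [])
    actions.flat_map do |a|
      next [] if seen.include?(a)
      seen << a
      [a] + expand(@aliases.fetch(a, []), seen)
    end
  end
end

# Audit helper: which of the probed actions does a rule set allow on a subject?
def allowed_actions(ability, subject, probe = %i[index show read new create edit update destroy])
  probe.select { |a| ability.can?(a, subject) }
end

ability = MiniAbility.new
ability.can(:update, :brand) # :brand is a constructed stand-in for the brand record
p allowed_actions(ability, :brand)
p ability.can?(:read, :brand)
```

Listing the allowed actions per role this way makes it visible that a grant of :update alone leaves :read, :show and :index denied, so read access has to be granted explicitly or through a custom alias.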