Module: CanCan::Ability
- Included in:
- Ability
- Defined in:
- lib/cancan/ability.rb,
lib/cancan/ability/rules.rb,
lib/cancan/ability/actions.rb
Overview
This module is designed to be included into an Ability class. This will provide the “can” methods for defining and checking abilities.
class Ability
include CanCan::Ability
def initialize(user)
if user.admin?
can :manage, :all
else
can :read, :all
end
end
end
Defined Under Namespace
Instance Method Summary collapse
- #attributes_for(action, subject) ⇒ Object
-
#authorize!(action, subject, *args) ⇒ Object
See ControllerAdditions#authorize! for documentation.
-
#can(action = nil, subject = nil, conditions = nil, &block) ⇒ Object
Defines which abilities are allowed using two arguments.
-
#can?(action, subject, *extra_args) ⇒ Boolean
Check if the user has permission to perform a given action on an object.
-
#cannot(action = nil, subject = nil, conditions = nil, &block) ⇒ Object
Defines an ability which cannot be done.
-
#cannot?(*args) ⇒ Boolean
Convenience method which works the same as “can?” but returns the opposite value.
- #extract_rule_in_permissions(permissions_list, rule) ⇒ Object
- #has_block?(action, subject) ⇒ Boolean
- #has_raw_sql?(action, subject) ⇒ Boolean
-
#merge(ability) ⇒ Object
Copies all rules of the given
CanCan::Ability
and adds them toself
. - #model_adapter(model_class, action) ⇒ Object
-
#permissions ⇒ Object
Return a hash of permissions for the user in the format of: { can: can_hash, cannot: cannot_hash }.
- #unauthorized_message(action, subject) ⇒ Object
-
#validate_target(target) ⇒ Object
User shouldn’t specify targets with names of real actions or it will cause Seg fault.
Methods included from Actions
#alias_action, #aliased_actions, #clear_aliased_actions
Instance Method Details
#attributes_for(action, subject) ⇒ Object
189 190 191 192 193 194 195 |
# File 'lib/cancan/ability.rb', line 189 def attributes_for(action, subject) attributes = {} relevant_rules(action, subject).map do |rule| attributes.merge!(rule.attributes_from_conditions) if rule.base_behavior end attributes end |
#authorize!(action, subject, *args) ⇒ Object
See ControllerAdditions#authorize! for documentation.
169 170 171 172 173 174 175 176 177 178 179 |
# File 'lib/cancan/ability.rb', line 169 def (action, subject, *args) = nil if args.last.is_a?(Hash) && args.last.key?(:message) = args.pop[:message] end if cannot?(action, subject, *args) ||= (action, subject) raise AccessDenied.new(, action, subject, args) end subject end |
#can(action = nil, subject = nil, conditions = nil, &block) ⇒ Object
Defines which abilities are allowed using two arguments. The first one is the action you’re setting the permission for, the second one is the class of object you’re setting it on.
can :update, Article
You can pass an array for either of these parameters to match any one. Here the user has the ability to update or destroy both articles and comments.
can [:update, :destroy], [Article, Comment]
You can pass :all to match any object and :manage to match any action. Here are some examples.
can :manage, :all
can :update, :all
can :manage, Project
You can pass a hash of conditions as the third argument. Here the user can only see active projects which he owns.
can :read, Project, :active => true, :user_id => user.id
See ActiveRecordAdditions#accessible_by for how to use this in database queries. These conditions are also used for initial attributes when building a record in ControllerAdditions#load_resource.
If the conditions hash does not give you enough control over defining abilities, you can use a block along with any Ruby code you want.
can :update, Project do |project|
project.groups.include?(user.group)
end
If the block returns true then the user has that :update ability for that project, otherwise he will be denied access. The downside to using a block is that it cannot be used to generate conditions for database queries.
You can pass custom objects into this “can” method, this is usually done with a symbol and is useful if a class isn’t available to define permissions on.
can :read, :stats
can? :read, :stats # => true
IMPORTANT: Neither a hash of conditions nor a block will be used when checking permission on a class.
can :update, Project, :priority => 3
can? :update, Project # => true
If you pass no arguments to can
, the action, class, and object will be passed to the block and the block will always be executed. This allows you to override the full behavior if the permissions are defined in an external source such as the database.
can do |action, object_class, object|
# check the database and return true/false
end
137 138 139 |
# File 'lib/cancan/ability.rb', line 137 def can(action = nil, subject = nil, conditions = nil, &block) add_rule(Rule.new(true, action, subject, conditions, block)) end |
#can?(action, subject, *extra_args) ⇒ Boolean
Check if the user has permission to perform a given action on an object.
can? :destroy, @project
You can also pass the class instead of an instance (if you don’t have one handy).
can? :create, Project
Nested resources can be passed through a hash, this way conditions which are dependent upon the association will work when using a class.
can? :create, @category => Project
You can also pass multiple objects to check. You only need to pass a hash following the pattern { :any => [many subjects] }. The behaviour is check if there is a permission on any of the given objects.
can? :create, {:any => [Project, Rule]}
Any additional arguments will be passed into the “can” block definition. This can be used to pass more information about the user’s request for example.
can? :create, Project, request.remote_ip
can :create, Project do |project, remote_ip|
# ...
end
Not only can you use the can? method in the controller and view (see ControllerAdditions), but you can also call it directly on an ability instance.
ability.can? :destroy, @project
This makes testing a user’s abilities very easy.
def test "user can only destroy projects which he owns"
user = User.new
ability = Ability.new(user)
assert ability.can?(:destroy, Project.new(:user => user))
assert ability.cannot?(:destroy, Project.new)
end
Also see the RSpec Matchers to aid in testing.
67 68 69 70 71 72 73 74 |
# File 'lib/cancan/ability.rb', line 67 def can?(action, subject, *extra_args) match = extract_subjects(subject).lazy.map do |a_subject| relevant_rules_for_match(action, a_subject).detect do |rule| rule.matches_conditions?(action, a_subject, extra_args) end end.reject(&:nil?).first match ? match.base_behavior : false end |
#cannot(action = nil, subject = nil, conditions = nil, &block) ⇒ Object
Defines an ability which cannot be done. Accepts the same arguments as “can”.
can :read, :all
cannot :read, Comment
A block can be passed just like “can”, however if the logic is complex it is recommended to use the “can” method.
cannot :read, Product do |product|
product.invisible?
end
153 154 155 |
# File 'lib/cancan/ability.rb', line 153 def cannot(action = nil, subject = nil, conditions = nil, &block) add_rule(Rule.new(false, action, subject, conditions, block)) end |
#cannot?(*args) ⇒ Boolean
Convenience method which works the same as “can?” but returns the opposite value.
cannot? :destroy, @project
80 81 82 |
# File 'lib/cancan/ability.rb', line 80 def cannot?(*args) !can?(*args) end |
#extract_rule_in_permissions(permissions_list, rule) ⇒ Object
250 251 252 253 254 255 256 |
# File 'lib/cancan/ability.rb', line 250 def (, rule) (rule.actions).each do |action| container = rule.base_behavior ? :can : :cannot [container][action] ||= [] [container][action] += rule.subjects.map(&:to_s) end end |
#has_block?(action, subject) ⇒ Boolean
197 198 199 |
# File 'lib/cancan/ability.rb', line 197 def has_block?(action, subject) relevant_rules(action, subject).any?(&:only_block?) end |
#has_raw_sql?(action, subject) ⇒ Boolean
201 202 203 |
# File 'lib/cancan/ability.rb', line 201 def has_raw_sql?(action, subject) relevant_rules(action, subject).any?(&:only_raw_sql?) end |
#merge(ability) ⇒ Object
Copies all rules of the given CanCan::Ability
and adds them to self
.
class ReadAbility
include CanCan::Ability
def initialize
can :read, User
end
end
class WritingAbility
include CanCan::Ability
def initialize
can :edit, User
end
end
read_ability = ReadAbility.new
read_ability.can? :edit, User.new #=> false
read_ability.merge(WritingAbility.new)
read_ability.can? :edit, User.new #=> true
227 228 229 230 231 232 |
# File 'lib/cancan/ability.rb', line 227 def merge(ability) ability.rules.each do |rule| add_rule(rule.dup) end self end |
#model_adapter(model_class, action) ⇒ Object
163 164 165 166 |
# File 'lib/cancan/ability.rb', line 163 def model_adapter(model_class, action) adapter_class = ModelAdapters::AbstractAdapter.adapter_class(model_class) adapter_class.new(model_class, relevant_rules_for_query(action, model_class)) end |
#permissions ⇒ Object
Return a hash of permissions for the user in the format of:
{
can: can_hash,
cannot: cannot_hash
}
Where can_hash and cannot_hash are formatted thusly:
{
action: array_of_objects
}
244 245 246 247 248 |
# File 'lib/cancan/ability.rb', line 244 def = { can: {}, cannot: {} } rules.each { |rule| (, rule) } end |
#unauthorized_message(action, subject) ⇒ Object
181 182 183 184 185 186 187 |
# File 'lib/cancan/ability.rb', line 181 def (action, subject) keys = (action, subject) variables = { action: action.to_s } variables[:subject] = (subject.class == Class ? subject : subject.class).to_s.underscore.humanize.downcase = I18n.translate(keys.shift, variables.merge(scope: :unauthorized, default: keys + [''])) .blank? ? nil : end |
#validate_target(target) ⇒ Object
User shouldn’t specify targets with names of real actions or it will cause Seg fault
158 159 160 161 |
# File 'lib/cancan/ability.rb', line 158 def validate_target(target) = "You can't specify target (#{target}) as alias because it is real action name" raise Error, if aliased_actions.values.flatten.include? target end |