module CanCan::ControllerAdditions

This module is automatically included into all controllers. It also makes the “can?” and “cannot?” methods available to all views.

Public Class Methods

included(base)
# File lib/cancan/controller_additions.rb, line 124
def self.included(base)
  base.extend ClassMethods
  base.helper_method :can?, :cannot?
end

Public Instance Methods

authorize!(action, subject, *args)

Raises a CanCan::AccessDenied exception if the #current_ability cannot perform the given action. This is usually called in a controller action or before filter to perform the authorization.

def show
  @article = Article.find(params[:id])
  authorize! :read, @article
end

A :message option can be passed to specify a different message.

authorize! :read, @article, :message => "Not authorized to read #{@article.name}"

You can rescue from the exception in the controller to customize how unauthorized access is displayed to the user.

class ApplicationController < ActionController::Base
  rescue_from CanCan::AccessDenied do |exception|
    flash[:error] = exception.message
    redirect_to root_url
  end
end

See the CanCan::AccessDenied exception for more details on working with the exception.

See the load_and_authorize_resource method to automatically add the authorize! behavior to the default RESTful actions.

# File lib/cancan/controller_additions.rb, line 156
def authorize!(action, subject, *args)
  message = nil
  if args.last.kind_of?(Hash) && args.last.has_key?(:message)
    message = args.pop[:message]
  end
  raise AccessDenied.new(message, action, subject) if cannot?(action, subject, *args)
end

can?(*args)

Use in the controller or view to check the user's permission for a given action and object.

can? :destroy, @project

You can also pass the class instead of an instance (if you don't have one handy).

<% if can? :create, Project %>
  <%= link_to "New Project", new_project_path %>
<% end %>

This simply calls “can?” on the current_ability. See CanCan::Ability#can?.

# File lib/cancan/controller_additions.rb, line 195
def can?(*args)
  current_ability.can?(*args)
end

cannot?(*args)

Convenience method which works the same as “can?” but returns the opposite value.

cannot? :destroy, @project

# File lib/cancan/controller_additions.rb, line 203
def cannot?(*args)
  current_ability.cannot?(*args)
end

current_ability()

Creates and returns the current user's ability and caches it. If you want to override how the Ability is defined, this is the place: define the method in the controller to change the behavior.

def current_ability
  # instead of Ability.new(current_user)
  @current_ability ||= UserAbility.new(current_account)
end

Notice it is important to cache the ability object so it is not recreated on every call.

# File lib/cancan/controller_additions.rb, line 179
def current_ability
  @current_ability ||= ::Ability.new(current_user)
end
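The authorize!, can?/cannot? and current_ability behaviour described above, as an added, self-contained example that is not part of the CanCan gem: a small stand-in module with the same semantics, a constructed Ability (anyone may read a published Article, only its owner may update it), and a controller that handles the denial the way the rescue_from example does. Article, User, the rules and the controller are assumptions made for illustration.

```ruby
# Added stand-in for CanCan's authorize!/can?/current_ability flow (runs without the gem);
# Article, User and the Ability rules below are constructed for illustration.
Article = Struct.new(:id, :owner_id, :published)
User    = Struct.new(:id)
class AccessDenied < StandardError
  attr_reader :action, :subject
  def initialize(message = nil, action = nil, subject = nil)
    @action, @subject = action, subject
    super(message || "You are not authorized to access this page.")
  end
end
# Constructed rules: anyone may read a published article; only its owner may update it.
class Ability
  def initialize(user); @user = user; end
  def can?(action, subject, *)
    case action
    when :read   then subject.published || subject.owner_id == @user.id
    when :update then subject.owner_id == @user.id
    else false   # actions with no rule are denied (fail closed)
    end
  end
  def cannot?(*args); !can?(*args); end
end

# Same semantics as the ControllerAdditions methods documented on this page.
module ControllerAdditions
  def current_ability; @current_ability ||= Ability.new(current_user); end  # cached per instance
  def can?(*args);     current_ability.can?(*args);    end
  def cannot?(*args);  current_ability.cannot?(*args); end
  def authorize!(action, subject, *args)
    message = args.last.is_a?(Hash) && args.last.key?(:message) ? args.pop[:message] : nil
    raise AccessDenied.new(message, action, subject) if cannot?(action, subject, *args)
  end
end

class ArticlesController
  include ControllerAdditions
  attr_reader :current_user, :flash, :redirected_to
  def initialize(user, articles); @current_user, @articles, @flash = user, articles, {}; end
  # Mirrors the rescue_from example above: a denial becomes a flash message plus redirect.
  def update(id)
    article = @articles.fetch(id)
    authorize! :update, article, message: "Not authorized to edit article #{article.id}"
    :updated
  rescue AccessDenied => e
    @flash[:error] = e.message
    @redirected_to = "/"
    :redirected
  end
end
```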

unauthorized!(message = nil)
# File lib/cancan/controller_additions.rb, line 164
def unauthorized!(message = nil)
  raise ImplementationRemoved, "The unauthorized! method has been removed from CanCan, use authorize! instead."
end