Learn about the Cancancan gem in Rails

Tram Ho

1. What is the cancancan gem?

  • CanCanCan is an authorization library for Ruby and Ruby on Rails: it restricts which resources a given user is allowed to access.
  • All permissions are defined in one or more Ability classes, so the rules are not duplicated across controllers, views, and database queries.
  • This keeps the authorization logic easy to maintain and test.

2. Main functions

It has two main parts:

  • The authorization library, which lets you define rules for accessing different objects and provides helpers to check those permissions.
  • Rails helpers that simplify controller code by automatically loading the models and checking permissions on them, which removes duplicated code.

3. Installation

Add the cancancan gem to your Gemfile, then run bundle install.

4. Definition of Abilities

User permissions are specified in the Ability class.

Create the Ability class in app/models/ability.rb with the gem's generator (rails g cancan:ability):

Example rules for reading a Post model:

Find out more about Defining Abilities .

5. Can? and cannot?

  • The two methods can? and cannot? check the current user's permissions. Use them in views and controllers. For example:

Learn more about checking abilities .

6. Fetching records

  • CanCanCan can also fetch every record the user is allowed to access (accessible_by).

-> It applies your rules in the query, so the user retrieves only the posts that are readable to them. Note that only rules defined with hash conditions can be turned into a query; a rule defined with a block has no SQL form, and accessible_by raises CanCan::Error for it unless you also supply an SQL condition.

Learn more about Fetching records .
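The following block is an added example for sections 4, 5 and 6 together, not code from the original article or from the gem. The CanCan module at the top is a pared-down stand-in for the parts of CanCan::Ability used here (rule precedence, default action aliases, hash and block conditions, and an accessible_by that refuses block rules), so the file runs without the gem installed; with the real gem you would delete that module and require 'cancan' instead. The Ability class itself uses only the real DSL (can, cannot, can?, cannot?). User, Post, the sample users and posts, and readable_ids are constructed for the example.

```ruby
# Added example, not the page's or the gem's code: a stand-in for the parts of
# CanCan::Ability used below so the file runs without the gem installed.
module CanCan
  class Error < StandardError; end
  Rule = Struct.new(:base_behavior, :actions, :subjects, :conditions, :block)
  # Default action aliases: `can :read` also grants :index and :show.
  ALIASES = { read: %i[index show], create: %i[new], update: %i[edit] }.freeze

  module Ability
    def can(action, subject, conditions = nil, &block)
      add_rule(true, action, subject, conditions, block)
    end

    def cannot(action, subject, conditions = nil, &block)
      add_rule(false, action, subject, conditions, block)
    end

    # Later rules win: scan from the last-defined rule and return the base
    # behaviour of the first relevant rule whose conditions hold.
    def can?(action, subject)
      rule = rules.reverse.find { |r| relevant?(r, action, subject) && conditions_hold?(r, subject) }
      rule ? rule.base_behavior : false
    end

    def cannot?(action, subject)
      !can?(action, subject)
    end

    # Stand-in for Model.accessible_by(ability, action). The gem compiles hash
    # conditions into a WHERE clause; a block rule has no SQL form, so it raises.
    def accessible_by(action, records, klass)
      if rules.any? { |r| relevant?(r, action, klass) && r.block }
        raise Error, "accessible_by cannot be used with a block 'can' definition (#{action} #{klass})"
      end
      records.select { |rec| can?(action, rec) }
    end

    private
    def rules
      @rules ||= []
    end
    def add_rule(base, action, subject, conditions, block)
      actions = Array(action).flat_map { |a| [a, *ALIASES[a]] }
      rules << Rule.new(base, actions, Array(subject), conditions, block)
    end
    def relevant?(rule, action, subject)
      klass = subject.is_a?(Class) ? subject : subject.class
      (rule.actions.include?(:manage) || rule.actions.include?(action)) &&
        (rule.subjects.include?(:all) || rule.subjects.any? { |s| s.is_a?(Module) && klass <= s })
    end
    def conditions_hold?(rule, subject)
      unconditional = rule.conditions.nil? && rule.block.nil?
      # A class-level check (can? :read, Post) ignores conditions, so a
      # conditional `cannot` never denies it; check the instance for that.
      return unconditional || rule.base_behavior if subject.is_a?(Class)
      return true if unconditional
      return rule.block.call(subject) if rule.block
      rule.conditions.all? { |attr, value| subject.public_send(attr) == value }
    end
  end
end

# Constructed stand-ins for the app's models; no ActiveRecord needed.
User = Struct.new(:id, :admin, keyword_init: true)
Post = Struct.new(:id, :user_id, :published, :locked, keyword_init: true)

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new(id: nil, admin: false) # guest (not logged in)
    can :read, Post, published: true         # anyone may read published posts
    return unless user.id
    if user.admin
      can :manage, :all                      # every action on every subject
    else
      can :read, Post, user_id: user.id      # authors also see their own drafts
      can :create, Post
      can %i[update destroy], Post, user_id: user.id
    end
    cannot :destroy, Post, locked: true      # a later cannot overrides even :manage
  end
end

# Constructed sample data.
ALICE = User.new(id: 1, admin: false)
ADMIN = User.new(id: 9, admin: true)
POSTS = [
  Post.new(id: 1, user_id: 1, published: true,  locked: false),
  Post.new(id: 2, user_id: 1, published: false, locked: false), # Alice's draft
  Post.new(id: 3, user_id: 2, published: false, locked: true)   # another author's locked draft
].freeze

# Section 6: the post ids a user may read, as Post.accessible_by(current_ability) would return.
def readable_ids(user)
  Ability.new(user).accessible_by(:read, POSTS, Post).map(&:id)
end
```

Two behaviours worth noticing: a class-level check such as can?(:destroy, Post) is true for the admin even though locked posts are protected, because conditions are only evaluated against an instance, so authorize the actual record whenever one is available; and the guest path works because the Ability constructor substitutes an empty user rather than receiving nil, which is the same pattern the gem's documentation uses.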

7. Controller helpers

7.1 Authorizations

  • CanCanCan adds an authorize! method to Rails controllers. It raises an exception if the current user cannot perform the specified action on the given resource.
  • For example:

7.2 Loaders

  • The load_and_authorize_resource method automatically loads and authorizes the resource for every action of a RESTful resource controller (it can also be configured for custom, non-RESTful actions).
  • For example:

Learn more about Authorizing Controller Actions .

7.3 Strong parameters

  • You must sanitize the input before saving a record, in actions such as :create and :update.
  • For the :update action, CanCanCan loads and authorizes the resource but does not apply the changes itself, so the usual pattern is to update the record with your own permitted params. Note that the authorization runs against the record as loaded from the database; the attributes arriving in params are not checked against the ability's conditions, so anything like user_id must be excluded by the permit list or re-checked after assignment.

  • For the :create action, CanCanCan builds the new instance from sanitized input by looking for the following methods on your controller (in this order):
  1. create_params
  2. <model name>_params (Rails' default naming convention for the params method).
  3. resource_params (a generic name that can be used in every controller).

If you want to use a different sanitizing method, pass the optional param_method option to load_and_authorize_resource.

  • param_method can also be a String, which is evaluated in the controller's context with instance_eval and must therefore contain valid Ruby code.

  • Finally, param_method can be a Proc, which is called with the controller as its single argument.
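The block below is an added example for the strong-parameters lookup, not code from the original article or from the gem. It models in plain Ruby how load_and_authorize_resource chooses the sanitizing method for :create, in the order described above, and the three forms the param_method option can take (Symbol, String evaluated with instance_eval, Proc called with the controller). FakeController, CurrentUser, the hand-rolled permit helper, REQUEST and sanitized_for_create are constructed stand-ins for a Rails controller and ActionController::Parameters so that the file runs outside Rails.

```ruby
# Added example, not the page's or the gem's code: a plain-Ruby model of how
# load_and_authorize_resource picks the strong-parameters method for :create.
CurrentUser = Struct.new(:id)

class FakeController
  attr_reader :params, :current_user

  def initialize(params, current_user)
    @params = params
    @current_user = current_user
  end

  # Rails' default convention, <model name>_params. Only title and body are
  # whitelisted, so a mass-assigned user_id or published flag is dropped.
  def post_params
    permit(params.fetch(:post, {}), :title, :body)
  end

  # Alternative sanitizer, selected with the param_method: option below.
  def guest_post_params
    permit(params.fetch(:post, {}), :title)
  end

  private

  # Stand-in for ActionController::Parameters#permit on a plain Hash.
  def permit(raw, *allowed)
    raw.select { |key, _| allowed.include?(key.to_sym) }.transform_keys(&:to_sym)
  end
end

# Mirrors the lookup order: an explicit param_method: comes first, then
# <action>_params, <model>_params and resource_params; the first method the
# controller responds to (private ones included) wins. A String is
# instance_eval'd in the controller; a Proc is called with the controller.
def resolve_resource_params(controller, action:, model_name:, param_method: nil)
  candidates = [:"#{action}_params", :"#{model_name}_params", :resource_params]
  candidates.unshift(param_method) if param_method
  chosen = candidates.find do |m|
    (m.is_a?(Symbol) && controller.respond_to?(m, true)) || m.is_a?(String) || m.is_a?(Proc)
  end
  case chosen
  when Symbol then controller.send(chosen)
  when String then controller.instance_eval(chosen) # a literal from the controller file, never request data
  when Proc   then chosen.call(controller)
  end
end

# Constructed request: the client tries to smuggle user_id and published in.
REQUEST = { post: { 'title' => 'Hello', 'body' => 'text', 'user_id' => 42, 'published' => true } }.freeze

# Returns the attributes the :create action would hand to Post.new.
def sanitized_for_create(param_method = nil)
  controller = FakeController.new(REQUEST, CurrentUser.new(7))
  resolve_resource_params(controller, action: :create, model_name: :post, param_method: param_method)
end

if __FILE__ == $PROGRAM_NAME
  p sanitized_for_create
  p sanitized_for_create(:guest_post_params)
  p sanitized_for_create('post_params.merge(user_id: current_user.id)')
  p sanitized_for_create(->(c) { c.post_params.merge(user_id: c.current_user.id) })
end
```

The String and Proc forms are the usual way to stamp server-controlled attributes such as the owner id onto a new record: the value comes from current_user, not from the request, while user_id sent by the client is dropped by the permit list.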

Learn more about strong parameters .

8. Handling unauthorized access

  • If authorization fails, a CanCan::AccessDenied exception is raised. You can rescue it in the controller (typically with rescue_from) and change the behaviour, for example by redirecting to the root path with a flash message, as in the following example. Keep the message generic: the exception carries the denied action and subject, which the client does not need to see.

9. Lock it down

  • To make sure authorization happens in every action of your app, add check_authorization to ApplicationController.

It raises CanCan::AuthorizationNotPerformed for any action that did not call authorize! (or load_and_authorize_resource). The check is installed as an after_action, so it fires after the action body has already run; treat it as a safety net that surfaces missing authorization during development and testing, not as a guard that blocks the request. To bypass the check in a particular controller, call skip_authorization_check in that controller.
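The block below is an added example for sections 7.1, 8 and 9 together, not code from the original article or from the gem. It models a minimal controller pipeline outside Rails: authorize! raising CanCan::AccessDenied, a handler doing what a rescue_from block would, and check_authorization / skip_authorization_check implemented as the after-action hook the gem installs. BaseController, dispatch, run, SIDE_EFFECTS and the permissions hash (a stand-in for an Ability) are constructed for the example; the CanCan exception classes are redefined here only so the file runs without the gem.

```ruby
# Added example, not the page's or the gem's code: authorize!, AccessDenied
# handling and check_authorization modelled without Rails.
module CanCan
  class AccessDenied < StandardError
    attr_reader :action, :subject
    def initialize(message = nil, action = nil, subject = nil)
      @action = action
      @subject = subject
      super(message || 'You are not authorized to access this page.')
    end
  end
  class AuthorizationNotPerformed < StandardError; end
end

SIDE_EFFECTS = [] # records what each action body did, to show ordering

class BaseController
  class << self
    def check_authorization;      @authorization_check = :required; end
    def skip_authorization_check; @authorization_check = :skipped;  end

    # Inherit the setting from the parent controller, as Rails callbacks do.
    def authorization_check
      @authorization_check ||
        (superclass.respond_to?(:authorization_check) ? superclass.authorization_check : nil)
    end
  end

  # permissions: { action => [subjects] }, a constructed stand-in for can?
  def initialize(permissions)
    @permissions = permissions
    @response = nil
  end

  # Section 7.1: raise unless the current user may perform action on subject.
  def authorize!(action, subject)
    raise CanCan::AccessDenied.new(nil, action, subject) unless @permissions.fetch(action, []).include?(subject)
    @_authorized = true
  end

  # Runs the action, then the after_action that check_authorization installs,
  # and handles AccessDenied the way a rescue_from block would (section 8).
  def dispatch(action)
    public_send(action)
    if self.class.authorization_check == :required && !@_authorized
      raise CanCan::AuthorizationNotPerformed,
            "#{self.class}##{action} did not authorize a resource; add skip_authorization_check to bypass"
    end
    @response
  rescue CanCan::AccessDenied => e
    # Redirect with a generic message; do not echo the denied action/subject.
    { status: 302, redirect_to: '/', alert: e.message }
  end
end

class ApplicationController < BaseController
  check_authorization # section 9: every action must authorize something
end

class PostsController < ApplicationController
  def show
    authorize! :read, :post
    @response = { status: 200, body: 'post' }
  end

  def destroy # forgot authorize!: the body still runs before the check fires
    SIDE_EFFECTS << :post_deleted
    @response = { status: 200, body: 'deleted' }
  end
end

class HealthController < ApplicationController
  skip_authorization_check # deliberately public endpoint
  def ping
    @response = { status: 200, body: 'ok' }
  end
end

# Drives one request; AuthorizationNotPerformed would surface as a 500 in Rails.
def run(controller_class, action, permissions = {})
  controller_class.new(permissions).dispatch(action)
rescue CanCan::AuthorizationNotPerformed => e
  { status: 500, error: e.class.name }
end
```

Running PostsController#destroy without an authorize! call produces the AuthorizationNotPerformed error, but SIDE_EFFECTS shows the deletion already happened by then, which is why check_authorization is a net for catching omissions rather than a substitute for authorizing inside the action.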

Find out more about Ensure Authorizations .

Thank you for reading. Article source: the CanCanCan wiki .


Source : Viblo