Some options of CanCanCan

Tram Ho


Installing the CanCanCan gem is as simple as any other gem: add it to the Gemfile and run bundle.

  • gem 'cancancan'
  • bundle install

Basic usage

Assume the project already has its basic components in place and that each user has a role.

  • User permissions are defined in the Ability class (app/models/ability.rb).
  • To generate this file, run: rails g cancan:ability
  • In this file, the can method grants the user access to a resource and cannot denies it.

  • In a view or a controller, permissions are checked with can? or cannot?.

  • To get the list of records a user may access, use the accessible_by scope (for example Order.accessible_by(current_ability)); it builds the query from the conditions in the Ability rules.

  • However, for CanCanCan to protect anything, the permissions must actually be checked for each controller action. To do so, add authorize! to every action in every controller. Example in orders_controller.rb:

Doing that by hand is laborious, so CanCanCan provides load_and_authorize_resource, a before_action that loads the resource and authorizes every RESTful action of the controller for us.

  • So what happens if the user does not have access to the resource?
  • A CanCan::AccessDenied exception is raised, and we handle it in ApplicationController with rescue_from CanCan::AccessDenied, typically by redirecting with a flash message.

With that the users are authorized; what follows are some ways to handle authorization in special cases.

Some options

1. Some ways of defining user rights

  • Besides the RESTful actions, permissions can be defined for custom actions as well.

    In Ability.rb there are:

Update role in user_controller:

  • Alternatively, alias_action creates an action alias that combines several actions into one, so a single can rule covers all of them.

  • Conditions can be attached when granting a permission, either as a hash of attribute values or as a block that receives the record.
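The basic usage described earlier and the custom actions, aliases and conditions of this section, as an added example that is neither the article's code nor CanCanCan's: a small stand-in class, MiniAbility, that reproduces the rule semantics of CanCan::Ability (can/cannot, :manage and :all, alias_action, hash and block conditions, newest matching rule wins, authorize!, an in-memory accessible_by). Order, User, AccessDenied and the sample data are constructed for the example.

```ruby
# Added example (not CanCanCan's code): a small stand-in for CanCan::Ability
# that reproduces the rule semantics described above. Order, User and
# AccessDenied (standing in for CanCan::AccessDenied) are constructed here.
Order = Struct.new(:id, :user_id, :status)
User  = Struct.new(:id, :role)
class AccessDenied < StandardError; end

class MiniAbility
  Rule = Struct.new(:base_behavior, :actions, :subjects, :conditions, :block) do
    # Relevant when the alias-expanded actions and the subjects cover the request.
    def relevant?(action, subject_class, expanded_actions)
      (expanded_actions.include?(:manage) || expanded_actions.include?(action)) &&
        subjects.any? { |s| s == :all || s == subject_class }
    end
    # Conditions apply to instances only. For a class-level check such as
    # can?(:index, Order) a conditional rule counts only when it is a `can`,
    # so a conditional `cannot` never blocks the whole index page.
    def conditions_match?(subject)
      return base_behavior if subject.is_a?(Class) && (block || conditions)
      return block.call(subject) if block
      return conditions.all? { |attr, value| subject.public_send(attr) == value } if conditions
      true
    end
  end

  def initialize
    @rules = []
    @aliases = { read: [:index, :show], create: [:new], update: [:edit] } # gem defaults
  end
  def can(action, subject, conditions = nil, &block)
    @rules << Rule.new(true, Array(action), Array(subject), conditions, block)
  end
  def cannot(action, subject, conditions = nil, &block)
    @rules << Rule.new(false, Array(action), Array(subject), conditions, block)
  end
  # alias_action :update, :destroy, to: :modify  =>  `can :modify, Order` covers both
  def alias_action(*actions, to:)
    @aliases[to] = Array(@aliases[to]) + actions
  end
  def expand(actions)
    actions.flat_map { |a| [a] + expand(Array(@aliases[a])) }
  end
  # The most recently defined matching rule decides; a later `cannot` beats an earlier `can`.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    rule = @rules.reverse.find do |r|
      r.relevant?(action, klass, expand(r.actions)) && r.conditions_match?(subject)
    end
    rule ? rule.base_behavior : false
  end
  def authorize!(action, subject)
    raise AccessDenied, "not authorized to #{action} #{subject.inspect}" unless can?(action, subject)
    subject
  end
  # In-memory accessible_by; the real one builds a SQL scope from hash
  # conditions and refuses rules that were defined with a block.
  def accessible_by(records, action = :index)
    records.select { |record| can?(action, record) }
  end
end

# The article's scenario: admins manage everything, customers only their own orders.
class Ability < MiniAbility
  def initialize(user)
    super()
    alias_action :update, :destroy, to: :modify
    if user.role == :admin
      can :manage, :all
      can :update_role, User              # custom, non-RESTful action
    else
      can :read, Order, user_id: user.id  # hash condition: own orders only
      can :create, Order
      can :modify, Order do |order|       # block condition, through the alias
        order.user_id == user.id && order.status == :draft
      end
      cannot :destroy, Order              # defined last, so it beats the alias
    end
  end
end

# Constructed sample data.
ADMIN    = User.new(1, :admin)
CUSTOMER = User.new(2, :customer)
ORDERS   = [Order.new(10, 2, :draft), Order.new(11, 2, :shipped), Order.new(12, 3, :draft)]

def checks
  a = Ability.new(CUSTOMER)
  { index_page: a.can?(:index, Order),            own_draft_edit: a.can?(:update, ORDERS[0]),
    own_shipped_edit: a.can?(:update, ORDERS[1]), own_destroy: a.can?(:destroy, ORDERS[0]),
    others_show: a.can?(:show, ORDERS[2]),        update_role: a.can?(:update_role, CUSTOMER),
    admin_update_role: Ability.new(ADMIN).can?(:update_role, User),
    visible_ids: a.accessible_by(ORDERS).map(&:id) }
end

# What a denied request looks like: authorize! raises, so that
# rescue_from CanCan::AccessDenied in ApplicationController can redirect.
def destroy_denied_for_customer?
  Ability.new(CUSTOMER).authorize!(:destroy, ORDERS[0])
  false
rescue AccessDenied
  true
end
```

Running checks shows the three points the section makes: the alias lets one can :modify rule cover update and destroy, the later cannot :destroy still wins for the customer, and the hash condition is what restricts both the per-record checks and the accessible_by list to the customer's own orders.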

2. Separating the Ability

  • Instead of one Ability class holding every rule, the rules can be split into separate classes, for example one per model or one per controller.
  • To use split abilities, override the current_ability method in ApplicationController so that it returns the right class (several Ability objects can be combined with merge).

3. Skipping authorization

  • To check permissions without adding load_and_authorize_resource to every controller, add it once to ApplicationController instead.
  • If a controller's permissions should not be checked, add skip_authorize_resource (or skip_load_and_authorize_resource) to that controller.

4. Checking that authorization happened

  • To catch a controller that was left out when permissions were set up, add check_authorization to ApplicationController; it raises an exception when an action completes without authorize! or load_and_authorize_resource having run.
  • To exempt a specific controller from that check, add skip_authorization_check to it.

5. Filtering params

  • If create and update actions simply write whatever data they receive, with nothing filtering the params, bad data in the request goes straight into the model. CanCanCan can help with that.

CanCanCan looks for a strong-parameters method in four places, in the following order of priority:

  • A method named after the action, such as create_params or update_params.

  • A method named after the model, such as order_params.

  • resource_params.

  • Any method named with the param_method option of load_and_authorize_resource; when that option is given, the named method is tried before the three above.
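The lookup order just listed, as an added example that is not the article's code or CanCanCan's: a small resolver, params_method_for, that returns the first sanitizer method a controller responds to, in the same order the gem uses, and sanitized_params, which calls it. The controller classes and the request hash RAW_PARAMS are constructed for the example, and plain hashes stand in for ActionController::Parameters.

```ruby
# Added example (not CanCanCan's code): models the lookup order for the
# strong-parameters method used on create and update. The controllers and the
# request hash are constructed; plain hashes stand in for
# ActionController::Parameters.

# Constructed request body. "admin" is the field an attacker would add in the
# hope that it is mass-assigned along with the legitimate ones.
RAW_PARAMS = { "status" => "draft", "user_id" => 99, "admin" => true }.freeze

# Name of the first method the controller responds to, in CanCanCan's order:
# the explicit param_method option (a Symbol here), then <action>_params,
# <model>_params and finally resource_params. Private methods count, as in the gem.
def params_method_for(controller, action:, model_name:, param_method: nil)
  candidates = [:"#{action}_params", :"#{model_name}_params", :resource_params]
  candidates.unshift(param_method) if param_method
  candidates.find { |m| controller.respond_to?(m, true) }
end

# The hash that would be handed to Order.new / order.update, or nil when the
# controller defines no sanitizer at all.
def sanitized_params(controller, **options)
  method = params_method_for(controller, **options)
  method && controller.send(method)
end

class OrdersController
  def initialize(params)
    @params = params
  end

  private

  def create_params               # used only for the create action
    @params.slice("status")
  end

  def order_params                # used for every other action, e.g. update
    @params.slice("status", "user_id")
  end

  def resource_params             # never reached: the two above take priority
    @params
  end
end

class LegacyOrdersController      # only the generic fallback is defined
  def initialize(params)
    @params = params
  end

  private

  def resource_params
    @params.slice("status", "user_id")
  end
end

class UnfilteredController        # no sanitizer at all
  def initialize(params)
    @params = params
  end
end
```

For OrdersController the create action gets only status, update gets status and user_id, and in neither case does the injected admin key survive. Passing param_method: :resource_params for the same controller overrides that order and hands the raw hash, admin included, to the model, which is exactly the case the option should not be used for.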


Above are some ways to customize authorization with CanCanCan. There are many options, but not all of them fit every project, so choose the ones that suit the project at hand. Otherwise the authorization setup becomes cumbersome, slows the project down and can lead to other unnecessary errors.



Article source: Viblo