I've been using CanCan on my latest project, with our easy_roles gem doing the user side role storage.
easy_roles supports bitmask storage and serialize.
Check it out at http://github.com/platform45/easy_roles
CanCan + easy_roles = Complete roles based authorization!
CanCan is a simple authorization plugin that offers a lot "off" flexibility.
There's an extra F there =)
I have not yet had a chance to try CanCan but would it be fair to say that guest users can edit one another's comments as CanCan sees all guests simply as User.new?
I always sucked at trying to implement my own authorisation code, and wanted something that looked like this but never managed to get there. Saves a lot of trouble!
this is so smart!
To make it even more powerful you can add these actions to nifty_scaffold & nifty_authenticate so you have a full authenticated application.. in seconds.. :)
thanks again!
Hello Ryan!
Great screencast and great plugin you gave us this week!!
Thanks a lot!
Luciano
>Keep the "authentication-casts" coming
>have a full authenticated application
Say it with me: "Authorization"
NOT authentication.
Thanks Ryan, both for another wonderful screencast and for your new authorization plugin. I like the expressiveness it gives to the code.
Hey Ryan,
CanCan looks fantastic. Nice job! I love how simple and declarative it is. Thanks for taking the time to write something like this up.
@Jamie, Felipe, Stephen, thanks! Fixed. :)
@Nicholas, no, since the comment.user will be nil for guests and therefore not match User.new.
Thanks for one of the reasons that mondays are nice!
:)
Keep up the good work, really appreciate it! It's the only screencast that I follow.
Now I'll see if I can use CanCan on one project I'm working on...
btw, does anyone know where I can buy some weird boots? :p
Spammers make me reevaluate the death penalty...
It looks very nice, but I am wondering how you can hide parts of the page which are not bound to an action, like a form field or an extra navigation?
Looking forward to see the forks on github which will have the canHas? wrapper around the can? method. :)))
Anyway, good job and I like the simplicity which this implementation provides.
Great work as always Ryan!
I was wondering how I would implement something like this with accounts? I have many sub-domains (accounts) and a user can be a manager in one account and a rep in the other. Is there a way to send in initialize(user, account)?
Thanks!
I second @Anlek's comment. I have the exact same issue.
GREAT Screencast once again!
I'm snapping my fingers but I cannot get TextMate to write code for me. Ryan, how the hell do you do it? :)
For God's sakes, man, do something about your Github inbox. 208 unread messages? That ain't right.
This is great, I was looking for something like this and just found it..
Thanks for making it simple and straight
This is great! I'm pretty new to Rails, but you make your presentations so clear and easy to understand. Such a task could be pretty hefty if you're not used to some of the ideas you explain in this article, but this code makes it seem so simple. Thanks!!
Can someone tell me if there is something like this in Rails?
RBAC paradigm [2]
[1] http://nomadblue.com/projects/django-rbac/
[2] http://en.wikipedia.org/wiki/Role-based_access_control
I like the way you do this : Tap ! VOILA !
RailsCasts is getting better and better!
I'm wondering if there's a way to do dynamic roles from the website. For example, as an owner of my company I want to create and give access to my finance manager to manage all of my employees' salaries. Not from the code or a constant, but dynamically from a website.
Very nicely done Ryan. I truly appreciate all the hard work you put into this website for us. Thank you!
Wow, the Ability class looks complicated! ... and that's only three roles! I dread what it would look like with more roles.
I'm also afraid that removing all that instantiating from the Controller code would be confusing for other developers who look at my code.
Okay, you made me fall in love with Declarative Authorization, and I got it working. So I have three questions about CanCan.
1.) It strikes me that CanCan is very similar to DA. What are the key 2 differences between CanCan and DA? What does 'heavy' mean?
2.) You showed us two controllers: comments & articles. I would love to see the users controller and see if you are able to use the current_user method there. I had to turn off the auto-model-loading functionality in my user controller when using DA.
3.) In comment 29 of episode 188 Jochen Kempf shared a way to 'control non-action related content'. Does CanCan have a solution for this?
Hi Ryan!
Thanks for doing a screencast on this. I haven't had the time to dig deep into CanCan, but from what I saw earlier it seemed very nice. Now, after watching this video, it will definitely be my main authorization tool! I really like its simplicity, productivity and approach to handling authorization.
I tried it out and it works fantastically. I have one question though. I noticed the ability.rb file could become quite long, depending on the number of roles and models you want to authorize. Do you have any recommendation (or would you not recommend it) to put each "role" in its own file? Like maybe: lib/roles/user.rb, moderator.rb, admin.rb etc. and then load them in? If you would separate them, how would you organize this? (just looking for some conventions) ;)
Thanks again.
I am looking forward to using this in my future applications!
Thx, I've just used it in one project, works great. Looks like I'll use it always.
Hi Ryan,
First, thanks for CanCan.
Question: in your example there are multiple blogs/subdomains. Can I set up CanCan where a user can have different roles depending on the group/blog/subdomain he/she is a member of?
To brute force this, I would have a user, group, and groupmembership table, where the groupmembership table would contain user_id, group_id, and role_id. Can CanCan make this easier?
thanks!
What I want to know is if the action name is "update_article" instead of "update", the following code can still work?
<% if can? :update_article, @article %>
<%= link_to "Edit", edit_article_path(@article) %>
<% end %>
If you're hating to comment spam here as much as I am please go to http://feedback.railscasts.com/pages/77-episode-suggestions/suggestions/425108-show-how-to-implement-an-svm-to-eliminate-comment-spam and vote for Ryan to add an SVM to Railscasts.com to identify and eliminate spam.
I like the idea of declarative authorization and I plan to implement it on my front-end application. However I feel that CanCan makes one incorrect and oversimplifying assumption: that (for example) the :update action applied to an object in one controller is the same as :update applied via a different controller.
Of course I am talking about the case of MyObjectsController vs. Admin::MyObjectsController.
I am sold on using separate Admin:: controllers due to vast differences in the interface for admin/non-admin usage. That leaves me needing to authorize actions based not just on the model and user (as CanCan seems to do,) but also on what controller is selected.
Am I missing something? Have I overlooked a simple way to use CanCan's ability definitions to limit actions by controller?
Great plugin! However, I am having trouble using it on a controller without a companion model. For instance, I have a Calendar controller that builds and displays a calendar, but there is no Calendar model for CanCan to lock onto. So I'm getting an "uninitialized constant" error when it tries to create a Calendar model.
I realize that I should probably not be calling "load_and_authorize_resource" but I'm not sure how else to get CanCan to secure the controller. Any tips on using CanCan without a model?
Re: my previous post (RnR Tom, Dec 22, 2009 at 17:41)
A simple solution is available at:
http://wiki.github.com/ryanb/cancan/authorization-for-namespaced-controllers
Woooo that's THE plugin 2009 ! ;) I love it.
I'm facing a small problem (for me).
In my UserController I have load_and_authorize_resource and
def edit
@user = current_user
end
And of course I get an exception when a non-authenticated user tries to access /users/:id/edit, because it's trying to load the user in load_and_authorize_resource.
So where is my mistake? :S
Is it not possible to check the right before loading the resources in load_and_authorize_resource?
CanCan is so great and fast to implement!!! :)
Thanks
Good work, for some reason a lot of my interest is shared on this site. For this article, great plugin!
AccessControl all the way.
http://github.com/Adman65/AccessControl
I get undefined method `can?' for #<ActionView::Base:0x56ab314> in my controller. What's wrong?
Let's say I have the article model like in the example and I want every user to only be able to see his own articles, while admins can see all articles. How would I do that with CanCan?
I got some problems using CanCan.
It's working OK, but after I've installed the gems, this is the output of my rake gems:install:
sudo rake gems:install
(in /Users/tscolari/Projetos/skeleton)
rake aborted!
uninitialized constant ApplicationController::CanCan
(See full trace by running task with --trace)
First of all, great plugin Ryan! I have a question (probably too simple): I used the :nested option for nested resources, now how do I get the instances of those resources in my Ability class, specifically for the block:
can :action, Model do |model| ...
great plugin Ryan, during evaluation of it I have created an advanced structure for rights management (have a look at http://niczsoft.com/2010/01/complex-associations-in-rails-activerecord/) and there I have a problem with deep nesting and activerecord, maybe complex associations might be covered by one of next railscasts ?
This is really smart! Great plugin. Love this site, for some reason a lot of my interest is shared on this site.
Ryan, thanks a lot for this. Another brilliant episode.
Very nice gem Ryan, well done. However, does the gem now support nested roles, e.g. being able to declare one role as part of another role? This would be useful for situations like when you have a reader_guest and an editor_guest; the editor_guest can then 'contain' the reader_guest.
Declarative auth supports this; but cancan is so much simpler. Thanks again
I know there are many "authentication" plugins and gems, but it would be just GREAT if you add all of "needed" basic gems to your one-stop nifty generators!
1. authentication w/ full functionalities
2. layout w/ decent style(s)
Thanks!!!!
once CanCan is added to a project,
there are problems with my user edit link.
<%= link_to "Edit Profile", edit_user_path (:current) %>
error
Couldn't find User with ID=current
Anybody know any fixes?
cannot :index, User
why does this block all users
if I have added
can :manage, :all if user.role == "admin"
Admin user should be able to view index, right?
http://stackoverflow.com/users/283179
Hi Ryan,
Thanks again for the great screencast! Question about the Ability class, you are doing a check for role?, but what if there's a many to many user-role relationship? Does cancan know to check all the roles? or should Ability.rb be updated to user.roles?
I keep getting undefined method `role?' for #<User:0x1032be9a0>
my guess is it's because the user has many roles so user.role? really should be user.roles?, but that doesn't work either.
I'm going to dig into the cancan code and see what i can dig up.
Thanks,
John
Hey Ryan,
Never mind that last comment. I figured out what was going on.
Thanks again, your railscasts are a life saver.
John
Ryan, why is the method "load_resource" called from the method "load_and_authorize_resource" in the "resource_authorization.rb" file?
It was causing me some problems when I tried to call a controller without a model, like ApplicationController, or when I used it to manage a model within another controller, so I tried to take it out and everything seems to work.
Thanks.
Very very useful plugin!!!
Only one thing I've found...
I got this error:
wrong number of arguments (1 for 0)
app/models/ability.rb:6:in `role?'
app/models/ability.rb:6:in `initialize'
ability.rb (line 6):
if user.role? :admin
user.rb:
def role?
roles.include? role.to_s
end
So the error seems to be in user.rb but no luck :(
Could you help me or tell me what's wrong?
Thanks a lot!!!!!
Great, but what about Aegis?
http://github.com/makandra/aegis
It seems to have put all the pieces together in a very practical way also...
Excellent, really great plug-in! This is very useful. Like most of the topics here, so I am one of the followers from now. Keep up the work!
I have done everything in this tutorial up to adding the load_and_authorize_resource line to my controller, which causes this error:
undefined local variable or method `load_and_authorize_resource' for GameController:Class
If I only include CanCan in my ability.rb file, then I don't see how it is included into the app unless I include the ability.rb file or tell it to load somewhere.
Great plugin! One question: how can it be applied to a controller that has no model?
OK, I figured it out: Let's say I have a modeless controller, "MymodelessController", with a some_action action. 1. In the MymodelessController class, instead of load_and_authorize_resource, use
authorize_resource :resource => :mymodeless
2. In ability.rb refer to it as: if user.role?(:power_user) can :some_action, :mymodeless
Thanks Ryan, indeed, a great plugin!!!
Your post was not only nice but informative too. Your skills are good and your concepts are clear.
very helpful article ...
just what I needed...
and by the way railscasts Blog is great! keep it up I'll definitely come back!
Such a different article, a very new topic being raised.
I often like to read such informative posts, keep posting, it's good.
Hi. Your post is amazing. For a long time I searched for this information, but I didn't get the right thing. Thanks to you I got the stuff I am looking for. I would like to read more from you.
Your post is rocking and knowledgeable... I really appreciate the way you write . I would like to read more from you.
Great article! I really love the second paragraph, I know exactly what you mean! This site is great thanks again!
Corey
Hi, keep up the good work. It's nice to see a blog that stands out from the rest. This was a very informative read and has now been added to my favourites!!
Great, plug-in/gem, Ryan.
Now, is it just me, or is the matching_can_definition() method in the Ability module doing the wrong thing by traversing the rules in reverse order?
I mean, shouldn't it traverse the can definitions in the order they were declared in the Ability#initialize method?
Hey Ryan,
Thanks. I'm always in the market for new and interesting plugins. This one looks excellent. I'll give you some feedback later.
I'm always looking out for cool new plugins so this should be very useful.
I was actually looking for this resource a few weeks back. Thanks for sharing your wisdom with us. This will absolutely help me in my projects.
This is a very good blog. I appreciate this text very much, thank you.
Glad I ran into this blog. Hope you don't mind if
I tweet this... my followers would find it useful.
p.s. How often do you update your post.
I'll check back for your answer.
Hi Ryan,
Actually, the counter of comments seems to be wrong.
It tells me that this episode has 11 comments, but the right number of comments is 80.
Great screen cast but I agree with the other guys about the database design being bad. Definitely fine for really simple purposes, but it's not scalable. I wrote a post on how to set up Devise and CanCan, while implementing the typical User HABTM Role relationship. Would love everyone's feedback. Here is the link - http://www.tonyamoyal.com/2010/07/28/rails-authentication-with-devise-and-cancan-customizing-devise-controllers/
Thanks Ryan for providing this nice plugin! Wish I could code as well as you..
Hi,
Thanks for the great plugin. I have watched the video and I have tried to use CanCan, but I keep getting a "wrong number of arguments (1 for 0)" when I try to use can? or load_and_authorize_resource.
What could be the problem? I used them the same way you did.
The plugins are really worth trying! Thanks for sharing the video.
Might have been useful to show that you can use the "authorize_resource" filter instead of "load_and_auth..". For my particular app I needed to be in control of the loading and it was only after monkey-patching it that I browsed the gem code and saw that I could use the other filter. Lovely gem, made my life easy.
As a new blogger I'm always looking for interesting articles that my readers may want. Thanks for this info it helps with my research
Nice gem, Ryan. Simple to use and allows plain ol' Ruby in the access rules. Reminds me a lot of the Aegis gem from Makandra.
Sometimes I prefer to return the proper 403 HTTP code instead of redirecting to the homepage. Here's how, if others want to:
1. Create a public/403.html file
2. Replace the rescue_from statement in ApplicationController with:
rescue_from CanCan::AccessDenied do |exception|
render :file => "#{RAILS_ROOT}/public/403.html", :status => 403
end
This is one of the best posts that I’ve ever seen; you may include some more ideas in the same theme. I’m still waiting for some interesting thoughts from your side in your next post.
It's really interesting to read this post. I read it completely and now I'm interested to know more about it, so I hope you may add more information in your next post. I will enjoy that too.
It's an amazing post; the information you delivered is awesome. I would wait for your next such informative and interesting post.
Hi Ryan, nice work, but I need the permission logic in the database, and I can't figure out how to make the models (rol and permission). Can you help me?
Thanx
That is an awfully astounding column you've posted. Thanks a lot for a fantastically amazing post!
Thank you for another essential article. I'm a complete newb to everything including Ruby, but I was able to follow along, and where it differed from the current version of Cucumber or Ruby it actually forced me to find the info myself.
Thanks for sharing your article. I really enjoyed it. I put a link to my site to here so other people can read it. My readers have about the same interests.
Thanks for the CanCan plugin, will definitely give it a try soon enough
Well, the post is in reality the freshest on this noteworthy topic. I agree with your conclusions and will eagerly look forward to your future updates. Saying thanks will not just be sufficient, for the exceptional lucidity in your writing.