ruby-on-rails-4,devise,activeadmin,infinite-loop,cancancan
You are not using the user object inside the initialize method in ability.rb anywhere.

def initialize(user)
  user ||= User.new
  if user.admin?
    can :manage, :all
    can :read, ActiveAdmin::Page, :name => "Dashboard"
  end
  if user.customer?
    can :read, [:index], HomeController
    cannot :read, ActiveAdmin::Page, :name => "Dashboard"
  end
  if user.supplier?
    can :read, [:index], HomeController...
ruby-on-rails,authorization,cancan,cancancan
CanCan blocks only work on model instances (see this wiki page) and right now your can? sends the model class, not an instance. In order for this to work, you need to pass an instance of Membership. You can do something like this (assuming @group is the group the user...
ruby-on-rails,devise,cancan,cancancan
For simplicity, you could add an admin boolean column on the users table. You would check for an admin user with user.admin?. Here is what the migration will look like. > rails g migration add_admin_to_users In your migration file, I would set a default value to false prior to running...
devise,ruby-on-rails-4.1,ruby-2.1,cancancan
# config/initializers/admin.rb
class CanAccessResque
  def self.matches?(request)
    current_user = request.env['warden'].user
    return false if current_user.blank?
    Ability.new(current_user).can? :manage, Resque
  end
end

# routes.rb
namespace :admin do
  constraints CanAccessResque do
    mount Resque::Server, at: 'resque'
  end
end

# ability.rb
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new
    if user.is_admin?
      can :manage, Resque
    end
  end
end...
ruby-on-rails,ruby-on-rails-4,authorization,cancancan
Change the object name used for pagination.

def getAssignments
  @assignments = Assignment.all
  if (@assignments != nil && @assignments.length > 0) then
    @assignment = @assignments.paginate(:per_page => 5, :page => params[:page])
  end
end

and in your view like this

<% if @assignment != nil then %>
  <%= will_paginate @assignment, :class => @paginationClass.to_s,...
ruby-on-rails,activeadmin,ruby-on-rails-4.1,cancancan
can :manage, User already includes all custom actions. So, both of your roles can perform both custom actions. You can describe only the CRUD actions: can %i(create read update delete), User instead of can :manage, User for both roles....
ruby-on-rails,nesting,cancancan
if user
  can :crud, Parameter, meter: { account_id: user.account_id }
end
...
ruby-on-rails,authorization,cancancan
Cancancan only lets you define permissions for a given context. This context might be a user role, which is not a part of cancancan and hence roles have to be defined by yourself. There are various ways to define a user role, e.g. as a Role model, or as a Rails enum, as suggested here,...
ruby-on-rails,ruby-on-rails-3,devise,cancancan
When the session times out, the value of flash[:alert] is set to :timeout, which by default is defined in config/locales/devise.en.yml. So instead of reading the message from exception, try reading from flash[:alert] and make your app react accordingly. For example, this is the code I use in my apps: rescue_from...
ruby-on-rails,ruby-on-rails-3,rspec,cancan,cancancan
I have no idea why, but I've refactored my tests and they now work as expected. Maybe this'll help someone.

RSpec.describe User do
  describe 'Abilities' do
    context 'guest' do
      let(:user) { create(:user, state: 'guest') }

      (client_made_resources + administrator_resources).each do |r|
        it "cannot manage #{r}" do
          ability = Ability.new(user)
          assert ability.cannot?(:manage,...
ruby-on-rails,ruby,authorization,cancan,cancancan
can :edit, Appointment, office_id: employee.office_ids ...
ruby-on-rails,ruby,ruby-on-rails-4,rubygems,cancancan
I could solve my problem by updating Cancancan from 1.9.2 to actual 1.10.1 and compare my engine with the one from this post: https://github.com/CanCanCommunity/cancancan/issues/151#issuecomment-69487040
ruby-on-rails,vanity-url,cancancan
I figured it out; adding find_by: :slug to the load_and_authorize_resource did exactly what I was looking for. load_and_authorize_resource only: [:dashBoard], find_by: :slug ...
ruby-on-rails,ruby-on-rails-4.2,cancancan,ruby-2.2
You need to declare a can rule to actually allow users to :filter.

can :filter, Article do |article|
  !user.client?
end

Or

unless user.client?
  can :filter, Article
end

An example of using cannot:

can :friend, User
cannot :friend, User do |other_user|
  other_user.blocks?(user)
end
...
ruby-on-rails,cancan,cancancan
Just found the solution, which is quite simple:

can :read, Car, :car_pool => { :users => { :id => user.id } }
# closing brace of the nested hash was missing in the original line
can :create, CarPickup, :car => { :car_pool => { :users => { :id => user.id } } } # Add this line in order for it to work when...
ruby-on-rails-4,devise,cancan,rolify,cancancan
It turns out that the issue was with the way I authorized my Newsroom Controller, because Newsroom was a non-RESTful controller (i.e. there was no model associated with Newsroom). I had to add this to the top of my controller:

authorize_resource :class => false

As specified here: https://github.com/CanCanCommunity/cancancan/wiki/Non-RESTful-Controllers#alternative-authorize_resource...
ruby-on-rails,devise,cancan,cancancan
I would say single model with permissions. I made a detailed response on how to approach this here: Setting up different User models and registration paths for Devise on Ruby on Rails...
ruby-on-rails,ruby-on-rails-4,cancan,cancancan
For what it's worth, I had to set up my NewsroomController like this:

class NewsroomController < ApplicationController
  authorize_resource :class => false

This is what the working version of my ability.rb looks like after I got it to work with the permissions I needed:

# Roles
# Admin
if user.has_role? :admin
  can :manage, :all...
ruby-on-rails,ruby,devise,cancancan
So you have to define authorization manually for your index action.

load_and_authorize_resource
skip_load_and_authorize_resource :only => [:getProjectId, :getResult, :index]

def index
  # bind the company id as a query parameter instead of concatenating it into the SQL string
  @projects = Project.find_by_sql(["SELECT project_id, project_name FROM projects WHERE company_id = ? ORDER BY project_name", current_dashboard_user.company_id])
  authorize! :read, @projects
  getProjectId
  getResult # get search result
  authorize! :read, @assessments
  respond_to do...
ruby-on-rails,ruby,devise,cancan,cancancan
Okay, just do this trick for now. Somehow the current_user helper method is being called. So the quickest solution would be if you can do the following. In your application_controller.rb file put this block:

def current_user
  current_dashboard_user
end
# method_alias :current_user=, current_user # you may need this line if required....
ruby-on-rails,rails-routing,minitest,cancancan
Take a look at the stack trace for this exception:

SubscriptionsControllerTest#test_admin_can_not_view_subscriptions_that_don't_exist:
ActionView::Template::Error: No route matches {:action=>"edit", :controller=>"subscriptions", :id=>nil} missing required keys: [:id]
    app/views/subscriptions/show.html.erb:13:in `_app_views_subscriptions_show_html_erb__1518678276755260966_70268849069860'
    test/controllers/subscriptions_controller_test.rb:58:in `block (2 levels) in <class:SubscriptionsControllerTest>'...
ruby-on-rails,rails-activerecord,cancancan
Remove the attr_accessor for role, it's shielding the role attribute generated by AR automatically.
ruby-on-rails,activeadmin,cancan,cancancan
Try this: can :read, Invoice, :user => { :id => adminuser.user.id }