
cancan

Authorization Gem for Ruby on Rails.

Cancan accessible_by

What exactly is happening when I do:

@patient.course_enrollments.accessible_by(current_ability)

What seems to happen is that I get course_enrollments where course.client_id = user.client.id; I just don't understand how accessible_by works.

# ability.rb
can :manage, CourseEnrollment, :course => {:client_id => user.client.id}

Source: (StackOverflow)

How to do integration testing with RSpec and Devise/CanCan?

If I have a Devise model User, of which only those users with role :admin are allowed to view a certain url, how can I write an RSpec integration test to check that the status returns 200 for that url?

def login(user)
  post user_session_path, :email => user.email, :password => 'password'
end

This was pseudo-suggested in the answer to this question: Stubbing authentication in request spec, but I can't for the life of me get it to work with devise. CanCan is receiving a nil User when checking Ability, which doesn't have the correct permissions, naturally.

There's no access to the controller in integration specs, so I can't stub current_user, but I'd like to do something like this.

describe "GET /users" do
  it "should be able to get" do
    clear_users_and_add_admin #does what it says...
    login(admin)
    get users_path
    response.status.should be(200)
  end
end

NOTE!!!: all this has changed since the question was asked. The current best way to do this is here: http://github.com/plataformatec/devise/wiki/How-To:-Test-with-Capybara


Source: (StackOverflow)

Access CanCan's `can?` method from a model

You can get the current_user's permissions from a view or controller using can? in this fashion:

  <% if can? :update, @article %>
    <%= link_to "Edit", edit_article_path(@article) %>
  <% end %>

How can I access this functionality from a model using this syntax:

user.can?(:update, @article)

Source: (StackOverflow)

How to create the first (Admin) user (CanCan and Devise)?

I made authentication in my Rails 3 app following Tony's tutorial.

I don't want public registrations on my app, just to create new users with the Admin account, but I can't create the Admin account manually, because the Users table contains an encrypted password and salt that must be generated, and I don't know how :|


Source: (StackOverflow)

Testing views that use CanCan and Devise with RSpec

I was trying to test a simple index view, which has following code inside:

- if can? :destroy, MyModel
  %th Options

MyModelsController has the following options (Inherited Resources + CanCan + Devise):

class MyModelsController < ApplicationController
  inherit_resources
  nested_belongs_to :mymodel
  before_filter :authenticate_user!
  load_and_authorize_resource :project
  load_and_authorize_resource :mymodel, :through => :project
end

When running specs, it crashes at the line `- if can? :destroy, MyModel`:

Failure/Error: render
   ActionView::Template::Error:
      undefined method `authenticate' for nil:NilClass

There's no traceback, nothing to base on...

I thought that maybe I'm not authorized and signed in when testing views, but Devise::TestHelpers should only be included in controller tests (and that's how I have it).

I was trying to override method can? in both Ability and the controller, but that gave no effect.


Source: (StackOverflow)

CanCan: limiting a user's ability to set certain model attributes based on their role

I have a Post model with a :published attribute (boolean) and a User model with a role attribute (string). There are three roles: ROLES = %w[admin publisher author]

I don't want users whose role is author to be capable of setting, or editing, the :published field on the Post model.

I'm using CanCan (and RailsAdmin gem) and my simplified Ability.rb file looks like this:

class Ability
  include CanCan::Ability
  def initialize(user)
    user ||= User.new

    if user.role? :admin
      can :manage, :all
    elsif user.role? :publisher
      can :manage, Post
    elsif user.role? :author
      # I want to prevent these guys from setting the :published attribute
    end

  end
end

Anyone got any tips for doing this sort of thing?


Source: (StackOverflow)

Safest and Railsiest way in CanCan to do Guest, User, Admin permissions

I'm relatively new to rails (3), and am building an application, using CanCan, where there are 3 tiers of users.

  • Guest - unregistered visitor
  • User - registered and logged in visitor
  • Admin - registered and logged in visitor with admin flag

My ability is bog-stock right now, copied from the cancan docs, basically defining the guest role and the admin role.

class Ability

    include CanCan::Ability

    def initialize(user)
        user ||= User.new # Guest user

        if user.is_admin?
            can :manage, :all
        else
            can :read, [Asana,Image,User,Video,Sequence]
        end
    end

end

I'm looking to add in the user role. Since I'm creating that throwaway user model, I thought about using new_record? to determine if the user is logged in or not. Something like:

class Ability

    include CanCan::Ability

    def initialize(user)
        user ||= User.new # Guest user

        if !user.new_record? and user.is_admin?
            can :manage, :all
        elsif !user.new_record? and !user.is_admin?
            # registered-user permissions go here
        else
            can :read, [Asana,Image,User,Video,Sequence]
        end
    end

end

But it just doesn't feel right. It seems kind of disassociated from, like, actual logged-in-ed-ness, and I have concerns about whether it's actually secure.

Looking for advice on a more elegant way to doing this.

Thanks!


Source: (StackOverflow)

cancan skip_authorization_check for Devise authentication

Because anyone can sign up and then log in, and because a user isn't identified for roles until after login, doesn't it make sense to skip the authorization check for Devise?

Going on that premise, I inherit from the Devise registration controller with this registrations_controller and placed it in the controllers directory.

class Users::RegistrationsController < Devise::RegistrationsController
  skip_authorization_check
end

Change to the routes file:

devise_for :users, :controllers => { :registrations => "registrations" }

I'm missing something though:

This action failed the check_authorization because it does not authorize_resource. Add skip_authorization_check to bypass this check.

Thanks for your help.


Source: (StackOverflow)

CanCan load_and_authorize_resource triggers Forbidden Attributes

I have a standard RESTful controller that uses strong parameters.

class UsersController < ApplicationController
  respond_to :html, :js

  def index
    @users = User.all
  end

  def show
    @user = User.find(params[:id])
  end

  def new
    @user = User.new
  end

  def edit
    @user = User.find(params[:id])
  end

  def create
    @user = User.new(safe_params)

    if @user.save
      redirect_to @user, notice: t('users.controller.create.success')
    else
      render :new
    end
  end

  def update
    @user = User.find(params[:id])

    if @user.update_attributes(safe_params)
      redirect_to @user, notice: t('users.controller.update.success')
    else
      render :edit
    end
  end

  def destroy
    @user = User.find(params[:id])

    if current_user != @user
      @user.destroy
    else
      flash[:error] = t('users.controller.destroy.prevent_self_destroy')
    end
    redirect_to users_url
  end

  private

  def safe_params
    safe_attributes =
      [
        :first_name,
        :last_name,
        :email,
        :password,
        :password_confirmation,
      ]
    if current_user.is?(:admin)
      safe_attributes += [:role_ids]
    end
    params.require(:user).permit(*safe_attributes)
  end
end

In my config/initializers I have the file strong_parameters.rb

ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)

When I add a simple call to CanCan's load_and_authorize_resource I get

1) UsersController POST create with invalid params re-renders the 'new' template
 Failure/Error: post :create, user: @attr
 ActiveModel::ForbiddenAttributes:
   ActiveModel::ForbiddenAttributes
 # ./spec/controllers/users_controller_spec.rb:128:in `block (4 levels) in <top (required)>'

Where @attr in the test is defined as

  before(:each) do
    @attr =
      {
        first_name: "John",
        last_name: "Doe",
        email: "user@example.com",
        password: "foobar",
        password_confirmation: "foobar"
      }
  end

In the tests I have it all set up properly to log in the user and give them the necessary roles for being an administrator, so I know it's not that. I don't know why this is causing ForbiddenAttributes to trigger. I'm sure it's something simple I've overlooked. Has anyone else encountered this problem and found a solution to it?


Source: (StackOverflow)
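The error above comes from ActiveModel's forbidden-attributes protection: a model refuses a parameters object that never went through `permit`, which is what happens when a resource loader builds the record from the raw `params[:user]` instead of from the controller's permitted method. The following added example (not Rails', CanCan's or the poster's code) models that check with plain-Ruby stand-ins so it runs without Rails; `Params`, `AttributeProtection`, `ForbiddenAttributes`, the `User`/`Post` models, `user_params`/`post_params` and the sample request are all constructed for this page. It also serves the earlier question about keeping authors away from the `:published` field, since that is the same role-dependent permit list as `role_ids` for admins here.

```ruby
class ForbiddenAttributes < StandardError; end

# Stand-in for ActionController::Parameters: a hash that remembers whether it
# went through permit.
class Params
  attr_reader :to_h

  def initialize(hash, permitted: false)
    @to_h, @permitted = hash, permitted
  end

  def permitted?; @permitted; end

  def [](key)
    value = @to_h[key]
    value.is_a?(Hash) ? Params.new(value) : value   # nested hashes stay unpermitted
  end

  def require(key)
    raise KeyError, "param is missing: #{key}" unless @to_h.key?(key)
    self[key]
  end

  def permit(*allowed)
    Params.new(@to_h.select { |k, _| allowed.include?(k) }, permitted: true)
  end
end

# Stand-in for ActiveModel::ForbiddenAttributesProtection: a model refuses a
# params object that was never permitted.
module AttributeProtection
  def assign_attributes(attrs)
    if attrs.respond_to?(:permitted?) && !attrs.permitted?
      raise ForbiddenAttributes, "unpermitted parameters passed to mass assignment"
    end
    attrs.to_h.each { |name, value| public_send("#{name}=", value) }
    self
  end
end

class User
  include AttributeProtection
  attr_accessor :first_name, :email, :role_ids
end

class Post
  include AttributeProtection
  attr_accessor :title, :published
end

# Role-dependent permit lists: role_ids only for admins (as in safe_params above),
# and published for anyone except authors (the earlier :published question).
def user_params(params, current_role)
  allowed = [:first_name, :email]
  allowed << :role_ids if current_role == :admin
  params.require(:user).permit(*allowed)
end

def post_params(params, current_role)
  allowed = [:title]
  allowed << :published unless current_role == :author
  params.require(:post).permit(*allowed)
end

# A loader that reads params[:user] directly gets the unpermitted hash, so the
# protection raises before any attribute is written.
def build_user_from_raw(params)
  User.new.assign_attributes(params[:user])
end

def build_user(params, current_role)
  User.new.assign_attributes(user_params(params, current_role))
end

def build_post(params, current_role)
  Post.new.assign_attributes(post_params(params, current_role))
end

# Constructed request: a non-admin submits role_ids and an author submits published.
REQUEST = Params.new({
  user: { first_name: "John", email: "user@example.com", role_ids: [1] },
  post: { title: "Hello", published: true }
})
```

The point to check in your own controller is which method the resource loader actually calls: recent CanCan/CanCanCan versions look for a params method by convention (`create_params`, `user_params`, `resource_params`) or one named via the `param_method` option, so a method with another name such as `safe_params` is simply not consulted and the raw hash reaches the model. Keeping the permit list role-dependent, as above, is what stops a non-admin from submitting `role_ids` even when the request contains it.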

CanCan gem for MVC .NET

I am looking for a NuGet package that provides similar functionality to the CanCan gem in Rails ( https://github.com/ryanb/cancan ).

Does anyone know a plugin that provides a similar functionality? Or a simple way to implement this?

Thanks


Source: (StackOverflow)

How can I test CanCan in the console?

I need to check :read? on an object in the console, how can I do this?


Source: (StackOverflow)

Passing params to CanCan in RoR

I have a controller with a method like;

def show
  if params[:format].eql?("pdf")
    # do something
  elsif params[:format].eql?("csv")
    # do something
  end
end

But I have users with different roles, so I use CanCan to manage access control. Now I want role X to be able to do the show action in the controller iff params[:format].eql?("csv").

I think it could be something like `can :show, resource if params[:format].eql?("csv")`. So how can I send parameters to ability.rb?

Any idea?

Thanks.


Source: (StackOverflow)

cancan: the difference between "manage" and the combination of "read, create, update and destroy"?

In trying to debug my use of cancan I found that if I use the following I can get past the AccessDenied message:

  can :manage, Model

When I changed it to the following I am denied access:

  can :read, Model
  can :create, Model
  can :update, Model
  can :destroy, Model

What does manage include that the combination of read, create, update and destroy do not?

Thanks.


Source: (StackOverflow)
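Several of the questions on this page (what accessible_by does with hash conditions, calling can? from a model, guest/user/admin tiers, rules that depend on request params, and what :manage covers that read, create, update and destroy do not) come down to how CanCan matches a rule against an action and a subject. The following is an added, self-contained stand-in for that matching, written for this page; it is not the gem's code, and every class and name in it (`Rule`, `Ability`, `User`, `Course`, `CourseEnrollment`, `Report`, the sample enrollments) is constructed for the example. Its `accessible_by` filters an in-memory array rather than building a database query, which is the one part the real gem does differently.

```ruby
# CanCan expands :read to index/show, :create to new and :update to edit.
ACTION_ALIASES = { read: [:index, :show], create: [:new], update: [:edit] }.freeze

class Rule
  attr_reader :base_behavior   # true for `can`, false for `cannot`

  def initialize(base_behavior, actions, subjects, conditions)
    @base_behavior, @conditions = base_behavior, conditions || {}
    @actions, @subjects = Array(actions), Array(subjects)
  end

  # :manage matches every action, including custom ones such as :publish.
  def matches_action?(action)
    @actions.include?(:manage) ||
      @actions.any? { |a| a == action || ACTION_ALIASES.fetch(a, []).include?(action) }
  end

  # A subject is either a class (can? :read, Report) or an instance of one.
  def matches_subject?(subject)
    @subjects.include?(:all) ||
      @subjects.any? { |s| s.is_a?(Class) && (subject == s || subject.is_a?(s)) }
  end

  # Class-level checks ignore hash conditions, as in CanCan.
  def matches_conditions?(subject)
    subject.is_a?(Class) || hash_matches?(@conditions, subject)
  end

  private

  # Nested hashes walk associations: { course: { client_id: 7 } }.
  def hash_matches?(conditions, object)
    conditions.all? do |attr, expected|
      actual = object.public_send(attr)
      expected.is_a?(Hash) ? hash_matches?(expected, actual) : actual == expected
    end
  end
end

class Ability
  # Request params are passed in so a rule can depend on params[:format].
  def initialize(user = nil, params = {}, &custom_rules)
    @rules = []
    return instance_exec(&custom_rules) if custom_rules
    user ||= User.new                      # guest: never saved, so not persisted?
    if user.persisted? && user.admin?
      can :manage, :all
    elsif user.persisted?
      can :index, Report
      can :manage, CourseEnrollment, course: { client_id: user.client_id }
      can :show, Report if params[:format] == "csv"
    else
      can :index, Report
    end
  end

  def can(action, subject, conditions = nil)
    @rules << Rule.new(true, action, subject, conditions)
  end

  def cannot(action, subject, conditions = nil)
    @rules << Rule.new(false, action, subject, conditions)
  end

  # The last matching rule wins, so search from the end of the list.
  def can?(action, subject)
    rule = @rules.reverse.find do |r|
      r.matches_action?(action) && r.matches_subject?(subject) && r.matches_conditions?(subject)
    end
    rule ? rule.base_behavior : false
  end

  # In-memory analogue of accessible_by: keep only the records the rules allow.
  def accessible_by(records, action = :index)
    records.select { |r| can?(action, r) }
  end
end

User = Struct.new(:id, :admin, :client_id) do
  def persisted?; !id.nil?; end
  def admin?; admin == true; end
  def can?(action, subject); Ability.new(self).can?(action, subject); end
end
Course           = Struct.new(:client_id)
CourseEnrollment = Struct.new(:course)
Report           = Struct.new(:id)

# Constructed sample data: enrollments belonging to two different clients.
ENROLLMENTS = [CourseEnrollment.new(Course.new(7)), CourseEnrollment.new(Course.new(9))].freeze

def enrollments_visible_to(user)
  Ability.new(user).accessible_by(ENROLLMENTS).map { |e| e.course.client_id }
end

# :manage versus the four CRUD rules, checked for a given action.
def manage_vs_crud(action)
  manage = Ability.new { can :manage, Report }
  crud   = Ability.new { can [:read, :create, :update, :destroy], Report }
  [manage.can?(action, Report), crud.can?(action, Report)]
end
```

Two things to take from it. First, the rule with `course: { client_id: ... }` is what makes `accessible_by` return only the enrollments whose course belongs to the user's client: the hash is evaluated per record (the real gem turns the same hash into a WHERE clause), so a record for another client is excluded rather than raising. Second, `manage_vs_crud(:publish)` returns `[true, false]`: `:manage` matches any action name, whereas the four CRUD rules only cover their own names plus the aliases (`:index`, `:show`, `:new`, `:edit`), so a custom controller action is denied until you add a rule for it. The guest tier relies on `persisted?` of an unsaved `User.new`; if that feels indirect, passing `nil` through and testing `user.nil?` first is the equivalent check. In a Rails console the check is the same call as `User#can?` makes here: `Ability.new(user).can?(:read, record)`.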

How can I redirect a user's home (root) path based on their role using Devise?

I'm working on a project management app, and in the app, I have project_managers and clients. I'm using Devise and CanCan for authentication/authorization.

At what point after login should I be redirecting the user to their own specific controller/layout/views? Is there a way to check for current_user.role in routes.rb and set the root (or redirect) based on whether or not they're a project manager or a client? Is this a change I can make in Devise somewhere?

Thanks in advance for any help! --Mark


Source: (StackOverflow)

How to access 'can?' method from within cell?

I'm using cancan and cells gems in my ruby-on-rails project. How to access can? method from within cell? Thanks.


Source: (StackOverflow)