• This repository has been archived on 12/Dec/2021
• Stars: 6,265
• Rank: 6,383 (Top 0.2 %)
• Language: Ruby
• License: MIT License
• Created about 15 years ago
• Updated almost 3 years ago

Repository Details

Authorization Gem for Ruby on Rails.

Unmaintained

The CanCan gem is no longer maintained. Please use another authorization library such as CanCanCan or Pundit.

CanCan

Wiki | RDocs | Screencast

CanCan is an authorization library for Ruby on Rails which restricts what resources a given user is allowed to access. All permissions are defined in a single location (the Ability class) and not duplicated across controllers, views, and database queries.

Installation

In Rails 3, add this to your Gemfile and run the bundle command.

gem "cancan"

In Rails 2, add this to your environment.rb file.

config.gem "cancan"

Alternatively, you can install it as a plugin.

rails plugin install git://github.com/ryanb/cancan.git

Getting Started

CanCan expects a current_user method to exist in the controller. First, set up some authentication (such as Authlogic or Devise). See Changing Defaults if you need different behavior.

1. Define Abilities

User permissions are defined in an Ability class. CanCan 1.5 includes a Rails 3 generator for creating this class.

rails g cancan:ability

In Rails 2.3, just add a new class in `app/models/ability.rb` with the following contents:

class Ability
  include CanCan::Ability

  def initialize(user)
  end
end

See Defining Abilities for details.

2. Check Abilities & Authorization

The current user’s permissions can then be checked using the can? and cannot? methods in the view and controller.

<% if can? :update, @article %>
  <%= link_to "Edit", edit_article_path(@article) %>
<% end %>

See Checking Abilities for more information.

The authorize! method in the controller will raise an exception if the user is not able to perform the given action.

def show
  @article = Article.find(params[:id])
  authorize! :read, @article
end

Setting this for every action can be tedious, so the load_and_authorize_resource method is provided to automatically authorize all actions in a RESTful style resource controller. It uses a before filter to load the resource into an instance variable and authorize it for every action.

class ArticlesController < ApplicationController
  load_and_authorize_resource

  def show
    # @article is already loaded and authorized
  end
end

See Authorizing Controller Actions for more information.

3. Handle Unauthorized Access

If the user authorization fails, a CanCan::AccessDenied exception will be raised. You can catch this and modify its behavior in the ApplicationController.

class ApplicationController < ActionController::Base
  rescue_from CanCan::AccessDenied do |exception|
    redirect_to root_url, :alert => exception.message
  end
end

See Exception Handling for more information.

4. Lock It Down

If you want to ensure authorization happens on every action in your application, add check_authorization to your ApplicationController.

class ApplicationController < ActionController::Base
  check_authorization
end

This will raise an exception if authorization is not performed in an action. If you want to skip this, add skip_authorization_check to a controller subclass. See Ensure Authorization for more information.
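The four steps above, worked as one runnable example. This is an added illustration, not CanCan's code: MiniAbility is a small stand-in that mirrors the gem's rule-evaluation semantics (last matching rule wins, :manage and :all wildcards, block conditions consulted only for instances) so the Ability class, can?, authorize! and the access-denied exception can be exercised offline; User, Article and the admin/owner rules are constructed sample data.

```ruby
# Added stand-in for the rule evaluation behind CanCan's Ability DSL; not the
# gem's code. Mirrored semantics: :manage matches any action, :all any subject,
# rules are checked last-to-first and the first whose conditions hold decides,
# and a block rule counts as matching when the subject is a class, not an instance.
class AccessDenied < StandardError; end
Rule = Struct.new(:allow, :action, :subject, :block)

module MiniAbility
  def can(action, subject, &blk);    rules << Rule.new(true, action, subject, blk);  end
  def cannot(action, subject, &blk); rules << Rule.new(false, action, subject, blk); end

  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    hit = rules.reverse.find do |r|
      (r.action == :manage || r.action == action) &&
        (r.subject == :all || r.subject == klass) &&
        (r.block.nil? || subject.is_a?(Class) || r.block.call(subject))
    end
    hit ? hit.allow : false   # no matching rule means denied by default
  end

  def cannot?(action, subject); !can?(action, subject); end

  def authorize!(action, subject)
    raise AccessDenied, "not authorized to #{action}" if cannot?(action, subject)
    subject
  end

  def rules; @rules ||= []; end
end

# Constructed sample models standing in for the app's ActiveRecord records.
User    = Struct.new(:id, :admin)
Article = Struct.new(:user_id, :published)

class Ability
  include MiniAbility

  def initialize(user)
    user ||= User.new(nil, false)        # guest: not signed in
    can :read, Article                   # anyone may read articles
    if user.admin
      can :manage, :all                  # admins may do anything...
    else
      can(:update, Article) { |article| article.user_id == user.id }  # ...others edit only their own
    end
    # Later rules win: this denies destroying published articles, even for admins.
    cannot(:destroy, Article) { |article| article.published }
  end
end

def allowed?(user, action, subject); Ability.new(user).can?(action, subject); end
```

Note the class-level check (can? :update, Article) answers true for any signed-in user because the block is skipped for classes; only the instance check enforces ownership, which is why authorize! is run against the loaded record.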

Wiki Docs

Questions or Problems?

If you have any issues with CanCan which you cannot find the solution to in the documentation, please add an issue on GitHub or fork the project and send a pull request.

To get the specs running you should call bundle and then rake. See the spec/README for more information.

Special Thanks

CanCan was inspired by declarative_authorization and aegis. Also many thanks to the CanCan contributors. See the CHANGELOG for the full list.
