Reputation: 823
and I am starting to learn cancan+devise.
I have a 'users' table (devise),
I have a 'posts' table (with a 'user_id' field),
I have a 'roles' table (with a 'name' field),
I have 'users_roles' (with 'user_id' and 'role_id').
I created 2 users with the 'user' role
and created 1 user with the 'admin' role.
user.rb
class User < ActiveRecord::Base
  has_many :posts
  has_many :users_roles
  has_many :roles, :through => :users_roles
end
role.rb
class Role < ActiveRecord::Base
  has_many :users_roles
  has_many :users, :through => :users_roles
end
users_role.rb
class UsersRole < ActiveRecord::Base
  belongs_to :user
  belongs_to :role
end
And here is the question:
I created ability.rb
with
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user
    if user.persisted?
      # logged in
      can :read, Post
      can :create, Post
      can :update, Post, :user_id => user.id
      can :destroy, Post, :user_id => user.id
    else
      # not logged in
      can :read, Post
    end
  end
end
In my views/posts/index.html.erb
<table>
<% @posts.each do |post| %>
  <tr>
    <td><%= post.user.email %></td>
    <td><%= post.title %></td>
    <td><%= post.text %></td>
    <td><%= link_to 'Show', post %></td>
    <% if can? :update, Post %>
      <% if current_user.id == post.user.id %>
        <td><%= link_to 'Edit', edit_post_path(post) %></td>
      <% end %>
    <% end %>
    <% if can? :destroy, Post %>
      <% if current_user.id == post.user.id %>
        <td><%= link_to 'Destroy', post, method: :delete, data: { confirm: 'Are you sure?' } %></td>
      <% end %>
    <% end %>
  </tr>
<% end %>
</table>
<br />
<!-- ??? why Post ? -->
<% if can? :create, Post %>
  <%= link_to 'New Post', new_post_path %>
<% end %>
In this case I check: if the user is logged in, he can read and create, update and destroy (if he is the author); if the user is not logged in (guest), he can only read.
But I don't know how to change my ability.rb to do that.
Note that I already have a roles table (with 2 roles) and 3 users (1 with the admin role, 2 with the user role).
Upvotes: 1
Views: 1740
Reputation: 2127
This is how I implemented cancan in my application to manage roles and a guest user.
Simply use if user.role == role to verify that the user has the right role.
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user
    if user.role == "author"
      # Author: read and create posts, update and destroy only own posts
      can :read, Post
      can :create, Post
      can :update, Post, :user_id => user.id
      can :destroy, Post, :user_id => user.id
      # a simple way to realize read, create, update and destroy is :manage
      # can :manage, Post, :user_id => user.id
    else
      if user.role == "admin"
        # User with role admin can manage all on all models
        can :manage, :all
      else
        # Guest user can only read something
        can :read, Post
        # or
        # can :read, [SomeModel1, SomeModel2]
        # can :read, :all # this means he can read all models
      end
    end
  end
end
Upvotes: 1
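As an added example (not code from the question or the answer), here is the ability logic for the asker's has_many :roles setup, with a minimal pure-Ruby stand-in for CanCan's rule matching so it runs without Rails or the gem; User, Post, Rule and has_role? are assumed names. It also shows why the view's can? :update, Post is true for every logged-in user while can? :update, post actually checks ownership.

```ruby
# Added example: a minimal stand-in for CanCan's rule matching (assumed to
# mirror the gem's hash-condition semantics; it is not the gem itself), so
# the role logic below runs without Rails. Role names come from the
# asker's users_roles join table, modelled here as an array of strings.
User = Struct.new(:id, :roles) do
  def persisted?
    !id.nil?
  end

  def has_role?(name)
    roles.include?(name)
  end
end
Post = Struct.new(:id, :user_id)

class Ability
  Rule = Struct.new(:action, :subject, :conditions)

  def initialize(user)
    @rules = []
    user ||= User.new(nil, [])             # guest: no id, no roles
    if user.has_role?("admin")
      can :manage, :all                    # admin: every action on every model
    elsif user.persisted?
      can :read, Post
      can :create, Post
      can :update, Post, user_id: user.id  # author only
      can :destroy, Post, user_id: user.id
    else
      can :read, Post                      # guest: read only
    end
  end

  def can(action, subject, conditions = {})
    @rules << Rule.new(action, subject, conditions)
  end

  # subject is a class (Post) or an instance (one post). Like CanCan, a
  # class-level check is true whenever some rule could apply; only an
  # instance check evaluates the hash conditions, i.e. the ownership test.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |r|
      next false unless [action, :manage].include?(r.action)
      next false unless [klass, :all].include?(r.subject)
      next true if subject.is_a?(Class) || r.conditions.empty?
      r.conditions.all? { |attr, val| subject.public_send(attr) == val }
    end
  end
end
```

In the real view, passing the instance (can? :update, post) makes the separate current_user.id == post.user.id comparison redundant, and the same instance check should run in the controller (load_and_authorize_resource) so a user cannot edit another user's post by hand-crafting the URL.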