CODEWITHSUNDEEP
ruby-on-railscancan
Jon Lehman
Jon Lehman

Reputation: 19

CanCan is not authorizing a controller action when it will work just fine with accessible_by

I've been struggling with CanCan for the past few days and need some help. My users are supposed to be able to access Contacts they or their team-members create. I set up an ability for that, and it works for collecting data (CanCan limits the index to only contacts that should be viewable via 'accessable_by'), but when you click on a contact, CanCan throws a 'not authorized' error.

I have looked at the Contacts table itself and can verify that the current_user has the same team_id as the contact I clicked on, so it seems like it should work, but it does not.

Thanks for any help you can provide.

Here is the ability.rb file:

    class Ability
    include CanCan::Ability

    def initialize(user)
        # Define abilities for the passed in user here. For example:
        #

        user ||= User.new # guest user (not logged in)

        case user.role
            when "admin"        then 
              can :manage, :all
            when "team_admin"   then
              can :manage, Team,        :team => { :id => user.team_id }
              can :manage, Upload,      :team => { :id => user.team_id }
              can :manage, Property,    :team => { :id => user.team_id }
              can :manage, Contact,     :team => { :id => user.team_id }
              can :manage, Appointment, :team => { :id => user.team_id }
            when "user"         then                   
              can :manage, Team,        :team => { :id => user.team_id }
              can :manage, Upload,      :team => { :id => user.team_id }
              can :manage, Property,    :team => { :id => user.team_id }
              can :manage, Contact#,    :team => { :id => user.team_id }
              can :manage, Appointment, :team => { :id => user.team_id }
              can :read, User,          :user => { :id => user.id}

              can :create, Team     
              can :create, Upload       
              can :create, Property     
             # can :create, Contact 
              can :create, Appointment

              can :index, Property  
             # can :index, Contact  
        end

            # if user.role == "admin"
            #   can :manage, :all
            # else
            #   can :read, :all
            # end

        #
        # The first argument to `can` is the action you are giving the user permission to do.
        # If you pass :manage it will apply to every action. Other common actions here are
        # :read, :create, :update and :destroy.
        #
        # The second argument is the resource the user can perform the action on. If you pass
        # :all it will apply to every resource. Otherwise pass a Ruby class of the resource.
        #
        # The third argument is an optional hash of conditions to further filter the objects.
        # For example, here the user can only update published articles.
        #
        #   can :update, Article, :published => true
        #
        # See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities
    end
end

Here is the Show action in my Contacts controller:

  def show
    @contact = Contact.find(params[:id])
    authorize! :show, @contact

    respond_to do |format|
      format.html # show.html.erb
      format.json { render json: @contact }
    end


  end

Here is the User model:

class User < ActiveRecord::Base

  has_secure_password
  attr_accessible :email, :password, :password_confirmation, :first_name, :last_name, :team_id, :role

  belongs_to :team
  has_many :appointments
  has_many :contacts
  has_many :properties

  ROLES = %w[admin group_admin user disabled]

  validates_uniqueness_of :email

  before_create { generate_token(:auth_token) }

  def send_password_reset
    generate_token(:password_reset_token)
    self.password_reset_sent_at = Time.zone.now
    save!
    UserMailer.password_reset(self).deliver
  end

  def generate_token(column)
    begin
      self[column] = SecureRandom.urlsafe_base64
    end while User.exists?(column => self[column])
  end

end

Here is the Contact model:

class Contact < ActiveRecord::Base
  attr_accessible :address_1, :address_2, :city, :first_name, :last_name, :state, :zip, :team_id
  has_and_belongs_to_many :properties
  belongs_to :user
  belongs_to :team
  has_many :appointments
end

and finally, here is the Team model:

class Team < ActiveRecord::Base
  attr_accessible :team_name

  has_many :users
  has_many :appointments
  has_many :contacts
  has_many :properties
end

Upvotes: 0

Views: 1209

Answers (1)

Thanh
Thanh

Reputation: 8604

Try using this:

when "user"         then  
  ...
  can :manage, Contact, user_id: user.id, team_id: user.team.id
  ...
  can :create, Contact
  ...

Upvotes: 1

Related Questions