Narayana

Reputation: 2774

Rails 3.2 - Access denied exception for custom action in CanCan - but only in production

I'm using Ruby 1.9 on Rails 3.2.13, with Devise and CanCan for authentication and authorization. I have a custom action in a controller that works properly with anonymous users in the development environment. When I deployed it to Heroku, the same page threw a 'not authorized' error. I set RAILS_ENV=production locally and got the same error, but when I set RAILS_ENV back to development it starts working fine.

I don't see any environment-specific configuration for CanCan. From the docs and examples, it doesn't look like I need anything more to make this work. Can someone please help? Here's the code:

config/routes.rb

...
resources :venues do
  ...
  ...
  collection do
    get 'testaction'   # GET /venues/testaction -> VenuesController#testaction (no :id param)
  end
...

models/ability.rb

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not signed in)
    if user.role? :admin
      can :manage, :all
    else
      can :testaction, Venue   # guests may call the testaction collection action
    end
  end
end

controllers/venues_controller.rb

class VenuesController < ApplicationController
  before_filter :authenticate_user!, :except => [:testaction] # tried with & w/o this line
  # For a collection action with no :id, CanCan authorizes :testaction against the Venue class
  load_and_authorize_resource

  def testaction
    respond_to do |format|
      format.html
    end
  end
  ...
  ...
end

I also tried adding the custom action under member instead of collection in routes, but the behaviour is the same.

Thanks!

Upvotes: 0

Views: 999

Answers (1)

RohitPorwal

Reputation: 1065

I was also getting a similar error with Users; then I found a good working repository for understanding the flow of CanCan with Devise for authorizing and authenticating roles.

Please follow the instructions given in the repository and match your code step by step.

https://github.com/RailsApps/rails3-bootstrap-devise-cancan

I suggest using authorize_resource :class => false instead of load_and_authorize_resource in your controller. I think it will help you.

Thanks.

Upvotes: 2
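The suggestion above changes what CanCan authorizes, not just how it loads: with the default options, a collection action such as testaction is authorized against the Venue class, while authorize_resource :class => false authorizes against the singularised controller name as a symbol (:venue). A rule written as can :testaction, Venue does not match the symbol :venue, so the guest branch of ability.rb has to change with the controller, or guests will be denied while admins (who hold can :manage, :all) still get through. The following is an added example, not code from the question, the answer, or the cancan gem: it re-implements in plain Ruby the subject-matching logic of CanCan 1.x (MiniAbility, Rule, original_ability, symbol_ability and collection_subject are names chosen here; blocks, :conditions hashes and action aliases are left out because they do not affect this point).

```ruby
# Added illustration, not the cancan gem: a stripped-down model of how CanCan 1.x
# decides whether a rule from Ability#initialize matches the subject that
# load_and_authorize_resource (class or loaded record) or
# authorize_resource :class => false (a symbol) passes to authorize!.

class Venue
  attr_reader :id
  def initialize(id = nil)
    @id = id
  end
end

class User
  attr_reader :roles
  def initialize(roles = [])
    @roles = roles
  end

  def role?(role)
    roles.include?(role)
  end
end

class Rule
  def initialize(actions, subjects)
    @actions  = Array(actions)
    @subjects = Array(subjects)
  end

  def relevant?(action, subject)
    matches_action?(action) && matches_subject?(subject)
  end

  # :manage is CanCan's wildcard action.
  def matches_action?(action)
    @actions.include?(:manage) || @actions.include?(action)
  end

  # Mirrors CanCan's Rule#matches_subject?: a rule written against a class
  # matches that class, an instance of it (also across class reloading, via
  # the name comparison) or a subclass. A rule written against a symbol
  # matches only that exact symbol, so `can :testaction, Venue` does NOT
  # cover `authorize! :testaction, :venue`.
  def matches_subject?(subject)
    return true if @subjects.include?(:all) || @subjects.include?(subject)
    @subjects.any? do |sub|
      sub.kind_of?(Module) &&
        (subject.kind_of?(sub) ||
         subject.class.to_s == sub.to_s ||
         (subject.kind_of?(Module) && subject.ancestors.include?(sub)))
    end
  end
end

class MiniAbility
  def initialize
    @rules = []
  end

  def can(action, subject)
    @rules << Rule.new(action, subject)
  end

  def can?(action, subject)
    @rules.any? { |rule| rule.relevant?(action, subject) }
  end
end

# The rules from the question's models/ability.rb, expressed against this model.
def original_ability(user)
  ability = MiniAbility.new
  if user.role?(:admin)
    ability.can :manage, :all
  else
    ability.can :testaction, Venue
  end
  ability
end

# The rule the guest branch needs once the controller authorizes a symbol
# (authorize_resource :class => false) instead of the Venue class.
def symbol_ability(user)
  ability = MiniAbility.new
  if user.role?(:admin)
    ability.can :manage, :all
  else
    ability.can :testaction, :venue
  end
  ability
end

# Subject CanCan passes to authorize! for a collection action with no :id param
# and no @venue set: the resource class by default, or the singularised
# controller name as a symbol when :class => false is given.
def collection_subject(class_option_false)
  class_option_false ? :venue : Venue
end

if $PROGRAM_NAME == __FILE__
  guest = User.new
  [false, true].each do |opt|
    verdict = original_ability(guest).can?(:testaction, collection_subject(opt)) ? 'allows' : 'denies'
    puts "class option #{opt ? ':class => false' : 'default'}: original ability #{verdict} the guest"
  end
end
```

Because admins pass through can :manage, :all regardless of the subject, checking the page only while signed in as an admin hides the mismatch. Whichever controller macro is used, exercise the guest branch directly (Ability.new(nil).can?(:testaction, Venue) or Ability.new(nil).can?(:testaction, :venue), matching the macro) in a spec, so that the rule and the controller stay in agreement across environments.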
