chmich

Reputation: 1176

prohibit :update in cancan conflicting with :edit

CanCanCan version 3.4.0

Similar issue on github

I have a project with a lot of permissions, for example based on user roles: If a user is staff, he can :edit but not :update, just defined by something like can [:update], project if user.staff?.

So far, so good.

Now I want to restrict all users to read-only when the project is locked. My idea was to do something like

 cannot %i[update update_extra_costs], Project, locked?: true

at the end of the Ability Model.

The problem is that, in terms of docs, :update and :edit are coupled for simplicity. If I now do the cannot :update, it also restricts the :edit!

But most users should be able to see the form (read-only!) and not be able to do an :update.

As a workaround I tried something like a

if can? :edit, Project #=> only if a can? is defined above
  cannot [:update], Project, locked?: true
  can [:edit], Project
end

The can after the cannot did the trick that edit was allowed but the update not! But this was not the solution because it would allow all users to see the edit view! So I tried to wrap this in the if, but it didn't work, because can? doesn't work inside the Ability Model.

Questions

How to do things like this properly?

Is there a way to unlink :edit and :update so that a cannot :update would not affect the :edit?

Upvotes: 0

Views: 79

Answers (1)

chmich

Reputation: 1176

I solved it on model-level, not by cancan. Now there is a .locked? method on the model that decides if an update is possible.

Upvotes: 0
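A sketch of the model-level approach the answer describes, added here as an example and not the poster's code: the lock is enforced on the write path itself, while the decision to show the (read-only) form stays separate. It is plain Ruby without Rails or CanCanCan; every class and method name except `locked?` and `staff?` is hypothetical.

```ruby
# Added example. Names other than locked? and staff? are hypothetical.
class LockedError < StandardError; end
class NotPermittedError < StandardError; end

User = Struct.new(:name, :staff) do
  def staff?
    staff
  end
end

class Project
  attr_reader :title

  def initialize(title:, locked: false)
    @title = title
    @locked = locked
  end

  def locked?
    @locked
  end

  # Who may open the edit form. Lock state is deliberately ignored here so
  # the form can still be rendered read-only for a locked project.
  def form_visible_to?(user)
    user.staff?
  end

  # Who may write: the role check and the lock must both pass.
  def updatable_by?(user)
    form_visible_to?(user) && !locked?
  end

  # The write path re-checks the decision itself, so a request that skips
  # the form (or a form that forgot to disable its inputs) is still refused.
  def update!(user, attrs)
    raise LockedError, "project is locked" if locked?
    raise NotPermittedError, "not permitted" unless updatable_by?(user)

    @title = attrs.fetch(:title, @title)
    self
  end
end

# Constructed sample data.
STAFF  = User.new("staff", true)
GUEST  = User.new("guest", false)
OPEN   = Project.new(title: "open")
LOCKED = Project.new(title: "locked", locked: true)
```

A view can use `updatable_by?` to disable the form's inputs, but the refusal that matters is the one inside `update!`.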
