CanCan doesn't work on this model


ability.rb

can :update, User, :auth_token => current_user.auth_token


users_controller.rb

@user = User.find(params[:id])
authorize! :update, @user

If I go to the URL directly, it does work well. Authorizes where it’s
supposed to, and it doesn’t authorize where it’s supposed to.

The problem is, in users/index.html.erb I’m listing the users and it
doesn’t display the Edit link at all.

index.html.erb

@users = User.all
[…]
<% if can? :update, @user %>
<%= link_to 'Edit', edit_user_path(user) %>
<% end %>

I’m thinking I’m probably having this problem because I’m working with
nested resources.

routes.rb

resources :companies do
resources :users
end

But I have also tried working with :through and it still doesn’t display
the Edit link. Can somebody please tell me why?

I kept on simplifying the code to get to the root of the problem and it
seems it won’t work regardless of what I do.

in ability.rb
can :manage, :all

So it’s supposed to allow the user to do ANYTHING, right? Wrong!

If in users_controller.rb I tried working with nested resources, it
ALWAYS gives me an Access Denied error.

users_controller.rb
load_resource :company
load_resource :user, :through => :company

On Aug 9, 2011, at 12:39 PM, Leonel . wrote:

ALWAYS gives me Access Denied error.

users_controller.rb
load_resource :company
load_resource :user, :through => :company

Try changing this to simply:

#users_controller.rb
load_and_authorize_resource

I believe that will get all of the nested stuff automagically, you
don’t have to specify the relationship. After all, that’s what your
models are for.

Walter

Ok, I read the CanCan documentation more carefully and this jumped out
of the screen…
“This will fetch the project using Project.find(params[:project_id]) on
every controller action, save it in the @project instance variable…”

When I was going to /users the companies resource was empty and it would
throw the Access Denied error unless I used shallow nesting (:shallow =>
true).

So I should’ve been going to /companies/45/users instead. Then companies
get loaded as well as users. My problem with this is that it can only
display users from a certain company.

I’m still not accomplishing what I want. Because the page should display
all companies and all users under each company. I’m closer to finding
the answer than I was before. I’ll keep on trying.

Ok. This is the question I’m looking for the answer to: how can I load and
authorize the companies in the users_controller.rb file?

I already tried load_and_authorize_resource :company

@companies and @company are empty in the view.
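
An added example, not part of the original thread and not CanCan's own code: a small stand-in for CanCan-style rule matching, showing how the posted `can :update, User, :auth_token => ...` rule answers when the view asks about `@user` versus each listed `user`. It assumes the index action sets only `@users`, so `@user` is nil in the view; `MiniAbility`, `USERS` and the two helper methods are hypothetical names and the sample users are constructed.

```ruby
# Simplified stand-in for CanCan-style rule matching (not the gem's code).
User = Struct.new(:id, :company, :auth_token)

class MiniAbility
  def initialize(current_user)
    @rules = []
    # Same rule as the ability.rb posted in the thread.
    can :update, User, :auth_token => current_user.auth_token
  end

  def can(action, subject_class, conditions = {})
    @rules << [action, subject_class, conditions]
  end

  # Class subject: conditions are skipped, there is no record to test.
  # Instance subject: class must match and every condition must hold.
  # nil is neither, so no rule applies and the answer is false.
  def can?(action, subject)
    @rules.any? do |rule_action, klass, conditions|
      next false unless rule_action == action
      next true if klass.equal?(subject)
      subject.is_a?(klass) &&
        conditions.all? { |attr, value| subject.public_send(attr) == value }
    end
  end
end

# Constructed sample data: three users in two companies.
USERS = [
  User.new(1, "Acme", "tok-a"),
  User.new(2, "Acme", "tok-b"),
  User.new(3, "Globex", "tok-c")
].freeze

# The view as posted: every row asks about @user, which is nil here.
def edit_links_using_ivar(ability, users)
  users.select { ability.can?(:update, @user) }.map(&:id)
end

# Per-row check on the block variable, grouped by company.
def edit_links_per_row(ability, users)
  users.group_by(&:company).transform_values do |members|
    members.select { |user| ability.can?(:update, user) }.map(&:id)
  end
end
```

With user 2 signed in, the first helper returns no ids at all, while the second returns only that user's own row under its company. Asking about the `User` class itself returns true, so a class-level check is not a substitute for the per-record one.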