Unable to configure cancancan with active_admin in rails

pushpam kumar asked in Rails

I am trying to make a blog website. I am using the active_admin and cancancan gems. The two controllers I have made are Post and Category.

posts_controller.rb

class PostsController < InheritedResources::Base
  # CanCan: load the Post (or the Post collection) for the current action and
  # authorize it against the current user's Ability before the action runs.
  load_and_authorize_resource

  private

  # Strong parameters used by InheritedResources for create/update.
  def post_params
    params.require(:post).permit(:title, :body, :user_id, :published_at)
  end
end

categories_controller.rb

class CategoriesController < InheritedResources::Base
  # Same pattern as PostsController: load, then authorize, the Category.
  load_and_authorize_resource

  private

  # The categories table has a single string column named "category".
  def category_params
    params.require(:category).permit(:category)
  end
end

user.rb

class User < ApplicationRecord
  has_many :posts

  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
  devise :database_authenticatable,
         :recoverable, :rememberable, :validatable

  # Role predicates backed by the string "role" column (default "guest").
  def admin?
    role == "admin"
  end

  def regular?
    role == "regular"
  end

  def guest?
    role == "guest"
  end
end

ability.rb

class Ability
  include CanCan::Ability

  def initialize(user)
    # Define abilities for the passed in user here.
    # A visitor who is not signed in arrives as nil; treat them as a fresh
    # (guest) User so that `user.admin?` below does not raise NoMethodError.
    user ||= User.new

    if user.admin?
      can :manage, :all
    else
      can :read, :all
    end
  end
end

schema.rb

ActiveRecord::Schema.define(version: 2019_02_18_221247) do

  create_table "active_admin_comments", force: :cascade do |t|
    t.string "namespace"
    t.text "body"
    t.string "resource_type"
    t.integer "resource_id"
    t.string "author_type"
    t.integer "author_id"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.index ["author_type", "author_id"], name: "index_active_admin_comments_on_author_type_and_author_id"
    t.index ["namespace"], name: "index_active_admin_comments_on_namespace"
    t.index ["resource_type", "resource_id"], name: "index_active_admin_comments_on_resource_type_and_resource_id"
  end

  create_table "categories", force: :cascade do |t|
    t.string "category"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
  end

  create_table "posts", force: :cascade do |t|
    t.string "title"
    t.text "body"
    t.integer "user_id"
    t.date "published_at"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.integer "category_id"
  end

  create_table "users", force: :cascade do |t|
    t.string "email", default: "", null: false
    t.string "encrypted_password", default: "", null: false
    t.string "reset_password_token"
    t.datetime "reset_password_sent_at"
    t.datetime "remember_created_at"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.string "role", default: "guest"
    t.index ["email"], name: "index_users_on_email", unique: true
    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
  end

end

I am trying to define authorization based on role; the role column is in the users table, and by default a new user is a guest user.

My goal is to allow a guest user to only read Posts.

Problem: I am getting access denied for both the admin and the guest user, though I have clearly defined what the different types of user can do in ability.rb.

If you need more info about the code you can check it on github.
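The following is an added example, not code from the original question or from the cancancan or ActiveAdmin projects. It exercises a role-based Ability of the same shape as the one above without the gem or a database, so the rule set can be checked in isolation: `MiniAbility` is a hand-rolled stand-in that models only the matching semantics the question relies on (the `:manage` action alias, the `:read` alias for `:index`/`:show`, and the `:all` subject); `User`, `Post` and `Category` are constructed stand-ins for the models; the `regular` role's rules are an assumption, since the question only states what guests and admins should be able to do. It also guards against a `nil` user, which is what CanCan receives for a visitor who is not signed in. Note that ActiveAdmin only routes its own authorization through CanCan once `config.authorization_adapter = ActiveAdmin::CanCanAdapter` is set in config/initializers/active_admin.rb; this example does not touch that wiring.

```ruby
# Added example: a minimal stand-in for CanCan::Ability so a role-based rule set
# can be exercised without the cancancan gem or a database. Only the matching
# semantics the question relies on are modelled (:manage, :read, :all); the real
# gem is far richer (cannot, hash conditions, blocks, instance attributes).

# Constructed stand-in for the devise User model: only the role column matters,
# and a new user defaults to "guest", as in schema.rb.
class User
  attr_reader :role

  def initialize(role: "guest")
    @role = role
  end

  def admin?;   role == "admin";   end
  def regular?; role == "regular"; end
  def guest?;   role == "guest";   end
end

# Constructed stand-ins for the two resources; CanCan matches on the class.
class Post; end
class Category; end

# Hypothetical minimal DSL mirroring the shape of CanCan::Ability.
module MiniAbility
  READ_ACTIONS = [:index, :show].freeze

  def can(action, subject)
    rules << [action, subject]
  end

  # True if any rule grants `action` on `subject` (a class or an instance).
  def can?(action, subject)
    subject_class = subject.is_a?(Class) ? subject : subject.class
    rules.any? do |rule_action, rule_subject|
      action_matches?(rule_action, action) && subject_matches?(rule_subject, subject_class)
    end
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end

  private

  def rules
    @rules ||= []
  end

  # :manage matches every action; :read matches :read, :index and :show.
  def action_matches?(rule_action, action)
    return true if rule_action == :manage
    return action == :read || READ_ACTIONS.include?(action) if rule_action == :read
    rule_action == action
  end

  def subject_matches?(rule_subject, subject_class)
    rule_subject == :all || rule_subject == subject_class
  end
end

class Ability
  include MiniAbility

  def initialize(user)
    # Not-signed-in visitors arrive as nil: treat them as a fresh guest instead
    # of calling nil.admin?, which raises NoMethodError rather than AccessDenied.
    user ||= User.new

    if user.admin?
      can :manage, :all
    elsif user.regular?
      can :read, :all          # assumption: regular users may browse everything
    else
      can :read, Post          # guests (and nil) may only read posts
    end
  end
end

# Build an Ability for a role string, or for a nil (anonymous) user.
def ability_for(role)
  Ability.new(role.nil? ? nil : User.new(role: role))
end

if __FILE__ == $PROGRAM_NAME
  puts ability_for("admin").can?(:destroy, Category)   # true
  puts ability_for("guest").can?(:show, Post)          # true
  puts ability_for("guest").cannot?(:create, Post)     # true
  puts ability_for(nil).can?(:read, Post)              # true
end
```

Run with `ruby ability_check.rb`. The same `can?`/`cannot?` calls are what you would run in a Rails console against the real `Ability.new(current_user)` to confirm the rules before blaming the controller or the ActiveAdmin wiring.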
