Authorizing Namespaced and Nested Controllers Using Cancan

Authorizing Namespaced and Nested controllers using CanCan

Found out the answer: It was the namespace after all, it just needed a

can :access, "api/v1/likes"

CanCan: load_and_authorize_resource in namespace other than that of MainApp

It seems to be a bug in CanCan::ControllerResource#namespace:

def namespace
  @params[:controller].split("::")[0..-2]
end

As you see, it tries to split the controller path by :: but it comes in the form of my_engine/my_controller.

So the fix is dumb simple:

def namespace
  @params[:controller].split("/")[0..-2]
end

Wonder how they could miss such a stupid bug for so long. Shall send them a pull request.

P.S. Have just signed up to answer 8)
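
The difference between the two splits in the answer above, as an added example in plain Ruby (not CanCan's own code and not part of the original answer). The sample controller paths, the `Like` model name and the `qualified_name` helper are assumptions made for illustration.

```ruby
# Added illustration in plain Ruby; needs neither Rails nor CanCan.
# SAMPLE_PATHS and qualified_name are constructed for this example.

# Rails stores the controller *path* in params[:controller]
# ("my_engine/my_controller"), not the constant "MyEngine::MyController".
SAMPLE_PATHS = ["likes", "api/v1/likes", "my_engine/my_controller"].freeze

# The split described as buggy above: a path never contains "::",
# so the whole string is one element and [0..-2] drops it.
def namespace_by_colons(controller_path)
  controller_path.split("::")[0..-2]
end

# The split from the fix: everything before the last "/" is the namespace.
def namespace_by_slash(controller_path)
  controller_path.split("/")[0..-2]
end

# Hypothetical helper: prefix a model name with the namespace, to show how
# an empty namespace silently changes which constant a lookup would target.
def qualified_name(namespace, model)
  camelize = ->(s) { s.split("_").map(&:capitalize).join }
  (namespace.map(&camelize) + [model]).join("::")
end

# Resolve the same model name under both namespace derivations.
def compare(controller_path, model)
  {
    colons: qualified_name(namespace_by_colons(controller_path), model),
    slash:  qualified_name(namespace_by_slash(controller_path), model)
  }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |path|
    puts "#{path.inspect}: #{compare(path, 'Like')}"
  end
end
```

With the `::` split every controller path yields an empty namespace, so a namespaced and a top-level controller become indistinguishable to anything keyed on that value.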

Devise, cancan, and namespace routes

With plain cancan I think the only option would be to override all behavior:

can do |action, subject_class, subject|
  # custom logic to allow or deny permission
end

They show an example of this here: https://github.com/ryanb/cancan/wiki/Abilities-in-Database

The other option would be to use the cancan_namespace gem: https://github.com/galetahub/cancan_namespace

Cancancan: set authorization for all controllers

Yes you can. See this link

class ApplicationController < ActionController::Base
  check_authorization
end

How to manage permissions with CanCan on namespaced web app?

Problem solved with this solution:
https://github.com/ryanb/cancan/wiki/Authorization-for-Namespaced-Controllers
