Jabberwocky

snicker-snack!

Cancan, After a Closer Look

| Comments

Well, we’re into our first weeks of using cancan, and my earlier enthousiasm has been tempered somewhat. It turns out that Cancan, although being well-written, is an Opinionated plugin. It may have been intended only for very simple applications.

Let me explain. Authorization happens mostly at controller level. Cancan offers sweetened before_filter for this purpose. One being:

1
load_and_authorize_resource

which will do some standard loading action for you (nesting is possible). It is implied that the model has the same name as your controller, let’s say a CommentsController will load and authorize based on the model Comment.

It’s made flexible to a certain extent, because you can specify another model, like

load_and_authorize_resource :class => Post

Besides that, you can decide to use your own before_filter to do your own custom loading of the model. If you don’t want to load, you can use

1
authorize_resource

(without the load)

But for me we’re already in muddy waters, First off, I want authorization only, it’s unnecessary to load the instance variables for me, that’s not what I expect from this plugin. So I’ll stick with authorize_resource.

Secondly, we’re wanting to authorize a resource, not a model A resource, as in REST, should be disconnected from the model, that’s implied in the MVC pattern. The resource is what we expose to the outside world, whether as URL or in a more general API. Models are the developer’s business and nobody else’s. Linking both is awfully restrictive: usually, you’ll also have controllers that use several models, controllers that use a cache or set off background tasks etc.

This is possible with Cancan in a rather roundabout way, by using symbols when defining an authorization rule and making a before_filter.

This is why I decided to fork and add the required behaviour to the plugin. To quote what I added to the README:

If the resource is not linked to a model, you can use the authorize_resource filter with the :resource option. When the resource name is the controller name, use

1
authorize_resource :resource => :controller

(for instance CalendarsController will authorize on :calendar) When another name is required, a symbol can be used.

1
authorize_resource :resource => :coffee

This may be enough for us to be able to work with it … we’ll see.

Comments