Define Permissions on Specific Resource Attributes #420

Closed
adeelejaz opened this issue Jun 7, 2017 · 12 comments

@adeelejaz

adeelejaz commented Jun 7, 2017

This is more of a feature request, copied from the original project's 2.0 branch:

In CanCan 2.0 it is possible to define permissions on specific resource attributes. For example, if you want to allow a user to only update the name and priority of a project, pass that as the third argument to can.

can :update, :projects, [:name, :priority]

If you use this in combination with load_and_authorize_resource it will ensure that only those two attributes exist in params[:project] when updating the project. If you do this everywhere it will not be necessary to use attr_accessible in your models.

You can combine this with a hash of conditions. For example, here the user can update all attributes except the price when the product is discontinued.

can :update, :products
cannot :update, :products, :price, :discontinued => true

You can check permissions on specific attributes to determine what to show in the form.

<%= f.text_field :name if can? :update, @project, :name %>

Considering Ryan's comment on the ticket here, it might be worth looking at that implementation and just export it to the current project?

@mohjay

mohjay commented Jun 14, 2017

+1

@coorasse coorasse added this to the 3.0 milestone Jul 4, 2017
@pinkynrg

+1

@troyanryller

+1

@phaedryx
Contributor

phaedryx commented Dec 7, 2017

This would be incredibly useful.

@phaedryx
Contributor

phaedryx commented Dec 8, 2017

I've been looking at the code for CanCanCan vs. CanCan 2.0 for this feature and I think it is doable. I'd be willing to work it into a pull request.

If I got this working, how soon would I be able to get it merged into a release?

@phaedryx
Contributor

@coorasse I have some ideas about how to approach this, but I would love to talk it over with you. What is the best way to contact you?

@coorasse
Member

Hello @phaedryx, I would be happy to introduce such a feature in cancancan 3.0 since it is something that the community would like to see and also Ryan thought about it already seven years ago.

@phaedryx
Contributor

phaedryx commented Jan 3, 2018

I've got the pull request done: #474

Kick the tires and tell me what you think.

@coorasse
Member

coorasse commented Feb 1, 2019

This is addressed in the branch feature/3.0.0. 3.0.0 is not released yet but that branch can be used in the meantime. I close the issue. Thanks everyone for your help!

@coorasse coorasse closed this as completed Feb 1, 2019
@pjmartorell

pjmartorell commented May 22, 2019

@coorasse Hi! Is there any documentation of this feature? I was not able to find it. I just found some specs:

it 'allows an array of attributes in rules' do

I tried it and I was expecting that load_and_authorize_resource would authorize the resource at attribute-level, but it doesn't work, it just works when I use authorize!. Any hint?

@showthreadx

> @coorasse Hi! Is there any documentation of this feature? I was not able to find it. I just found some specs:
>
> it 'allows an array of attributes in rules' do
>
> I tried it and I was expecting that load_and_authorize_resource would authorize the resource at attribute-level, but it doesn't work, it just works when I use authorize!. Any hint?

Hey, I faced the same problem as you, will be glad for any help, how did you solve this?

@stahor

stahor commented Sep 16, 2019

@pjmartorell @showthreadx I don't see any changes to load_and_authorize_resource in #474. It would be quite a bad idea actually. But this PR introduces a permitted_attributes method which can be used as described here: #474 (comment)
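
The last comments in this thread turn on one point: attribute-level rules only protect against mass assignment if incoming parameters are filtered against them. The sketch below is an added example, not code from CanCanCan, PR #474 or any participant; `MiniAbility`, its four-argument `can?` and `filter_params` are hypothetical simplified stand-ins (later rules take precedence), applied to the `:products` rules quoted in the issue with constructed sample records.

```ruby
# Simplified stand-in for attribute-scoped rules (hypothetical MiniAbility,
# not CanCanCan's implementation). Later rules take precedence.
Rule = Struct.new(:allow, :action, :subject, :attributes, :conditions)

class MiniAbility
  def initialize
    @rules = []
  end

  def can(action, subject, attributes = nil, conditions = {})
    @rules << Rule.new(true, action, subject, attributes && Array(attributes), conditions)
  end

  def cannot(action, subject, attributes = nil, conditions = {})
    @rules << Rule.new(false, action, subject, attributes && Array(attributes), conditions)
  end

  # The last matching rule decides; no matching rule means denied.
  def can?(action, subject, record, attribute)
    rule = @rules.reverse.find do |r|
      r.action == action && r.subject == subject &&
        (r.attributes.nil? || r.attributes.include?(attribute)) &&
        r.conditions.all? { |key, value| record[key] == value }
    end
    !rule.nil? && rule.allow
  end

  # Attributes of this record the caller may write for the given action.
  def permitted_attributes(action, subject, record)
    record.keys.select { |attr| can?(action, subject, record, attr) }
  end
end

# Drop every submitted key that is not permitted, instead of trusting the form.
def filter_params(ability, action, subject, record, submitted)
  allowed = ability.permitted_attributes(action, subject, record)
  submitted.select { |key, _| allowed.include?(key) }
end

# Constructed sample data: the rules quoted in the issue and a forged request.
ABILITY = MiniAbility.new
ABILITY.can :update, :products
ABILITY.cannot :update, :products, :price, discontinued: true
DISCONTINUED = { name: "Lamp", price: 40, discontinued: true }
ACTIVE = { name: "Desk", price: 90, discontinued: false }
FORGED = { name: "Lamp v2", price: 1 }
```

Hiding the price field in the form does not stop a client from submitting `price`; only the server-side filter removes it for the discontinued record.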
