CanCan not fully supported in Rails 4


It seems that Ryan Bates stopped developing CanCan. Rails 4 is not fully supported, and ready4rails4 says that it doesn't work.

Should I replace CanCan with another authorization library?

Regards


I no longer use CanCan in new projects, exactly because of the reasons you mentioned: too many open issues and unresolved pull requests.

You may want to have a look at Ryan's "Authorization From Scratch" RailsCasts.

You may also find the following snippets of code useful:

lib/errors/

module Errors
  class NotAuthorizedError < StandardError; end
end

app/controllers/application_controller.rb

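class ApplicationController < ActionController::Base

  private # keep the helpers from being exposed as routable controller actions

  # Raises unless the record's policy answers true to "<action>?" (e.g. update?).
  def authorize(record)
    raise Errors::NotAuthorizedError unless policy(record).public_send(params[:action] + "?")
  end

  # Looks up the policy class by naming convention: User -> UserPolicy.
  def policy(record)
    "#{record.class}Policy".constantize.new(current_user, record)
  end
end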

app/policies/user_policy.rb

class UserPolicy

  attr_reader :user, :current_user

  def initialize(current_user, user)
    @current_user = current_user
    @user = user
  end

  def update?
    user == current_user
  end
end

app/controllers/

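class UsersController < ApplicationController

  def update
    @user = User.find(params[:id])
    # Raises Errors::NotAuthorizedError unless UserPolicy#update? returns true.
    authorize(@user)
    # etc
  end
end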

This solution, which I currently use in all my new apps, is based on the following excellent article: http://www.elabs.se/blog/52-simple-authorization-in-ruby-on-rails-apps. It is so simple to implement and test that you can easily adapt it to your application needs.

Good luck replacing CanCan.
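
The policy-object pattern from the answer above can be exercised without Rails. The following is an added example, not part of the original answer: it shows the same lookup made fail-closed, so a missing policy class or an action with no matching predicate is denied rather than raising NameError or NoMethodError. `Authorizer`, `allowed?` and the Struct-based `User`/`Post` records are assumptions made for the illustration.

```ruby
# Added example in plain Ruby (no Rails). Authorizer and the Struct-based
# User/Post records are hypothetical stand-ins, not code from the answer.
module Errors
  class NotAuthorizedError < StandardError; end
end

User = Struct.new(:id)        # constructed sample record types
Post = Struct.new(:author_id) # deliberately has no PostPolicy

class UserPolicy
  attr_reader :user, :current_user

  def initialize(current_user, user)
    @current_user = current_user
    @user = user
  end

  def update?
    user == current_user
  end
end

module Authorizer
  # Fail closed: only "<action>?" predicates defined on the policy class
  # itself are honoured, so "nil" or "destroy" cannot reach Object#nil? or
  # raise NoMethodError. Policies that inherit predicates need a wider check.
  def self.authorize(current_user, record, action)
    policy = policy_for(current_user, record)
    predicate = :"#{action}?"
    allowed = policy.class.public_instance_methods(false).include?(predicate) &&
              policy.public_send(predicate)
    raise Errors::NotAuthorizedError, "#{action} denied on #{record.class}" unless allowed
    true
  end

  # A record type without a matching policy class is denied outright.
  def self.policy_for(current_user, record)
    Object.const_get("#{record.class}Policy").new(current_user, record)
  rescue NameError
    raise Errors::NotAuthorizedError, "no policy for #{record.class}"
  end

  # Boolean wrapper, convenient in tests and views.
  def self.allowed?(current_user, record, action)
    authorize(current_user, record, action)
  rescue Errors::NotAuthorizedError
    false
  end
end
```

In a Rails controller the raised `Errors::NotAuthorizedError` would typically be mapped to a 403 response with `rescue_from`.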