CanCanCan version 3.4.0
Similar issue on GitHub
I have a project with a lot of permissions, for example based on user roles: If a user is staff, he can :edit but not :update, just defined by something like can [:update], project if user.staff?.
So far, so good.
Now I want to restrict all users to read-only when a project is locked. My idea was to do something like
cannot %i[update update_extra_costs], Project, locked?: true
at the end of the Ability Model.
The problem is that, in terms of docs, :update and :edit are coupled for simplicity. If I now do the cannot :update, it also restricts the :edit!
But most users should be able to see the form (read-only!) and not be able to do an :update.
As a workaround I tried something like a
if can? :edit, Project #=> only if a can? is defined above
  cannot [:update], Project, locked?: true
  can [:edit], Project
end
The can after the cannot did the trick: edit was allowed but update was not! But this was not the solution, because it would allow all users to see the edit view! So I tried to wrap this in the if, but it didn't work, because can? doesn't work inside the Ability Model.
Questions
How to do things like this properly?
Is there a way to unlink :edit and :update so that a cannot :update would not affect the :edit?
I solved it on model-level, not by cancan. Now there is a .locked? method on the model that decides if an update is possible.
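Why a cannot :update also blocks :edit, and what changes once the alias is removed, shown as an added example that is not part of the original posts: a simplified plain-Ruby model of CanCanCan-style rule matching, not the gem's code. The MiniAbility class, the staff_ability helper and the sample Project are hypothetical; in the gem itself the alias table is managed with alias_action and clear_aliased_actions.

```ruby
# Constructed stand-in for the model: only the locked? flag matters here.
Project = Struct.new(:locked) do
  def locked?
    locked
  end
end

# Hypothetical, simplified rule engine (assumption: mirrors "last matching rule wins").
class MiniAbility
  Rule = Struct.new(:allow, :actions, :subject, :conditions)

  def initialize(aliases)
    @aliases = aliases # { update: [:edit] } models the coupling; {} models it cleared
    @rules = []
  end

  def can(actions, subject, conditions = {})
    add(true, actions, subject, conditions)
  end

  def cannot(actions, subject, conditions = {})
    add(false, actions, subject, conditions)
  end

  # The most recently defined rule whose action, subject and conditions match decides.
  def can?(action, object)
    rule = @rules.reverse.find do |r|
      r.actions.include?(action) && object.is_a?(r.subject) &&
        r.conditions.all? { |meth, want| object.public_send(meth) == want }
    end
    rule ? rule.allow : false
  end

  private

  # Each rule stores its actions with aliases expanded, so :update drags :edit along.
  def add(allow, actions, subject, conditions)
    expanded = Array(actions).flat_map { |a| [a, *@aliases.fetch(a, [])] }
    @rules << Rule.new(allow, expanded, subject, conditions)
  end
end

# Constructed staff ability: form and save allowed, save denied on locked projects.
def staff_ability(aliases)
  ability = MiniAbility.new(aliases)
  ability.can(%i[edit update], Project)
  ability.cannot(%i[update update_extra_costs], Project, locked?: true)
  ability
end

COUPLED   = staff_ability({ update: [:edit] }) # coupling described in the question
DECOUPLED = staff_ability({})                  # alias removed, :edit granted explicitly
```

With the alias removed, every role that should see the form needs its own :edit grant, and the update action must still be authorized separately so a locked project cannot be saved by posting to it directly.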