What is CanCan?
CanCan is an authorization library for Ruby on Rails. It lets you declare which actions each user is allowed to perform on which resources. All of those rules live in one place (the Ability class) rather than being scattered and duplicated across controllers, views, and database queries, so there is a single definition to review and to keep correct.
Installation
There are a few ways to install CanCan depending on your version of Rails.
- For Rails 3, add the following to the Gemfile and run the bundle command:
gem "cancan"
- For Rails 2, add the following to the environment.rb file:
config.gem "cancan"
It can also be installed as a plugin by running the command:
rails plugin install git://github.com/ryanb/cancan.git
Getting started
CanCan expects a current_user method to exist in the controller. Its return value is what CanCan passes to Ability.new, and it may be nil for a visitor who is not signed in, so the rules you write must cope with a nil user.
Define Abilities
User permissions are defined in the Ability class.
For Rails 3, use the following generator:
rails g cancan:ability
For Rails 2.3, create a new file at app/models/ability.rb with the following code:
class Ability
include CanCan::Ability
def initialize(user)
# user is the controller's current_user; it can be nil for a guest.
# Rules are declared here. With no rules, every check is denied.
end
end
Further details on defining abilities can be found here.
Check Abilities and Authorization
Once the Ability class is defined, the current user's permissions can be checked with the can? and cannot? methods in views and controllers. For example, only show an edit link when the user may update the article:
<% if can? :update, @article %>
<%= link_to "Edit", edit_article_path(@article) %>
<% end %>
More information on Checking Abilities can be found here.
Hiding a link in the view does not enforce anything; a user can still request the URL directly. The enforcement belongs in the controller, where the action calls authorize! with the action name and the resource:
def show
@article = Article.find(params[:id])
authorize! :read, @article
end
The authorize! method raises a CanCan::AccessDenied exception if the current user is not permitted to perform that action on that resource.
Rather than repeating the find and authorize! in every action, call load_and_authorize_resource at the top of the controller. It adds a before filter that loads the resource (for example into @article from params[:id]) and authorizes the current action against it, for every action in the controller.
class ArticlesController < ApplicationController
load_and_authorize_resource
def show
# @article is already loaded and authorized for :show by the filter above
end
end
Handle Unauthorized Access
If the user is unauthorized, a CanCan::AccessDenied exception is raised. Left unhandled it produces an error page, so rescue it in ApplicationController and redirect the user with a message:
class ApplicationController < ActionController::Base
rescue_from CanCan::AccessDenied do |exception|
redirect_to root_url, :alert => exception.message
end
end
Further details on error handling can be found here.
Make permanent
A forgotten authorize! call is the easiest way to leave an action unprotected. To make sure authorization happens on every action, add check_authorization to the controller: it installs an after filter that raises CanCan::AuthorizationNotPerformed if an action completes without authorize! or load_and_authorize_resource having been called. For actions that genuinely need no authorization, use skip_authorization_check to opt them out explicitly.
class ApplicationController < ActionController::Base
check_authorization
end
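The following added example, not code from CanCan itself, shows the three pieces above working together in plain Ruby: an Ability with can/cannot rules (the "Define Abilities" section), the can?/authorize! checks, and the fail-closed behaviour that check_authorization provides (the "Make permanent" section). Because it has to run without Rails or the gem, MiniAbility is an assumed stand-in for CanCan::Ability that keeps the semantics that matter for security (no matching rule means denied, the last matching rule wins, hash conditions are compared against the record's attributes), and ArticlesController is a stand-in for the controller plumbing. User and Article are constructed structs; the AccessDenied and AuthorizationNotPerformed classes stand in for the CanCan exceptions of the same names.

```ruby
# Added example, not CanCan's own code. MiniAbility is an assumed stand-in for
# CanCan::Ability so the rules below run without the gem. (Real CanCan also
# expands action aliases, e.g. :read covers :index and :show, and turns hash
# conditions into database scopes; neither is modelled here.)
module MiniAbility
  Rule = Struct.new(:allow, :actions, :subjects, :conditions, :block)

  def rules
    @rules ||= []
  end

  # can :update, Article, user_id: user.id   or   can :update, Article do |a| ... end
  def can(action, subject, conditions = nil, &block)
    rules << Rule.new(true, Array(action), Array(subject), conditions, block)
  end

  def cannot(action, subject, conditions = nil, &block)
    rules << Rule.new(false, Array(action), Array(subject), conditions, block)
  end

  # Default deny: no matching rule => false. A later rule overrides an earlier one.
  def can?(action, subject)
    rule = rules.reverse.find { |r| relevant?(r, action, subject) && conditions_match?(r, subject) }
    rule ? rule.allow : false
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end

  private

  def relevant?(rule, action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    (rule.actions.include?(:manage) || rule.actions.include?(action)) &&
      (rule.subjects.include?(:all) || rule.subjects.any? { |s| s.is_a?(Class) && klass <= s })
  end

  def conditions_match?(rule, subject)
    return true if subject.is_a?(Class)      # class-level check: "may this user update some article?"
    return !!rule.block.call(subject) if rule.block
    return true if rule.conditions.nil?
    rule.conditions.all? { |attr, value| subject.public_send(attr) == value }
  end
end

# Constructed stand-ins for the application's models (assumption: Article has user_id and published).
User = Struct.new(:id, :admin)
Article = Struct.new(:id, :user_id, :published)

class Ability
  include MiniAbility                       # with the gem this would be: include CanCan::Ability

  def initialize(user)
    can :read, Article, published: true     # anyone, including guests, may read published articles
    return if user.nil?                     # guest (current_user is nil): nothing more. Returning here
                                            # also stops `user_id: nil` from matching ownerless records.
    can :manage, Article, user_id: user.id  # authors may do anything to their own articles ...
    cannot :destroy, Article                # ... except delete them; the admin rule below re-grants that
    can :manage, :all if user.admin
  end
end

class AccessDenied < StandardError; end              # stands in for CanCan::AccessDenied
class AuthorizationNotPerformed < StandardError; end # stands in for CanCan::AuthorizationNotPerformed

# Stand-in for the controller plumbing: authorize! raises on denial and records that a
# check happened; process() plays the request cycle, including the after filter that
# check_authorization installs and the rescue_from handler from the section above.
class ArticlesController
  attr_reader :flash

  def initialize(current_user, article)
    @current_user, @article = current_user, article
  end

  def current_ability
    @current_ability ||= Ability.new(@current_user)
  end

  def authorize!(action, subject)
    @authorized = true
    return if current_ability.can?(action, subject)
    raise AccessDenied, "You are not authorized to access this page."
  end

  def show;    authorize!(:read, @article);    :rendered_show; end
  def destroy; authorize!(:destroy, @article); :destroyed;     end
  def export;  :exported_without_any_check;                    end  # deliberately forgets authorize!

  def process(action)
    @authorized = false
    result = public_send(action)
    raise AuthorizationNotPerformed, "#{action} never called authorize!" unless @authorized
    result
  rescue AccessDenied => e
    @flash = e.message            # rescue_from CanCan::AccessDenied ... redirect_to root_url, :alert => ...
    :redirected_to_root
  end
end
```

Two points are worth noticing when running it. First, `cannot :destroy, Article` placed after the author's `can :manage` rule overrides it, while `can :manage, :all` placed after that restores deletion for admins: order is what decides, so keep the rules readable from top to bottom. Second, calling `process(:export)` raises AuthorizationNotPerformed even though the action itself succeeded, which is exactly the failure mode check_authorization exists to catch.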
Further details can be found here.