Trusted answers to developer questions
Trusted Answers to Developer Questions

Related Tags


What is CanCan?

Educative Answers Team

CanCan is an authorization library for Ruby on Rails that defines the authorization of specific resources for multiple users. These permissions are all set in a single locality (the Ability class) and are not duplicated across controllers, views, or database queries.


There are a few ways to install CanCan depending on your version of Rails.

  • For Rails 3, add the following to the Gem file and run the bundle command:

gem "cancan"

  • For Rails 2, add the following to the environment.rb file:

config.gem "cancan"

It can also be installed as a plugin by running the command:

rails plugin install git://

Getting started

CanCan expects a current_user method to exist in the controller.

Define Abilities

User permissions are defined in the Abilities class.

For Rails 3, use the following generator:

rails g cancan:ability

For Rails 2.3, add a new class to apps/models/ability.rb and append the following code:

class Ability
  include CanCan::Ability
  def initialize(user)

Further details on defining abilities can be found here.

Check Abilities and Authorization

Once initialized, the permissions for the current user can be checked using can? and cannot? methods in the view and controller.

<% if can? :update, @article %>
    <%= link_to “Edit”, edit_article_path(@article) %>
<% end %>

More information on Checking Abilities can be found here.

Perform the following action:

def show
  @article = Article.find(params[:id])
  authorize! :read, @article

The authorize! method will raise an exception if the user is not able to perform the above task.

To enable the above action for every action, use load_and_authorize_resource method. This will automatically enable all actions.

class ArticlesController < ApplicationController<br>
  def show
    # if we have a show on Articles controller, it automatically calls it

Handle Unauthorized Access

If the user is unauthorized, an exception is raised. To alert the user of the exception, use:

class ApplicationController < ActionController::Base
  rescue_from CanCan::AccessDenied do |exception|
    redirect_to root_url, :alert => exception.message

Further details on error handling can be found here.

Make permanent

To ensure authorization happens on every action, use the check_authorization controller. The skip_uthorization_check can be used to skip the methods where authorization is not performed on an action.

class ApplicationController < ActionController::Base

Further details can be found here.


Copyright ©2022 Educative, Inc. All rights reserved

View all Courses

Keep Exploring