How to ensure authorization in CanCan

CanCan is an authorization library for Ruby on Rails that defines, in one place, which actions each user is permitted to perform on specific resources.

If you want to make sure that an authorization check is never forgotten, add check_authorization to the ApplicationController:

class ApplicationController < ActionController::Base
  check_authorization
end

This ensures that an authorization check (authorize! or load_and_authorize_resource) is performed in every action of every controller that inherits from ApplicationController. If an action completes without one, the following exception is raised:

CanCan::AuthorizationNotPerformed

The check can be skipped for particular actions with skip_authorization_check. It accepts :only, which skips the check only for the actions listed, and :except, which skips it for every action except the ones listed. The following code skips the authorization check for the new action:

class ApplicationController < ActionController::Base
  skip_authorization_check :only => [:new]
end

Conditional Check

CanCan 1.6 lets you make the check conditional with the :if and :unless options, each naming a controller method. Here is an example that enforces the check only when the request comes in on the admin subdomain (that is, when the admin? method returns true):

class ApplicationController < ActionController::Base
  check_authorization :if => :admin?
  private
  def admin?
    request.subdomain == "admin"
  end
end

Note: check_authorization only ensures that an authorization check was performed; it does not decide whether the current user is allowed to do anything. Granting or denying access is still done by authorize! (or load_and_authorize_resource) against the rules in the Ability class.
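As an added example (not CanCan's own code), the following stand-alone Ruby model reproduces the mechanism behind check_authorization, skip_authorization_check (:only skips just the listed actions, :except skips every action but those listed) and the :if/:unless options, so the behaviour described above can be run without Rails or the gem. MiniCanCan, ArticlesController, Request and outcome are hypothetical names; real CanCan does this with a Rails after-action filter, and its authorize! also raises CanCan::AccessDenied when the Ability forbids the action.

```ruby
# Stand-in for CanCan's check_authorization mechanism (not the gem's own code):
# an after-action hook that raises unless the action called authorize!.
module MiniCanCan
  class AuthorizationNotPerformed < StandardError; end
  class Controller
    def self.check_authorization(opts = {}); @check = opts; end
    def self.skip_authorization_check(opts = {}); @skip = opts; end
    # Walk the superclass chain so settings on ApplicationController are inherited.
    def self.setting(ivar)
      instance_variable_get(ivar) ||
        (superclass.respond_to?(:setting) ? superclass.setting(ivar) : nil)
    end
    attr_reader :request
    def initialize(request); @request = request; @authorized = false; end
    # Records that a check happened (real CanCan also raises AccessDenied here).
    def authorize!(_action, _subject); @authorized = true; end
    # Models Rails dispatch: run the action, then the after-action hook.
    def process(action); send(action).tap { verify_authorized(action) }; end

    private
    def verify_authorized(action)
      opts = self.class.setting(:@check) or return
      return if skipped?(action) || (opts[:if] && !send(opts[:if]))
      return if opts[:unless] && send(opts[:unless])
      raise AuthorizationNotPerformed, "#{action} never called authorize!" unless @authorized
    end
    def skipped?(action)
      skip = self.class.setting(:@skip) or return false
      return skip[:only].include?(action) if skip[:only]
      skip[:except] ? !skip[:except].include?(action) : true
    end
  end
end

Request = Struct.new(:subdomain) # constructed stand-in for the Rails request
class ApplicationController < MiniCanCan::Controller
  check_authorization :if => :admin?       # enforce only on the admin subdomain
  skip_authorization_check :only => [:new] # and never for the new action
  private
  def admin?; request.subdomain == "admin"; end
end
class ArticlesController < ApplicationController
  def index; authorize!(:read, :article); :index; end
  def show; :show; end # forgot authorize!
  def new; :new; end
end
# Returns :ok or :not_performed for a given action and request subdomain.
def outcome(action, subdomain)
  ArticlesController.new(Request.new(subdomain)).process(action)
  :ok
rescue MiniCanCan::AuthorizationNotPerformed
  :not_performed
end
```

Running outcome(:show, "admin") reproduces the forgotten-check failure, while the same action on another subdomain or the skipped new action passes.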

Copyright ©2024 Educative, Inc. All rights reserved