explaingit

cancancommunity/cancancan

5,676 · Ruby · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

CanCanCan is a Ruby on Rails library that controls what each logged-in user is allowed to see and do, with all permission rules defined in one place so they are easy to audit and impossible to accidentally skip.

Mindmap

mindmap
  root((cancancan))
    What it does
      Authorization rules
      Permission checks
      DB query filtering
    Core concept
      Ability class
      Single rules file
      Role-based access
    Rails integration
      Controller helpers
      View helpers
      Automatic loading
    Audience
      Rails developers
      Web developers
    History
      Continuation of CanCan
      Community maintained


Things people build with this

USE CASE 1

Define role-based rules in a single Ability class so admins see all records while regular users only see their own

USE CASE 2

Automatically verify a user's permissions and load the right database record in a Rails controller with one line

USE CASE 3

Query only the records a user is allowed to see directly from the database instead of loading everything and filtering in code

USE CASE 4

Add access control to a Rails app without scattering permission checks across controllers, views, and models

Tech stack

Ruby · Ruby on Rails

Getting it running

Difficulty · easy Time to first run · 30min

Add one line to your Gemfile and run the CanCanCan generator to create the Ability class scaffold.

Open source community-maintained project, specific license terms are in the repository.

In plain English

CanCanCan is a Ruby library that handles authorization in web applications, which means it controls what each user is allowed to do. Authentication (proving who you are, like logging in with a password) and authorization (deciding what you are allowed to see or do once logged in) are two separate problems in web development, and CanCanCan solves the second one. It is designed to work with the Ruby on Rails web framework, though the core authorization logic works in plain Ruby too.

The main idea is that all of an application's permission rules live in a single file called an Ability class, rather than being scattered across different controllers, views, and database queries. A rule might say something like: any visitor can read posts that are marked public, logged-in users can also read their own posts, and administrators can read everything. Those three lines define the rules once, and everything else in the application checks against them.

Checking permissions is designed to be readable. In a web page template, you might write something like "if the current user can read this post, show the link." In a controller, a single line can automatically load the right data from the database and verify that the current user has permission to access it before any code in the action runs. This prevents situations where a developer forgets to add a permission check to one part of the app.

Another feature that distinguishes CanCanCan from simpler approaches is that it can translate permission rules into database queries. Instead of loading all posts and then filtering out the ones a user shouldn't see, it can ask the database for only the posts that user is allowed to read in the first place, which is both more correct and more efficient.

Installing it requires adding one line to a Rails project's dependency file. The project is community-maintained and is the continuation of an older library called CanCan that was no longer being updated.
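The three rules described above, worked through as an added example. This is a small plain-Ruby model of the CanCanCan rule style, not the gem's own code; it needs no gem and the Post, User, POSTS and readable_ids names are constructed for the illustration. It shows the point the text makes: one rule set answers both the per-record check (can?, authorize!) and the query-level filter (accessible_by's idea), so the two cannot drift apart.

```ruby
# Added illustration, not the CanCanCan gem: a plain-Ruby model of how its
# Ability rules behave, so it runs with no gem installed.
Post = Struct.new(:id, :author_id, :public)
User = Struct.new(:id, :admin)

class Ability
  class AccessDenied < StandardError; end
  Rule = Struct.new(:action, :subject, :conditions)
  def initialize(user)
    @rules = []
    # The three rules from the text, written once (nil user = anonymous visitor).
    can :read, Post, public: true
    can :read, Post, author_id: user.id if user
    can :read, Post if user&.admin           # no conditions = every Post
  end
  def can(action, subject, conditions = {})
    @rules << Rule.new(action, subject, conditions)
  end
  def rules_for(action, klass)
    @rules.select { |r| r.action == action && r.subject == klass }
  end
  # Per-record check, as used by can? in views and authorize! in controllers.
  def can?(action, record)
    rules_for(action, record.class).any? do |rule|
      rule.conditions.all? { |attr, value| record.public_send(attr) == value }
    end
  end

  # Fail closed: an unpermitted action raises instead of running.
  def authorize!(action, record)
    raise AccessDenied, "cannot #{action} #{record.class}##{record.id}" unless can?(action, record)
    record
  end

  # The accessible_by idea: the SAME rules become a query filter. Each rule's
  # conditions form one OR branch; a rule with no conditions matches all rows.
  def query_conditions(action, klass)
    rules_for(action, klass).map(&:conditions)
  end
  def accessible(action, klass, records)
    branches = query_conditions(action, klass)
    records.select { |rec| branches.any? { |c| c.all? { |a, v| rec.public_send(a) == v } } }
  end
end

# Constructed sample data (not from the page): post 1 public, 2 and 3 private.
POSTS = [Post.new(1, 1, true), Post.new(2, 1, false), Post.new(3, 2, false)]

def readable_ids(user)
  Ability.new(user).accessible(:read, Post, POSTS).map(&:id)
end
```

In the real gem the rule conditions are pushed into an ActiveRecord WHERE clause instead of an in-memory select, but the rule-to-filter translation is the same idea.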

Copy-paste prompts

Prompt 1
Using CanCanCan in Rails, define an Ability class where admins can manage everything, editors can create and update posts, and guests can only read published posts.
Prompt 2
Add CanCanCan to my Rails controller so it automatically loads the current post and checks that the logged-in user can edit it before the action runs.
Prompt 3
Show me how to use CanCanCan's accessible_by to query only the database records a user has permission to read.
Prompt 4
Write a CanCanCan ability that lets users view and edit their own orders but prevents them from seeing other users' orders.
Prompt 5
How do I test CanCanCan abilities with RSpec? Write a spec that covers the admin and guest roles.