Why I choose CanCanCan

CanCanCan is celebrating its 8th birthday.

Alessandro Rodi
Nov 17, 2017

This article was reviewed on 2 October 2018.

I realised that all the discussions, articles, and comparisons of CanCanCan with other libraries are quite old by now.

CanCanCan is eight years old and, as of today, still actively maintained. The plan for the project is to keep it as simple as it is and not add further functionality or new features. For us at Renuo it is important to keep the library up to date and compatible with the latest version of Rails, and to make it usable for everyone.

We consider CanCanCan an authorization library that is very easy to understand and very fast to install. As of today, it is the simplest way to define permissions for users inside your Rails application.

Compared to Pundit, for example, its setup takes far less time, and for simple projects its easy syntax and the need for only one file, ability.rb, still make CanCanCan our preferred choice.

We also use Pundit; we think it is a very useful gem, and sometimes more powerful than CanCanCan, but most of the time it is too flexible and too powerful for what we need.

I’d like to look at the articles that talk about CanCanCan and correct some misleading information.

One big ability.rb file

Tom Kadwill lists one drawback of CanCanCan in his article: the need for one big ability.rb file, which can slow down your application and make it difficult to maintain. That’s not actually true, as he himself states in his second article (now unreachable except through Google Cache).

You can, and should when needed, split your ability.rb file into multiple files and combine them depending on your needs. Please check the CanCanCan documentation to see how to use different ability files and combine them.

Controller helpers are “magic”

A complaint I hear often about CanCanCan is that its controller helpers do too much “magic”.

You just add load_and_authorize_resource to your controller and CanCanCan will automatically fetch the models, authorise them for each action, and raise an exception if the user is not authorised for that action.

The complaint continues that these helpers become difficult to use as soon as you have a more complicated controller, maybe with non-RESTful actions.

My point of view is that magic doesn’t exist. Magic is the word people use when they don’t understand how things work.

I ❤️ CanCanCan controller helpers and use them often, because they save me not only boilerplate code but above all time, and they force me to have a correct architecture for my controllers.

If you don’t understand or like how those helpers work, just don’t use them. They are optional: you can always decide to use only load_resource or authorize_resource separately, or not use them at all.

If your controllers are not RESTful and the CanCanCan helpers don’t really help you, maybe you should also think about the structure of your controllers and read this article.

You can live a happy life and make use of CanCanCan by using only the definition and checking of permissions, without any controller helper. That is also why CanCanCan suits non-Rails projects.

Difficult to test permissions

Reading this article by Dmitry Polyakovsky, it seems from the introduction that it is difficult to test permissions separately from the rest of the code.

I don’t know if you had the same issue, but I never have, and the documentation seems pretty straightforward to me. Please point out where exactly the difficulties are.
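The two points above, splitting ability.rb into several files and checking permissions in plain Ruby with no controller involved, as an added illustration that is not CanCanCan's own code: a minimal stand-in module (MiniAbility, hypothetical) that mirrors the gem's can/cannot/can?/merge semantics, with constructed User and Article structs and assumed ability file paths.

```ruby
# Added illustration, not CanCanCan's own code: a minimal stand-in for CanCan::Ability
# that mirrors the gem's semantics (can/cannot/can?/merge, later rules win), so the
# "magic" of splitting and combining ability files can be read in a few lines.
Rule = Struct.new(:allow, :action, :subject_class, :conditions)
module MiniAbility
  def rules; @rules ||= []; end
  # can :update, Article, author_id: user.id  => allow rule with hash conditions
  def can(action, subject_class, conditions = {})
    rules << Rule.new(true, action, subject_class, conditions)
  end
  def cannot(action, subject_class, conditions = {})
    rules << Rule.new(false, action, subject_class, conditions)
  end
  # Later rules win, as in CanCanCan: the first match walking the rules in reverse decides;
  # :manage covers all actions; a class (can? :read, Article) skips the instance conditions.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    rule = rules.reverse.find do |r|
      [action, :manage].include?(r.action) && klass <= r.subject_class &&
        (subject.is_a?(Class) || r.conditions.all? { |a, v| subject.public_send(a) == v })
    end
    rule ? rule.allow : false
  end
  # Combining ability files: append the other ability's rules (like Ability#merge)
  def merge(other); rules.concat(other.rules); self; end
end

# Constructed models standing in for ActiveRecord ones.
User = Struct.new(:id)
Article = Struct.new(:author_id, :published, :locked, keyword_init: true)
class ArticleAbility # app/models/abilities/article_ability.rb (assumed path)
  include MiniAbility
  def initialize(user)
    can :read, Article, published: true
    can :manage, Article, author_id: user.id if user
  end
end
class LockAbility # app/models/abilities/lock_ability.rb (assumed path)
  include MiniAbility
  def initialize(_user)
    cannot :destroy, Article, locked: true
  end
end
class Ability # app/models/ability.rb composes the files; the last merged rule wins
  include MiniAbility
  def initialize(user)
    merge ArticleAbility.new(user)
    merge LockAbility.new(user)
  end
end
```

Because Ability is plain Ruby, a permission spec only needs `Ability.new(user).can?(:destroy, article)`; no request or controller is required.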

Doesn’t play well with Strong Parameters

This was really true back in 2013, when Christian Nelson wrote his article, but luckily the community took care of CanCanCan and today Strong Parameters are no longer an issue. Just read the relevant page in our wiki.

Poor CodeClimate score

I think it is important to highlight this point as well. Back in 2013, Christian Nelson described CanCanCan like this:

[…] it has the signs of an abandoned project: sporadic commits, many open issues/pull-requests, poor Code Climate score, etc.

Again: he was perfectly right in 2013, but that is no longer true in 2017, and someone has to say it: the CodeClimate score is now 4.0 (the maximum) and the code frequency is pretty high for an 8-year-old gem.

I’d also like to highlight that the CanCanCan gem is now only 21.5 KB, having been halved in the latest 2.0 release.

🎉 Happy birthday CanCanCan 🎉
