Hello, CanCanCan 3.0

All the changes in version 3.0 of the most used and ❤️ authorization framework in Ruby on Rails

Breaking changes

Defining abilities without a subject is not allowed anymore

Eager loading is not automatic anymore

Use of distinct.

Ability#merge.

New features

Support for Rails 6.0

Attribute level rules

can :read, User, :first_name, :last_name
can? :read, @user, :first_name
current_ability.permitted_attributes(:read, @user)
#=> [:first_name, :last_name]

Better support for enums

# version 2.x
can :read, Shape, color: Shape.colors[:green]
# version 3.x
can :read, Shape, color: :green

The Rules Compressor

can :read, Post, public: true
if user.present?
  can :read, Post, user: { id: user.id }
  if user.admin?
    can :read, Post
  end
end
# not logged in
SELECT *
FROM posts
WHERE posts.public = true
# logged in
SELECT *
FROM posts
LEFT JOIN users ON posts.user_id = users.id
WHERE posts.public = true OR users.id = ?
# admin, before the rules compressor
SELECT *
FROM posts
LEFT JOIN users ON posts.user_id = users.id
WHERE posts.public = true OR users.id = ? OR 1 = 1
# admin, with the rules compressor
SELECT *
FROM posts;
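Added example, not code from the post or from the CanCanCan gem: a plain-Ruby model of the idea behind the rules compressor, reproducing the three cases above (anonymous, logged in, admin) and the WHERE clause each one ends up with. `Rule`, `rules_for` and the tiny SQL translator are assumptions made for this illustration.

```ruby
# Added, simplified model of how CanCanCan 3.0 collapses redundant rules before
# building a query. Not the gem's code; Rule and rules_for are assumptions.
Rule = Struct.new(:base_behavior, :action, :subject, :conditions) do
  # A rule with no conditions applies to every record ("catch all").
  def catch_all?
    conditions.empty?
  end
end
# Stand-in for the Ability class on the page: builds the same three rules.
# `user` is a Hash like { id: 7, admin: false }, or nil when not logged in.
def rules_for(user)
  rules = [Rule.new(true, :read, :Post, { public: true })]
  if user
    rules << Rule.new(true, :read, :Post, { user: { id: user[:id] } })
    rules << Rule.new(true, :read, :Post, {}) if user[:admin]
  end
  rules
end
# Rules are scanned from the last defined backwards; the first catch-all rule
# makes every earlier rule with the same behaviour irrelevant. A `cannot`
# catch-all removes itself too (nothing defined before it can grant access).
def compress(rules)
  reversed = rules.reverse
  idx = reversed.find_index(&:catch_all?)
  return rules unless idx
  catch_all = reversed[idx]
  kept = reversed[0..idx].reject do |r|
    r.base_behavior == catch_all.base_behavior && !r.catch_all?
  end
  kept.shift unless catch_all.base_behavior
  kept.reverse
end
# Minimal conditions-to-SQL translation, only what the page's example needs:
# a nested hash is an association (user -> users table), values become binds.
def sql_condition(conditions, table)
  conditions.map do |column, value|
    next sql_condition(value, "#{column}s") if value.is_a?(Hash)
    "#{table}.#{column} = #{value == true ? 'true' : '?'}"
  end.join(' AND ')
end
# nil means "no WHERE clause at all", i.e. SELECT * FROM posts.
def where_clause(rules)
  compressed = compress(rules)
  raise NotImplementedError, 'cannot rules are not modelled here' if compressed.any? { |r| !r.base_behavior }
  return nil if compressed.any?(&:catch_all?)
  compressed.map { |r| sql_condition(r.conditions, 'posts') }.join(' OR ')
end
```

The admin case collapses to a single unconditional rule, which is why the compressed query has no WHERE clause and no join.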

Tests run on SQLite and Postgres

and much more…

Alessandro Rodi

Open Source Software Engineer at Renuo AG. Located in Zürich. I do stuff. Sometimes.