ryanb / cancan

Authorization Gem for Ruby on Rails.
MIT License

(:can) + (:cannot with parameter) on same model results in wrong SQL query #807

Open vectriss opened 11 years ago

vectriss commented 11 years ago

Hi,

I've got this code in Rails 3.2.11 project with CanCan 1.6.8:

Ability model:

if user.is_super_admin?
    can :manage, User
    cannot :manage, User, :rank => "root"
end

in UserController:

load_and_authorize_resource

def index
    # empty
end

and when I run WEBrick, log in as super_admin and go to the user/index action, CanCan runs this SQL (from development.log):

SELECT users.* FROM users WHERE users.rank = 'root';

resulting in selecting only the 'root' user from the DB, where I want the opposite effect.

CanCan should run something like this:

SELECT users.* FROM users WHERE users.rank != 'root';

I noticed that when I put this code in Ability instead of the code mentioned earlier, it all works fine:

if user.is_super_admin?
    can :manage, User, :rank => 'user'
    can :manage, User, :rank => 'admin'
    can :manage, User, :rank => 'super_admin'
end

Am I missing something, or is it a bug?
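For readers working out what the `can` + `cannot` pair above should compile to, here is an added illustration (not CanCan's own code, and written independently of the issue): a minimal model of CanCan-style `can`/`cannot` rules with attribute-hash conditions. It derives the WHERE clause a correct ability-to-SQL translation should yield for both abilities in the report, and cross-checks that clause's meaning against an in-memory `can?` over constructed sample users. `MiniAbility`, `Rule`, the sample `User` struct and the user records are all assumptions made for the example.

```ruby
# Added example, not CanCan's code: rule-list semantics for can/cannot with
# condition hashes, plus the WHERE clause those rules should produce.

Rule = Struct.new(:base_behavior, :action, :subject, :conditions)

class MiniAbility
  TRUE_SQL  = "1=1".freeze
  FALSE_SQL = "1=0".freeze

  def initialize
    @rules = []
  end

  def can(action, subject, conditions = {})
    @rules << Rule.new(true, action, subject, conditions)
  end

  def cannot(action, subject, conditions = {})
    @rules << Rule.new(false, action, subject, conditions)
  end

  # Rules for this action/subject, in definition order.
  def relevant_rules(action, subject)
    @rules.select { |r| r.action == action && r.subject == subject }
  end

  # In-memory authorization: the most recently defined matching rule wins,
  # so a later conditional `cannot` carves an exception out of an earlier
  # unconditional `can`.
  def can?(action, record)
    rule = relevant_rules(action, record.class).reverse.find { |r| matches?(r, record) }
    rule ? rule.base_behavior : false
  end

  # WHERE clause with the same meaning as can?: fold the rules in definition
  # order, OR-ing `can` conditions in and AND NOT-ing `cannot` conditions out.
  # A `cannot` must therefore appear negated, never as a bare equality.
  def where_clause(action, subject)
    relevant_rules(action, subject).inject(FALSE_SQL) { |sql, rule| merge(sql, rule) }
  end

  private

  def matches?(rule, record)
    rule.conditions.all? { |attr, value| record.public_send(attr) == value }
  end

  def merge(sql, rule)
    cond = sql_for(rule.conditions)
    # An unconditional rule replaces everything defined before it.
    return (rule.base_behavior ? TRUE_SQL : FALSE_SQL) if cond.empty?

    if rule.base_behavior
      case sql
      when TRUE_SQL  then TRUE_SQL
      when FALSE_SQL then cond
      else "(#{cond}) OR (#{sql})"
      end
    else
      case sql
      when TRUE_SQL  then "NOT (#{cond})"
      when FALSE_SQL then FALSE_SQL
      else "NOT (#{cond}) AND (#{sql})"
      end
    end
  end

  # Values are doubled-quote escaped here only to keep the example self-contained;
  # a real adapter binds parameters or uses the ORM's sanitizer.
  def sql_for(conditions)
    conditions.map { |attr, value| "#{attr} = '#{value.to_s.gsub("'", "''")}'" }.join(" AND ")
  end
end

# Constructed sample records standing in for the users table.
User = Struct.new(:name, :rank)

def sample_users
  [User.new("alice", "user"), User.new("bob", "admin"),
   User.new("carol", "super_admin"), User.new("root", "root")]
end

# The ability from the report: manage everyone except rank 'root'.
def super_admin_ability
  ability = MiniAbility.new
  ability.can :manage, User
  ability.cannot :manage, User, rank: "root"
  ability
end

# The positive-rules workaround from the report.
def workaround_ability
  ability = MiniAbility.new
  %w[user admin super_admin].each { |rank| ability.can :manage, User, rank: rank }
  ability
end

# Names the in-memory check allows; the WHERE clause must select the same set.
def manageable_names(ability)
  sample_users.select { |u| ability.can?(:manage, u) }.map(&:name)
end

if __FILE__ == $0
  [super_admin_ability, workaround_ability].each do |ability|
    puts "WHERE #{ability.where_clause(:manage, User)}"
    puts "  in-memory can?: #{manageable_names(ability).join(', ')}"
  end
end
```

The same cross-check is what catches the reported behaviour against a real database: compare `User.accessible_by(ability)` with `User.all.select { |u| ability.can?(:manage, u) }` in a test, and any divergence between the query path and the `can?` path fails the build rather than surfacing as an authorization gap in production.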

alex-handley commented 11 years ago

@vectriss did you resolve the issue? if not i'd be happy to help.

xhoy commented 10 years ago

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013. Since only Ryan himself has commit permissions, the CanCan project is at a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you would resubmit it to CanCanCan.

We hope to see you on the other side!