CanCan is an authorization library for Ruby on Rails that helps manage user permissions in a clean and consistent way. It centralizes all authorization logic in a single Ability class, where you define what actions each type of user can or cannot perform on different resources. Developers then use helpers like authorize! in controllers or can? in views to enforce those rules without scattering permission logic across the application. It supports defining permissions using conditions, allowing granular access based on attributes like ownership or role. Because it abstracts authorization cleanly, applications stay easier to read, test, and maintain as business rules evolve. Though no longer actively maintained in its original form, CanCan inspired forks and successors (such as CanCanCan) that continue to be widely used in Rails projects.
Features
- Define user permissions in a single Ability class rather than scattering logic across controllers and views
- Helper methods in controllers and views like can?, cannot?, authorize! to test or enforce permissions
- load_and_authorize_resource support: automatically loading resources and checking abilities for RESTful controllers
- Ability to rescue from unauthorized access exceptions and handle accordingly (redirect, flash message, etc.)
- Checks for authorization in all actions, with a mechanism to skip authorization where needed, or ensure it's always checked with check_authorization
- Integration with Rails conventions (current_user, filters, controller/view helpers) so minimal boilerplate required in Rails apps using it
Project Samples
