CanCan, Devise, Rails and Backbone.js, issue with :update

0
votes

I'm using Devise and CanCan to create a backbone.js front-end and Rails 3.0.7 for backend.

As soon as I add load_and_authorize_resource to my controller it no longer lets me perform an update and I get no response from the server. If I remove load_and_authorize_resource from my controller, everything works well.

Information from my console:

Started PUT "/pos/13" for 127.0.0.1 at Thu Jul 07 15:06:41 -0700 2011

Processing by PosController#update as JSON

Parameters: {"confirmed"=>nil, "paid"=>nil, "needed"=>Thu, 30 Jun 2011, "amount"=>16, "id"=>"13", "approved"=>1, "user_id"=>1, "vendor_id"=>5}

User Load (0.1ms) SELECT "users".* FROM "users" WHERE "users"."id" = 1 LIMIT 1

Po Load (0.1ms) SELECT "pos".* FROM "pos" WHERE "pos"."id" = 13 LIMIT 1

Role Load (0.1ms) SELECT "roles".* FROM "roles" INNER JOIN "roles_users" ON "roles".id = "roles_users".role_id WHERE "roles"."name" = 'Admin' AND ("roles_users".user_id = NULL ) LIMIT 1

The end of the last query: "roles_users".user_id = NULL is never going to return any results and will then not let me update the resource. What could I do to fix this?

Other information:

PosController#update looks like this:

def update
  @po = Po.find(params[:id])
  @po.update_attributes! params
  respond_with @po
end

I'm using roles to manage abilities. My ability.rb looks like:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.role? :admin
      can :manage, :all
    end
  end
end

User.rb contains:

def role?(role)
  return !!self.roles.find_by_name(role.to_s.camelize)
end

Roles are obtained from the UsersHaveAndBelongToManyRoles migration:

class UsersHaveAndBelongToManyRoles < ActiveRecord::Migration
  def self.up
    create_table :roles_users, :id => false do |t|
     t.references :role, :user
    end
  end

  def self.down
    drop_table :roles_users
  end
end

I currently only have one user, and have given this user the role admin. I've been able to double check this by using a conditional to not pass any @pos in PosController#index unless current_user.role? :admin.

1
ruby-on-railsruby-on-rails-3devisebackbone.jscancan
By "I get no response from the server", is it just processing the page and never responds? Or do you mean it returns instantly with no content? If so, what's the status of the page? Is it a redirect? If so, to where? - ryanb
@ryanb It does a PUT to PosController#update as JSON and I get a 200 response with no content. The database is never updated either. Since this is all JSON it doesn't redirect. - joshvermaire

1 Answers

3
votes

This may be a problem with Devise losing authentication on AJAX requests, check out this issue for details.

It looks like current_user that is passed to Ability is nil. Try removing load_and_authorize_resource and ensure that current_user is set correctly in the action.

If that is not the problem, first make sure user.role? :admin is returning true for that user. Next, try Ability.new(user).can?(:update, Po.find(...)), see Debugging Abilities for details.

What I don't understand is why it returns an empty JSON response. CanCan never handles a response directly, it just raises an exception when authorization fails. Are you catching this with rescue_from in your ApplicationController? If so, try removing that to ensure Authorization is actually failing and nothing else is handling the JSON response.