The authorization Gem for Ruby on Rails.

Developer guide | RDocs | Screencast 1 | Screencast 2

CanCanCan is an authorization library for Ruby and Ruby on Rails which restricts what resources a given user is allowed to access.

All permissions can be defined in one or multiple ability files and not duplicated across controllers, views, and database queries, keeping your permissions logic in one place for easy maintenance and testing.

It consists of two main parts:

  1. An authorization library that allows you to define the rules for accessing different objects, and provides helpers to check those permissions.
  2. Rails helpers that simplify the code in Rails controllers by loading models and checking permissions on them automatically, reducing duplicated code.

Our sponsors

Renuo AG

Modern Treasury

Bullet Train




Do you want to sponsor CanCanCan and show your logo here? Check our Sponsors Page.

Head to our complete Developer Guide to learn how to use CanCanCan in detail.


Add this to your Gemfile:

```ruby
gem 'cancancan'
```

and run:

```shell
bundle install
```

Define Abilities

User permissions are defined in an `Ability` class, which you can generate with:

```shell
rails g cancan:ability
```

Here follows an example of rules defined to read a Post model.

```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    can :read, Post, public: true

    return unless user.present?  # additional permissions for logged in users (they can read their own posts)
    can :read, Post, user: user

    return unless user.admin?    # additional permissions for administrators
    can :read, Post
  end
end
```

Check Abilities

The current user's permissions can then be checked using the `can?` and `cannot?` methods in views and controllers.

Fetching records

One of the key features of CanCanCan, compared to other authorization libraries, is the possibility to retrieve all the objects that the user is authorized to access. The following:

```ruby
@posts = Post.accessible_by(current_ability)
```

will use your rules to ensure that the user retrieves only a list of posts that can be read.
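As an added illustration (not code from the CanCanCan README or from the gem itself), the following stand-alone Ruby models the rule semantics of the Ability class above and of accessible_by: the same condition hashes decide both a single permission check and which records come back. MiniAbility, readable_post_ids and the sample users and posts are invented for this example.

```ruby
# Added example: a stand-alone model of the README's rule semantics, written
# for this page. It is NOT the cancancan gem and none of these methods are the
# gem's API; MiniAbility, readable_post_ids and the sample data are invented.
Post = Struct.new(:id, :public, :user, keyword_init: true)
User = Struct.new(:id, :admin, keyword_init: true) do
  def admin?
    admin
  end
end
class MiniAbility
  Rule = Struct.new(:action, :subject, :conditions)
  # Same three rules, in the same order, as the README's Ability#initialize.
  def initialize(user)
    @rules = []
    can :read, Post, public: true
    return unless user            # guests: only public posts
    can :read, Post, user: user   # logged in: also their own posts
    return unless user.admin?
    can :read, Post               # admins: every post (no conditions at all)
  end

  def can(action, subject, conditions = {})
    @rules << Rule.new(action, subject, conditions)
  end

  # Permitted when ANY rule matches: rules only ever widen access, and an
  # empty condition hash matches every record of that subject.
  def can?(action, record)
    @rules.any? do |rule|
      rule.action == action && record.is_a?(rule.subject) &&
        rule.conditions.all? { |attr, val| record.public_send(attr) == val }
    end
  end

  # The same condition hashes double as the record filter (the gem compiles
  # them into a WHERE clause for accessible_by; here they filter an array).
  def accessible(action, records)
    records.select { |record| can?(action, record) }
  end
end
# Constructed sample data; a nil user below stands for an anonymous visitor.
ALICE = User.new(id: 1, admin: false)
BOB   = User.new(id: 2, admin: true)
POSTS = [Post.new(id: 1, public: true, user: ALICE),
         Post.new(id: 2, public: false, user: ALICE),
         Post.new(id: 3, public: false, user: BOB)].freeze
def readable_post_ids(user, posts = POSTS)
  MiniAbility.new(user).accessible(:read, posts).map(&:id)
end
```

Checking what each kind of user gets back from readable_post_ids is a quick way to review the resulting permission matrix: a guest should see only the public post, an owner their own posts as well, and an admin everything.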

Controller helpers

The `authorize!` method in the controller will raise an exception if the user is not able to perform the given action.

```ruby
def show
  @post = Post.find(params[:id])
  authorize! :read, @post
end
```

Setting this for every action can be tedious, therefore the `load_and_authorize_resource` method is provided to automatically authorize all actions in a RESTful style resource controller. It uses a before action to load the resource into an instance variable and authorize it for every action.

```ruby
class PostsController < ApplicationController
  load_and_authorize_resource

  def show
    # @post is already loaded and authorized
  end

  def index
    # @posts is already loaded with all posts the user is authorized to read
  end
end
```


Head to our complete Developer Guide to learn how to use CanCanCan in detail.


If you have any questions or doubts regarding CanCanCan for which you cannot find an answer in the documentation, please open a question on Stack Overflow with the tag cancancan.


If you find a bug, please open an issue on GitHub, or fork the project and send a pull request.


CanCanCan uses appraisals to test the code base against multiple versions of Rails, as well as the different model adapters.

When first developing, you need to run

```shell
bundle install
bundle exec appraisal install
```

to install the different sets.

You can then run all appraisal files (like CI does) with

```shell
appraisal rake
```

or just run a specific set:

```shell
DB='sqlite' bundle exec appraisal activerecord_5.2.2 rake
```

See the CONTRIBUTING for more information.

Special Thanks

Thanks to our Sponsors and to all the CanCanCan contributors. See the CHANGELOG for the full list.
