Update: After reading the answers, I think I should rephrase my question (as question 3)
From time to time I get confused as to where I should write some conditional check: in a Cancan ability or in an ActiveRecord model validation?
As the first example: Say I have a folder model which can be nested. I want to prevent deletion of a folder if it is the only child of the parent folder.
This should probably be model logic (as a before_destroy callback). However, I would also want to hide the delete button (and block the controller action), which seems like the realm of Cancan.
As the second example: I want to prevent deletion of a folder not owned by me.
This will need the use of current_user, which is stored in the session. I have the impression that a session-related condition should not touch the model itself, so this is for Cancan. Is it correct?
Question 3:
If deleting a folder requires both: destroyable?()
Should the Cancan ability also call model.destroyable?(), or should I call model.destroyable?() separately (in view and in controller)?
IMO Cancan is about authorization: is the user allowed to delete a given resource based on who they are. Restricting resource deletion based on other criteria falls outside that purview.
This sounds like a combination of authorization and business logic. A view helper might check both if the user can? delete the resource, and that the resource is deletable?.
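To make the split the answers describe concrete, here is an added example (not from the question or either answer) using plain-Ruby stand-ins for the ActiveRecord model and the CanCan Ability so it runs outside Rails; the names Folder, owner_id, Ability#can? and deletable_by? are assumptions.

```ruby
# Stand-in for the ActiveRecord Folder model (constructed for this example).
class Folder
  attr_reader :name, :owner_id, :parent, :children

  def initialize(name, owner_id, parent = nil)
    @name, @owner_id, @parent = name, owner_id, parent
    @children = []
    parent.children << self if parent
  end

  # Business rule (model logic): a folder may not be destroyed when it is the
  # only child of its parent. This holds regardless of who is asking.
  def destroyable?
    parent.nil? || parent.children.size > 1
  end

  # Mirrors a before_destroy callback that aborts the destroy, so the rule is
  # enforced server-side even if a client bypasses the hidden delete button.
  def destroy
    return false unless destroyable?
    parent.children.delete(self) if parent
    true
  end
end

# Stand-in for the CanCan Ability (authorization only): ownership comes from
# current_user in the session, so the check lives here, not in the model.
class Ability
  def initialize(user_id)
    @user_id = user_id
  end

  def can?(action, folder)
    action == :destroy && folder.owner_id == @user_id
  end
end

# Helper shared by view and controller: authorization ("who") from the
# ability, business rule ("may this resource go") from the model.
def deletable_by?(user_id, folder)
  Ability.new(user_id).can?(:destroy, folder) && folder.destroyable?
end
```

The controller should call the same helper before destroying, and the model's own destroy still refuses when the business rule fails, so hiding the button is never the only guard.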