I have Codes nested under Companies in my routes.
resources :companies, except: [:destroy] do
  resources :codes, except: [:destroy]
end
Ability:
can :read, Company do |c|
  user.has_role? :operator, c
end
can :read, Code do |c|
  # the block variable is c, so the company must be reached through it
  user.has_role? :operator, c.company
end
My CodesController checks for
before_filter :set_code, only: [:show, :edit, :update, :activate, :deactivate]
load_and_authorize_resource :except => :create #TODO fix as cancan updates

def index
  if params[:company_id]
    ...
If I access /companies/1/codes, where my user shouldn't have access, I see no results. However if I try to view /companies/1 directly, I get CanCan AccessDenied.
Why doesn't this show in the nested index?
You should also do a load_and_authorize_resource of your parent model in the codes controller:
load_and_authorize_resource :company
followed by loading your code resource through your company:
load_and_authorize_resource :company
load_and_authorize_resource :code, through: :company
I don't see any added value in your before_filter, as this is exactly what CanCan will do for you...
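As an added illustration (not code from the question or the answer), here is a stripped-down Ruby model of how CanCan treats block rules: a class-level check, which is what `load_and_authorize_resource` performs for the index action, passes without running the block, while a check against a loaded parent instance runs the block and raises. The `Company`, `Code`, `User` and `Ability` stand-ins and the `operator_ids` field are assumptions for this model, not the real Rails classes.

```ruby
# Added example: a minimal model of CanCan's block-rule evaluation, not CanCan itself.
class AccessDenied < StandardError; end

Company = Struct.new(:id, :operator_ids)      # assumed: who may operate this company
Code    = Struct.new(:id, :company)
User    = Struct.new(:id) do
  # Stand-in for the app's `user.has_role? :operator, company`
  def has_role?(role, company)
    role == :operator && company.operator_ids.include?(id)
  end
end

class Ability
  def initialize(user)
    @rules = []
    can(:read, Company) { |c| user.has_role?(:operator, c) }
    can(:read, Code)    { |c| user.has_role?(:operator, c.company) }
  end

  def can(action, klass, &block)
    @rules << [action, klass, block]
  end

  # Mirrors CanCan: a block is only evaluated for an instance. A class-level
  # check succeeds as soon as a rule for that action and class exists.
  def can?(action, subject)
    @rules.any? do |rule_action, klass, block|
      next false unless rule_action == action
      if subject.is_a?(Class)
        subject <= klass
      else
        subject.is_a?(klass) && block.call(subject)
      end
    end
  end

  def authorize!(action, subject)
    raise AccessDenied unless can?(action, subject)
    true
  end
end

# Index as in the question: only a class-level check on Code, which passes, so the
# controller continues to its own query and simply renders an empty list.
def index_without_parent_check(ability)
  ability.authorize!(:read, Code)
end

# Index with the parent loaded and authorized first, as the answer suggests: the
# block runs against the concrete company and denies a user who is not its operator.
def index_with_parent_check(ability, company)
  ability.authorize!(:read, company)
  ability.authorize!(:read, Code)
end
```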