This works for an authorize! call:

    can [:read,:update], brand

but CanCan::AccessDenied is thrown when the line in the Ability class is changed to:

    can :update, brand

brand is not nil.
If I can :update something, shouldn't I automatically be able to :read it?
I just want to know if this is by design, or if I am missing something somewhere.
This is by design. There are just a few default aliases defined:

    def default_alias_actions
      {
        :read => [:index, :show],
        :create => [:new],
        :update => [:edit],
      }
    end

So if someone has the 'update' right then he has the 'edit' right. This is natural for Rails applications which follow the REST style.
However you can define your own aliases very simply.