// the find
CanCanCommunity/cancancan
The authorization Gem for Ruby on Rails.
CanCanCan is the community-maintained continuation of Ryan Bates' original CanCan authorization gem for Rails. It centralizes access rules in a single Ability class and integrates tightly with ActiveRecord for both permission checks and record-scoped queries. Rails developers who want declarative, centralized authorization without reaching for a policy-object framework will find this familiar territory.
The accessible_by scoping is the standout feature: it translates hash- and string-condition ability rules into SQL WHERE clauses, so you get filtered queries without writing them by hand. load_and_authorize_resource cuts controller boilerplate down to almost nothing for standard RESTful actions. The SQL strategy layer (subquery, left join and exists-subquery variants for rules that reach through associations) shows real thought about query performance across different association patterns. Test coverage spans multiple ActiveRecord versions via the Appraisal gem, which matters for a library that needs to survive Rails upgrades.
The single Ability class pattern scales badly: in any non-trivial app it becomes a conditional tangle that nobody wants to touch. Field-level permissions exist only as attribute lists passed to can (read back through permitted_attributes), which is bolted on and awkward. Block-based conditions (can(:read, Post) { |post| post.draft? }) cannot be translated to SQL: can? evaluates the block happily, but accessible_by raises CanCan::Error for a rule that carries only a block, so the failure surfaces in the one controller action that scopes a collection, often not until production. The workaround is to give such rules both a SQL condition (hash or string) and the block, with can? using the block and accessible_by using the SQL, and to keep the two in agreement by hand. The project is community-maintained with a modest contributor count; the original author's absence shows in how slowly certain edge cases in nested resources and STI models get resolved.
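The rule-to-SQL translation praised above and the block-rule failure mode, as an added example that is not part of the original page or the gem's code: a dependency-free Ruby sketch that mirrors CanCanCan's can/cannot/can?/accessible_by names and its rule-folding order (positive rules OR together, negative rules AND NOT, an unconditional rule overrides what came before). The Post struct stands in for an ActiveRecord model and Ability::Error for CanCan::Error; both are assumptions for the sketch. It illustrates the mechanism, not the gem's implementation, so run the real thing against a database to see actual queries.

```ruby
# Added example, not CanCanCan's code: a dependency-free sketch of how one rule
# set serves both an in-memory can? check and an accessible_by-style WHERE
# clause, and why a block-only rule can do the former but not the latter.
Post = Struct.new(:author_id, :published, :archived, :draft, keyword_init: true) do
  def draft?
    draft == true
  end
end

Rule = Struct.new(:base_behavior, :action, :subject, :conditions, :block)

class Ability
  class Error < StandardError; end # stands in for CanCan::Error here

  TRUE_SQL  = '1 = 1'.freeze
  FALSE_SQL = '1 = 0'.freeze

  def initialize
    @rules = []
  end

  def can(action, subject, conditions = nil, &block)
    @rules << Rule.new(true, action, subject, conditions, block)
  end

  def cannot(action, subject, conditions = nil, &block)
    @rules << Rule.new(false, action, subject, conditions, block)
  end

  # In-memory check: the most recently defined matching rule decides, and a
  # block, when present, takes precedence over the hash conditions.
  def can?(action, record)
    rule = @rules.reverse.find do |r|
      r.action == action && record.is_a?(r.subject) && matches?(r, record)
    end
    rule ? rule.base_behavior : false
  end

  # SQL-side check: fold the rules in definition order into one WHERE clause.
  # A block has no SQL form, so a rule carrying only a block makes the query
  # unbuildable; refusing loudly is the correct behaviour.
  def accessible_by(action, subject)
    relevant = @rules.select { |r| r.action == action && r.subject == subject }
    if relevant.any? { |r| r.conditions.nil? && r.block }
      raise Error, "a #{action} rule for #{subject} defines only a block; no SQL can be derived"
    end
    relevant.inject(FALSE_SQL) { |sql, r| merge_conditions(sql, r.conditions, r.base_behavior) }
  end

  private

  def matches?(rule, record)
    return rule.block.call(record) if rule.block
    return true if rule.conditions.nil? || rule.conditions.empty?
    rule.conditions.all? { |attr, value| record[attr] == value }
  end

  # Positive rules OR together, negative rules AND NOT, and an unconditional
  # rule replaces everything defined before it.
  def merge_conditions(sql, conditions, behavior)
    return(behavior ? TRUE_SQL : FALSE_SQL) if conditions.nil? || conditions.empty?
    clause = conditions.map { |attr, value| "#{attr} = #{quote(value)}" }.join(' AND ')
    case sql
    when TRUE_SQL  then behavior ? TRUE_SQL : "NOT (#{clause})"
    when FALSE_SQL then behavior ? clause : FALSE_SQL
    else behavior ? "(#{clause}) OR (#{sql})" : "NOT (#{clause}) AND (#{sql})"
    end
  end

  # Minimal literal quoting for the sketch; a real adapter delegates to the driver.
  def quote(value)
    case value
    when true then '1'
    when false then '0'
    when Integer then value.to_s
    when String then "'#{value.gsub("'", "''")}'"
    else raise ArgumentError, "unsupported literal #{value.inspect}"
    end
  end
end

# Hash-condition rules only: can? and accessible_by agree with each other.
def reader_ability(user_id)
  ability = Ability.new
  ability.can :read, Post, published: true
  ability.can :read, Post, author_id: user_id
  ability.cannot :read, Post, archived: true
  ability
end

# Block-only rule: can? works, accessible_by cannot be built.
def block_only_ability
  ability = Ability.new
  ability.can(:read, Post) { |post| post.draft? }
  ability
end

# Hash and block on one rule: can? uses the block, accessible_by uses the hash.
def block_and_sql_ability
  ability = Ability.new
  ability.can(:read, Post, draft: false) { |post| !post.draft? }
  ability
end
```

reader_ability(7).accessible_by(:read, Post) yields NOT (archived = 1) AND ((author_id = 7) OR (published = 1)), and every Post that can? accepts satisfies that clause. block_only_ability passes can? for a draft yet raises Ability::Error from accessible_by, which is the shape of the footgun: unit tests on can? stay green while the index action blows up. block_and_sql_ability shows the workaround, and also its cost: nothing checks that the block and the hash express the same predicate, so keep them trivially equivalent and test both paths.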