VietTH: Use gem pundit instead cancan

Gemfile

@@ -69,7 +69,8 @@ gem 'draper', '~> 2.1.0'
 
 gem 'devise', '~> 3.5.1'
 gem 'rolify', '~> 4.0.0'
-gem 'cancan', '~> 1.6.10'
+gem 'pundit', '~> 1.0.1'
+# gem 'cancan', '~> 1.6.10'
 
 gem 'carrierwave', '~> 0.10.0'
 gem 'mini_magick', '~> 3.8.1'

Gemfile.lock

@@ -47,7 +47,6 @@ GEM
     builder (3.2.2)
     byebug (5.0.0)
       columnize (= 0.9.0)
-    cancan (1.6.10)
     capistrano (3.4.0)
       i18n
       rake (>= 10.0.0)
@@ -182,6 +181,8 @@ GEM
       slop (~> 3.4)
     pry-rails (0.3.4)
       pry (>= 0.9.10)
+    pundit (1.0.1)
+      activesupport (>= 3.0.0)
     quiet_assets (1.1.0)
       railties (>= 3.1, < 5.0)
     rack (1.6.4)
@@ -327,7 +328,6 @@ PLATFORMS
 
 DEPENDENCIES
   byebug
-  cancan (~> 1.6.10)
   capistrano-rails
   capistrano-rvm
   capistrano-sidekiq (~> 0.5.2)
@@ -352,6 +352,7 @@ DEPENDENCIES
   mini_magick (~> 3.8.1)
   mysql2
   pry-rails (~> 0.3.4)
+  pundit (~> 1.0.1)
   quiet_assets
   rails (= 4.2.3)
   rails_12factor (~> 0.0.3)

app/controllers/application_controller.rb

 class ApplicationController < ActionController::Base
+  include Pundit
   include MetaManagement
 
   rescue_from ActiveRecord::RecordNotFound, :with => :record_not_found
-  rescue_from CanCan::AccessDenied do |exception|
-    redirect_to root_path, :alert => exception.message
-  end
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
 
   layout Proc.new { |controller| controller.devise_controller? ? 'devise' : 'application' }
 
@@ -26,4 +25,8 @@ class ApplicationController < ActionController::Base
     redirect_to(root_path, alert: "Resource not found")
   end
 
+  def user_not_authorized
+    redirect_to root_path, alert: 'You are not authorized to perform this action.'
+  end
+
 end
\ No newline at end of file

app/controllers/orders_controller.rb

 class OrdersController < ApplicationController
-  load_and_authorize_resource :order, only: [:show, :update]
-
   before_action :authenticate_user!
   before_action :set_order, only: [:show, :update]
+  before_action -> { authorize(@order) }, only: [:show, :update]
 
   def index
   end

app/models/ability.rb

-class Ability
-  include CanCan::Ability
-  attr_reader :user
-
-  def initialize(current_user)
-    @user = current_user || User.new # guest user (not logged in)
-
-    if user.admin?
-      permission_admin
-    else
-      permission_user
-    end
-  end
-
-  def permission_admin
-    can :manage, :all
-  end
-
-  def permission_user
-    can :read, Order do |order|
-      order.user == user
-    end
-  end
-end

app/policies/application_policy.rb

+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def index?
+    false
+  end
+
+  def show?
+    scope.where(:id => record.id).exists?
+  end
+
+  def create?
+    false
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    false
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    false
+  end
+
+  def scope
+    Pundit.policy_scope!(user, record.class)
+  end
+
+  class Scope
+    attr_reader :user, :scope
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      scope
+    end
+  end
+end

app/policies/order_policy.rb

+class OrderPolicy < ApplicationPolicy
+  def update?
+    user.admin?
+  end
+
+  def show?
+    record.user == user || user.admin?
+  end
+end
\ No newline at end of file

app/views/orders/show.html.haml

@@ -24,12 +24,12 @@
     .form-group
       %label.col-md-2.col-sm-3.col-xs-3.control-label Status
       .col-md-2.col-sm-9.col-xs-9.value
-        - if can?(:update, f.object)
+        - if policy(f.object).update?
           = f.select :status, Order.statuses.keys.map { |status| [status.titleize, status] }, {}, class: 'form-control'
         - else
           = f.object.status.titleize
 
-    - if can?(:update, f.object)
+    - if policy(f.object).update?
       .form-group
         %label.col-md-2.col-sm-3.col-xs-3.control-label
         .col-md-2.col-sm-4.col-xs-9