gem CanCan help

I defined a block in my ability model

elsif admin.has_role? :manager

can [:update, :destroy, :lock, :unlock, :reset_passord], Admin do |another_admin| :employee


but it seems not to be taken in account when testing it : :manager true, :employee true

test “manager_should_be_able_to_reset_employee_password” do

sign_in @manager

ability =


assert ability.can? :reset_password, @employee

looking into the ability instance , I don’t see anything related to :employee condition … => @conditions={},

#<CanCan::Rule:0x007fd92aed1718 @match_all=false, @base_behavior=true,

@actions=[:update, :destroy, :lock, :unlock, :reset_passord],

@subjects=[Admin(id: integer, email: string, encrypted_password: string, reset_password_token: string, reset_password_sent_at: datetime, remember_created_at: datetime, sign_in_count: integer, current_sign_in_at: datetime, last_sign_in_at: datetime, current_sign_in_ip: string, last_sign_in_ip: string, failed_attempts: integer, unlock_token: string, locked_at: datetime, created_at: datetime, updated_at: datetime)],


@block=#Proc:0x007fd92aed1740@/Users/yves/github/local/yoogroop/app/models/backoffice_ability.rb:26, @expanded_actions=[:update, :edit, :destroy, :lock, :unlock, :reset_passord]>,

what’s wrong with my block ?

thanks for help

[SOLVED… I guess]

as per CanCan wiki ,

I passed an Admin scope

Admin class

scope :employees, Admin.joins(:roles).where(:roles => { :name => “employee”, :resource_type => nil}).select(“DISTINCT admins.*”)

in Ability model

if admin.has_role? :manager

can [:manage, :destroy, :lock, :unlock, :reset_passord], Admin.employees