How to manage permissions with CanCan on namespaced web app?

Question

I am experiencing some problems setting permissions on my Rails 3 web application. I currently use Devise and CanCan. I have a single User model, used by Devise. The roles are admin, manager and user.

My solution uses namespaces to separate administration panels.

Root (frontend)
 - static pages
Manager
 - administration pages for "manager" roled users.
Backend
 - administration pages for "admin" roled users.

I read documentation and some tutorials but I can make it working. My problem is that CanCan checks ability with the action that the user is trying to execute on models.

So, if a user is logged as manager and has to manage his own Posts, he can do it by going on /manager/posts. But the problem is that he also can go to /backend/posts directory and can index Posts which he is not owner.

This problem happens because ability class tells that managers can index the Post model, but managers and admins, both are working on the Post model.

Is there a way to specify the namespace where the user is allowed to access, or not?

I saw there is many ways like using namespaced models (Backend::Posts Manager::Posts, using different tables)...

What is the best solution to manage permissions on a namespaced app where roles are working on same models, with Devise and CanCan?

Answer 1

Problem solved with this solution: https://github.com/ryanb/cancan/wiki/Authorization-for-Namespaced-Controllers