cancan: the difference between "manage" and the combination of "read, create, update and destroy"?

In trying to debug use of cancan i found that if use the following i can get past the accessdenied message:

  can :manage, Model

When i changed it to the following I am denied access:

  can :read, Model
  can :create, Model
  can :update, Model
  can :destroy, Model

What does manage include that the combination of read, create, update and destroy do not?

Thanks.

By default CanCan maps :read, :create etc. to the relevant controller actions e.g.:

def default_alias_actions
  {
    :read => [:index, :show],
    :create => [:new],
    :update => [:edit],
  }
end

But, of course you're not restricted to having just those actions in your controller, ultimately a controller action can have any name. By the same token you're not restricted to having just :read, :create, :update, :detroy in CanCan. You can alias any symbol to any controller action. Let us say you have an action on your controller called do_cool_things, you can then alias any symbol to that action to be used by CanCan e.g.:

alias_action :do_cool_things, :to => :coolify

You would then be able to do this:

can :coolify, Neighborhood

Which means the current user would have access to the :do_cool_things method of the NeighborhoodsController. However if you had used :manage you wouldn't need to define this separate action since :manage is a catch-all. So if you had done:

can :manage, Neighborhood

The current user would still have had access to the :do_cool_things method of the controller.

So, :manage lets you do anything, but :read, :create, :update and :destroy are only 4 of an infinite number of CanCan actions that you can define and map to any controller action you choose.

You can define custom actions (When you define a user's abilities for a given model, you are not restricted to the 7 RESTful actions (create, update, destroy, etc.), you can create your own.) If you have manage all, you wold be able to access those custom actions too.