So here is a little gotcha, and a solution, when using CanCan and Best In Place. With the default setup, if CanCan auth fails on a Best In Place edit, you get a redirect to your default “Auth Failed” path, and that page then tries to render as JavaScript.
That does not work all that well!
So here is my simple solution: if we get an auth denied on an XHR request, just return a generic error!
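```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery
  # CanCan: raise if any action finishes without an authorization check
  check_authorization

  rescue_from CanCan::AccessDenied do |exception|
    if request.xhr?
      # Ajax caller (e.g. a Best In Place edit): return a generic JSON error
      # instead of a redirect the client would try to render.
      render :json => ['You are not authorised to do that.'], :status => :unprocessable_entity
    else
      # Normal page request: redirect with the CanCan message as a flash alert
      redirect_to '/', :alert => exception.message
    end
  end

  # ...
end
```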
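The two branches of that handler, modelled in plain Ruby so they can be exercised without Rails. This is an added example, not code from the original post: the method names, the sample request environments and the extra `Accept` check (for `fetch()` clients, which do not send `X-Requested-With` by default) are assumptions made for illustration.

```ruby
require "json"

DENIED_MESSAGE = "You are not authorised to do that."

# request.xhr? keys off the X-Requested-With header, which Rack exposes as
# HTTP_X_REQUESTED_WITH. The client controls this header, so it may only
# select the response format; the denial itself has already been decided.
def xhr?(env)
  /XMLHttpRequest/i.match?(env["HTTP_X_REQUESTED_WITH"].to_s)
end

# Assumption beyond the post: an explicit JSON Accept header also counts as a
# script-driven caller that cannot use an HTML redirect.
def wants_json?(env)
  env.fetch("HTTP_ACCEPT", "").split(",").any? do |type|
    type.strip.start_with?("application/json")
  end
end

# Hypothetical stand-in for the rescue_from block: returns a Rack-style
# [status, headers, body] triple for a request that was denied.
def access_denied_response(env)
  if xhr?(env) || wants_json?(env)
    # Same shape as the post: JSON array of messages with status 422.
    [422, { "content-type" => "application/json" }, [JSON.generate([DENIED_MESSAGE])]]
  else
    # Full page navigation: send the browser back to the root path.
    [302, { "location" => "/" }, []]
  end
end

# Constructed sample request environments (not captured traffic).
BIP_EDIT    = { "REQUEST_METHOD" => "PUT", "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest" }
BROWSER_NAV = { "REQUEST_METHOD" => "GET", "HTTP_ACCEPT" => "text/html,application/xhtml+xml" }
FETCH_CALL  = { "REQUEST_METHOD" => "PUT", "HTTP_ACCEPT" => "application/json" }

if __FILE__ == $PROGRAM_NAME
  [BIP_EDIT, BROWSER_NAV, FETCH_CALL].each do |env|
    status, headers, body = access_denied_response(env)
    puts "#{status} #{headers.inspect} #{body.join}"
  end
end
```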