show and edit are unauthorized on authorized (:manage) object

[domachine]

I've got a strange case where an object is reported as not accessible, but should be (according to accessible_by). I tested this using the following lines which should be self-descriptive (byebug in a controller):

Customer.accessible_by(current_ability, :show).count  # => 1
current_ability.can? :show, Customer.accessible_by(current_ability).first  # => false

In the show and the edit actions, this ends up in an unauthorized exception. I describe the permissions in the ability using the following code:

    if user
      return unless user.tags
      tags = user.tags.split(',')
      return if tags[0].empty?
      can :manage, Customer, tags: {name: tags}
    end

The customer model is simple:

class Customer < ActiveRecord::Base
  acts_as_taggable
end

I think this should be a working sample according to docs. Any suggestions?

[karlingen]

https://github.com/CanCanCommunity/cancancan