Have you ever noticed that CanCan does not perform the ability check on the destroy action of your controllers, even if you call authorize_resource?
You need to add an explicit authorization check inside your destroy action, like this:
    def destroy
      # Raises CanCan::AccessDenied unless the current user may destroy @event
      authorize! :destroy, @event
      # ...
    end
Check the link for more info:
https://github.com/ryanb/cancan/issues/626
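
To find other controllers that need the same fix, the following added example (not from the original post or the CanCan project) uses Ruby's standard Ripper parser to list destroy actions that contain no explicit authorize! call. The sample controller sources and the helper names are constructed for illustration.

```ruby
require 'ripper'

# Constructed sample controllers (not from the post); in practice read app/controllers/**/*.rb.
SAMPLE = {
  'events_controller.rb' => <<~RUBY,
    class EventsController < ApplicationController
      authorize_resource

      def destroy
        @event.destroy
        redirect_to events_path
      end
    end
  RUBY
  'talks_controller.rb' => <<~RUBY
    class TalksController < ApplicationController
      authorize_resource

      def destroy
        authorize! :destroy, @talk
        @talk.destroy
      end
    end
  RUBY
}.freeze

# True if the s-expression subtree contains a call to the named method.
def calls?(node, name)
  return false unless node.is_a?(Array)
  return true if node[0] == :@ident && node[1] == name
  node.any? { |child| calls?(child, name) }
end

# Yields every instance-method definition node in the tree.
def each_def(node, &block)
  return unless node.is_a?(Array)
  block.call(node) if node[0] == :def
  node.each { |child| each_def(child, &block) }
end

# Returns [label, line] for each `def destroy` with no explicit authorize! in its body.
def unchecked_destroy_actions(sources)
  sources.flat_map do |label, source|
    tree = Ripper.sexp(source) or raise ArgumentError, "cannot parse #{label}"
    hits = []
    each_def(tree) do |d|
      _type, name, (line, _col) = d[1]
      hits << [label, line] if name == 'destroy' && !calls?(d, 'authorize!')
    end
    hits
  end
end

unchecked_destroy_actions(SAMPLE).each do |file, line|
  puts "#{file}:#{line}: destroy has no explicit authorize! call"
end
```

A hit is a prompt for manual review: the scan does not see checks performed in filters or helper methods.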