It is possible to specify multiple `can` and `cannot` definitions with hashes and have it properly translate to a single SQL query.
```ruby
- in ability.rb
can :manage, User, id: 1
can :manage, User, manager_id: 1
cannot :manage, User, self_managed: true
```
When using `accessible_by` it will translate to SQL conditions that look like this.
```sql
not (self_managed = ‘t’) AND ((manager_id = 1) OR (id = 1))
```
If you have the following definition:
```ruby
can :manage, User, id: user.id
can :assign_roles, User do
user.admin?
end
```
and you call `can? :assign_roles, some_user` it evaluates to `true` when `current_user == some_user` because it falls back to `can :manage, User, id: user.id`.
Proper can definition should be now:
```ruby
can :manage, User, id: user.id
cannot :assign_roles, User
can :assign_roles, User if user.admin?
```