RailsDFW

Reputation: 1573

Rails 3, Cancan: defining ability on custom controller action acting on collection, not member

I have a RESTful controller for the model UserResource. I added a custom action called remote_update and I want to limit that action only if the user's id matches:

class Ability
  include CanCan::Ability

  def initialize(user)
    if user.has_role? :admin
      can :manage, :all
    elsif user.has_role? :regular
      # only the owner (user_id matches) may call remote_update
      can [:remote_update], UserResource, :user_id => user.id
    end
  end
end

I am using load_and_authorize_resource in the controller.

The problem is that users are still able to use that action even if their user id does not match. (To test, I am using Firebug and changing the hidden value of the id).

My route is as follows:

resources :user_resources do
  collection do
    post 'remote_update'
  end
end

According to https://github.com/ryanb/cancan/wiki/Authorizing-controller-actions, when we have custom actions, Cancan tries to load the resource using the id, from the link:

def discontinue
  # Automatically does the following:
  # @product = Product.find(params[:id])
  # authorize! :discontinue, @product
end

I don't have an id defined because it is a POST, not a GET or PUT. Thoughts on how to construct the ability? Thank you.

Upvotes: 2

Views: 2592

Answers (1)

Taylored Web Sites

Reputation: 1027

It looks like you are trying to do an update ('remote_update') with a POST. A POST is supposed to create, and thus should not normally have a populated id. Thus I would not expect CanCan to do that lookup for you.

I suggest that you either:

Manually find the product and authorize it in your discontinue method,

or

Use a PUT

BTW, the ability looks correct to me.

Upvotes: 1
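Added example, not the asker's or the answerer's code and not the cancan gem itself: a minimal stand-in for the CanCan pieces involved (hash conditions on `can`, an `AccessDenied` error) next to the controller fix the answer suggests, i.e. loading the record from the submitted id and authorizing it explicitly, because `load_and_authorize_resource` loads no member record for a collection route and so never checks the `:user_id` condition. The `User` and `UserResource` structs, the `roles` array and the in-memory record store are assumptions.

```ruby
# Stand-in for the parts of CanCan used here (not the real gem): rules with
# hash conditions, and an AccessDenied error raised by a failed check.
class AccessDenied < StandardError; end

class Ability
  def initialize(user)
    @rules = []
    if user.roles.include?(:admin)
      can :manage, :all
    elsif user.roles.include?(:regular)
      # Same rule as in the question: only the owner may remote_update.
      can :remote_update, UserResource, user_id: user.id
    end
  end

  def can(action, subject, conditions = {})
    @rules << [action, subject, conditions]
  end

  # A rule matches when action and class match and every attribute
  # condition (e.g. user_id == current user's id) holds on the record.
  def can?(action, record)
    @rules.any? do |a, s, cond|
      (a == :manage || a == action) &&
        (s == :all || record.is_a?(s)) &&
        cond.all? { |attr, val| record.public_send(attr) == val }
    end
  end
end

User = Struct.new(:id, :roles)                 # assumed shape
UserResource = Struct.new(:id, :user_id, :value)

# Stand-in for the controller. The collection route has no params[:id], so
# the action must find the record from the form field and authorize it.
class UserResourcesController
  def initialize(current_user, records)
    @current_user = current_user
    @records = records   # stands in for UserResource.find
  end

  def remote_update(params)
    resource = @records.fetch(params[:id].to_i)   # UserResource.find(params[:id])
    ability = Ability.new(@current_user)
    raise AccessDenied unless ability.can?(:remote_update, resource)
    resource.value = params[:value]               # only reached for the owner/admin
    :ok
  end
end
```

A tampered hidden id now fails the ownership check before any change is written, which is the behaviour the question expected from the ability alone.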
