bjoern

Reputation: 1019

Setting permissions at the route level?

I'm new to rails and I am using devise for authentication.

I have a route called /users/5/events/1/add_images to which the current_user should only have access if @user == current_user. What's the best way to set this permission? Should this be done on the controller level?

Any help would be appreciated! Thanks!

Upvotes: 0

Views: 1307

Answers (1)

Robin

Reputation: 21884

Yes, it should be done at the controller level.

You can use the cancan gem for handling authorization.

https://github.com/ryanb/cancan

http://railscasts.com/episodes/192-authorization-with-cancan

Roughly, you have to define the ability:

# in app/models/ability.rb, inside Ability#initialize(user)
can :add_images, Event do |event|
    event.user.id == user.id   # only the event's owner may add images
end

In the events_controller, add a before_filter

# in app/controllers/events_controller.rb
before_filter :find_event # set @event
before_filter :authorize_add_images, only: :add_images

private

def authorize_add_images
    authorize! :add_images, @event   # raises CanCan::AccessDenied unless the ability allows it
end

That's the general idea, read the doc for the rest.

Upvotes: 3
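As an added illustration (not part of the answer above and not the cancan gem itself), here is a dependency-free Ruby sketch of the same owner check, so the rule can be exercised outside Rails. The `User`, `Event`, `Ability` and `AccessDenied` names and the sample data are assumptions made for this example.

```ruby
# Minimal stand-in for CanCan's Ability DSL and authorize!, used to show why the
# ownership rule belongs in the controller layer rather than in the route.
User  = Struct.new(:id, :name)
Event = Struct.new(:id, :user)   # event.user is the owning User

class AccessDenied < StandardError; end

class Ability
  def initialize(user)
    @rules = []
    # Same rule as in the answer: only the event's owner may add images.
    can :add_images, Event do |event|
      event.user.id == user.id
    end
  end

  def can(action, subject_class, &condition)
    @rules << [action, subject_class, condition]
  end

  def can?(action, subject)
    @rules.any? do |act, klass, cond|
      act == action && subject.is_a?(klass) && cond.call(subject)
    end
  end

  # Like CanCan's authorize!, this raises instead of returning false, so a
  # forgotten rescue cannot silently let the request through to the action.
  def authorize!(action, subject)
    raise AccessDenied, "cannot #{action} #{subject.class}" unless can?(action, subject)
    true
  end
end

# What the before_filter chain in the answer boils down to for
# /users/:user_id/events/:id/add_images: the check is on the loaded record,
# not on the ids that appeared in the URL.
def authorize_add_images(current_user, event)
  Ability.new(current_user).authorize!(:add_images, event)
end

# Constructed sample data: alice (id 5) owns event 1, bob (id 6) owns event 2.
ALICE = User.new(5, "alice")
BOB   = User.new(6, "bob")
ALICE_EVENT = Event.new(1, ALICE)
BOB_EVENT   = Event.new(2, BOB)
```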
