Reputation: 1175
How can I allow a user to only visit their own show page using cancan?
I've been going through the railscast on using the cancan gem but am stuck on how to only allow a user to visit their own show page.
My code looks like this:
Ability model
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.role == "admin"
can :manage, :all
else
can :read, :all
if user.role == "author"
can :create, Review
can :update, Review do |review|
review.try(:user) == user
end
can :update, User do |user|
user.try(:current_user) == current_user
end
end
if user.role == "owner"
can :update, Venue
end
end
end
end
User controller
class UsersController < ApplicationController
load_and_authorize_resource
end
A user (author) can only update their own reviews, but can currently view all users show pages by altering the URL.
What am I missing here?
Upvotes: 7
Views: 5155
Answers (2)
Reputation: 2420
Constraints can be passed right in your ability class, even easier than the way you're trying. I'm sure this is missing some abilities you're looking to have, but this should get you started. I'm assuming Reviews :belong_to Users with a foreign key of :user_id. It also looks like you need some similar kind of constraint for Venues, but you didn't have it in your code so I didn't put it in this.
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.role == "admin"
can :manage, :all
elsif user.role == "author"
can :create, Review
can :update, Review, :user_id => user.id
can [:show, :update], User, :id => user.id
elsif user.role == "owner"
can :update, Venue
can [:show, :update], User, :id => user.id
else
can [:show, :update], User, :id => user.id
end
end
end
Upvotes: 11
Reputation: 4737
Try adding a check in the controller for when a request comes in for /show to check that the current_user is the owner of the page/profile. Something along the lines of:
def show
@user = User.find(params[:id])
#show_page unless current_user.id != @user.id
end
Maybe flash a notice that "You don't own that page" or something similar on failure.
Upvotes: 0
Related Questions
- Cancan, allow users to only view or edit their own content
- Allow access to different views and routes with cancancan?
- how to use cancancan with displaying certain aspect of a page to certain users
- authorise view user to not access some pages in rails4 app by using cancancan
- Prevent user from accessing page if not current user
- Blocking Users From Specific Pages using Ruby on Rails and cancan
- How to get CanCan to only allow user to view their own profile in Rails?
- Rails Cancan - How to Restrict Users From Accessing Custom URL Route
- Security: using CanCan to make sure user cannot see other users' profiles
- Rails & CanCan: If user is logged in then allow him/her to view index page?