Reputation: 5220
In Rails, what's the best practice for authorizing a user's access to a model?
I'm using Devise for user authentication and basic authentication. Let's say I have defined two reciprocal associations between Users and Cars.
- User
has_many :cars - Car
belongs_to :user
User A has a car with id 1, User B has a car with id 2.
What's the best practice for preventing User A from accessing the resource at /cars/2? I could add a before_filter for :show, :edit, :update, :destroy to each controller, but that seems tedious and repetitive. Is there any way to use Devise or CanCan for this purpose?
Upvotes: 0
Views: 227
Answers (1)
Reputation: 901
you can use CanCan for this, read more about it here https://github.com/ryanb/cancan
after adding load_and_authorize_resource to the top of your controller
you can add the following line to your ability model to only allow the cars owner to manage it
can :manage, Car, :user_id => user.id
Upvotes: 2
Related Questions
- How to restrict the access to models for different user roles in rails (cancan gem)?
- Rails authorization from scratch with operators
- In rails4 having many models, using cancancan gem, grant access to specific user to a specific model only?
- Rails: Ask user authentication before CanCan access denied
- Rails4 authorization strategies
- Cancan authorisation for a specific model
- authorizing users with cancan and devise
- Defining role-based access to the Devise User model
- Rails authorization? check in Model vs controller
- Model-level authorization in Rails