CODEWITHSUNDEEP
rubyruby-on-rails-3authenticationdevisecancan
jibiel
jibiel

Reputation: 8303

Devise & CanCan — Issues with CanCan 2.0 API

I'd like to have additional attributes for my User model and don't want to create a separate Profile model. I'm trying to update custom fields with standart «update» from RESTful set of actions:

class UsersController < ApplicationController
  before_filter :authenticate_user!
  # ...
  def update
    @user = User.find(params[:id])
    authorize! :update, @user
    respond_to do |format|
      if @user.update_attributes(params[:user])
        format.html { redirect_to @user, notice: 'User was successfully updated.' }
        format.json { head :ok }
      else
        format.html { render action: "edit" }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end
end

And it all goes fine except the fact that the current_user is able to update any user's profile. It seems I can't restrict any User action. I've tried:

can :update, User, :id => user.id

and

cannot :update, User # at all

with no luck. Using Devise 1.5.0 and CanCan 2.0.0.alpha

Here's my ability.rb

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new(:role => nil) # guest user (not logged in)
    can :access, :all
    if user.admin?
      can :manage, :all
    else
      can :read, Review
      if user.customer?
        can :update, User, :id => user.id
        can [:create, :update, :destroy], Review, :user_id => user.id
      end
    end
  end
end

Upvotes: 2

Views: 511

Answers (1)

tmaximini
tmaximini

Reputation: 8503

Code looks good to me. What if you try to simplify the second condition first and take out the customer condition? And maybe take out "can :access, :all

Something like:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new(:role => nil) # guest user (not logged in)
    if user.admin?
      can :access, :all
    else
      can :read, :all
      can :update, :users, :id => user.id
      can [:create, :update, :destroy], :reviews, :user_id => user.id
    end
  end
end

Does your restriction work for Reviews (that user can only edit his own reviews) ? I have a similar ability file but I always work with a seperate profile model..

Upvotes: 1

Related Questions