Joao Carlos Joao Carlos - 1 month ago 19
Ruby Question

RoR: CanCanCan authorize only user created items

What is wrong with this code? A normal user still being able to see all relatos, when he should only see his own.

My view code:

<% if can? :read, Relato %>
<td><%= relato.id %></td>
<td><%= relato.cliente.name %></td>
<td><%= relato.projeto.name %></td>
<td><%= relato.local.logra %></td>
<td><%= relato.time %></td>
<td><%= relato.comment %></td>
<% end %>


My
Ability
class:

can :manage, :all if user.role == "admin"

if user.role == "normal"
can :read, Relato , :user_id => user.id
can :manage, Relato, :user_id => user.id
end

Answer

You need to authorize the user for a particular instance:

<%= if can? :read, relato %>

When you attempt to authorize a user for an entire class, as you do above, CanCanCan ignores any conditions defined in the Ability because it can't determine a user_id field for the entire Relato model; it can only do so for a single relato instance.

Comments