Joao Carlos Joao Carlos - 1 year ago 147
Ruby Question

RoR: CanCanCan authorize only user created items

What is wrong with this code? A normal user still being able to see all relatos, when he should only see his own.

My view code:

<% if can? :read, Relato %>
<td><%= %></td>
<td><%= %></td>
<td><%= %></td>
<td><%= relato.local.logra %></td>
<td><%= relato.time %></td>
<td><%= relato.comment %></td>
<% end %>


can :manage, :all if user.role == "admin"

if user.role == "normal"
can :read, Relato , :user_id =>
can :manage, Relato, :user_id =>

Answer Source

You need to authorize the user for a particular instance:

<%= if can? :read, relato %>

When you attempt to authorize a user for an entire class, as you do above, CanCanCan ignores any conditions defined in the Ability because it can't determine a user_id field for the entire Relato model; it can only do so for a single relato instance.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download