I am new at Ruby-on-Rails. I could use some help after looking around at this site and Cancan Guides. I am have trouble getting this to work for Cancan and Devise. the User (Devise) only has Prices, so Price belongs to User.
I have a user_id inside of my database for my Price migration:
create_table "prices", :force => true do |t|
t.string "price_name"
t.decimal "price"
t.date "date"
t.datetime "created_at"
t.datetime "updated_at"
t.integer "user_id"
end
My Prices Controller ( everything was a scaffolded but the user_id which was separate from another migration into the Price table):
class PricesController < ApplicationController
before_filter :authenticate_user!
# GET /prices
# GET /prices.xml
def index
@prices = Price.all
respond_to do |format|
format.html # index.html.erb
format.xml { render :xml => @prices }
end
end
# GET /prices/1
# GET /prices/1.xml
def show
@price = Price.find(params[:id])
respond_to do |format|
format.html # show.html.erb
format.xml { render :xml => @price }
end
end
# GET /prices/new
# GET /prices/new.xml
def new
@price = Price.new
respond_to do |format|
format.html # new.html.erb
format.xml { render :xml => @price }
end
end
# GET /prices/1/edit
def edit
@price = Price.find(params[:id])
end
# POST /prices
# POST /prices.xml
def create
@price = current_user.prices.build(params[:price])
respond_to do |format|
if @price.save
format.html { redirect_to(@price, :notice => 'Price was successfully created.') }
format.xml { render :xml => @price, :status => :created, :location => @price }
else
format.html { render :action => "new" }
format.xml { render :xml => @price.errors, :status => :unprocessable_entity }
end
end
end
# PUT /prices/1
# PUT /prices/1.xml
def update
@price = Price.find(params[:id])
respond_to do |format|
if @price.update_attributes(params[:price])
format.html { redirect_to(@price, :notice => 'Price was successfully updated.') }
format.xml { head :ok }
else
format.html { render :action => "edit" }
format.xml { render :xml => @price.errors, :status => :unprocessable_entity }
end
end
end
# DELETE /prices/1
# DELETE /prices/1.xml
def destroy
@price = Price.find(params[:id])
@price.destroy
respond_to do |format|
format.html { redirect_to(prices_url) }
format.xml { head :ok }
end
end
end
And then this is my Ability.rb (app/models/ability.rb):
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new
if user.admin?
can :manage, :all
cannot :destroy, User, :id => current_user.id
else
can :manage, Price, :user_id => user.id
end
end
end
My question is, how do i make it so only the current user can to edit or delete his or hers own Prices? My code keeps letting any User who is logged in do anything with anyone's Prices.
Thanks in advanced.
Updated code that works:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new
can :manage, Price, :user_id => user.id
end
end
important* - remove (or comment out) edit,update,destroy,create and new instance variables (e.g. @), i was wondering why my code wasn't working and i removed the following and it did it:
def new
# @price = Price.new
def edit
# @price = Price.find(params[:id])
def create
# @price = Price.new(params[:price]) or @price = current_user.prices.build(params[:price])
def update
# @price = Price.find(params[:id])
def destroy
# @price = Price.find(params[:id])
Then at top of PricesController:
class PricesController < ApplicationController
before_filter :authenticate_user!
load_and_authorize_resource
skip_authorize_resource :only => :show