I created a Devise with CanCan integration as described in:
http://starqle.com/articles/rails-3-authentication-and-authorization-with-devise-and-cancan-part-1/
http://starqle.com/articles/rails-3-authentication-and-authorization-with-devise-and-cancan-part-2/

Now I have two resources for my User class: Devise and a RESTful resource :users.
As mentioned in the tutorial, I included in the RESTful edit_user_path a form for editing the user's rights. Now I don't understand how I can restrict normal users from accessing that edit function and make them use the Devise edit function instead.

Is it possible to just restrict a user to

can :manage, User

but he can still manage the Devise controller?

Solved

I just added in ability.rb

can :assign_roles, User

and then in the _form for the RESTful edit

<% if can? :assign_roles, current_user %>

and then let users edit either via the RESTful _form or the Devise form; it doesn't matter then.

Edit

_form.html.erb (or haml)

<% if can? :assign_roles, @user %>

may work too. It depends on your controller. It should work better, since I made a bit of a workaround to fit it to current_user.

1 Answer

If you want to be sure that your abilities are also checked at the controller level, you should add load_and_authorize_resource to it.

class ProductsController < ActionController::Base
  load_and_authorize_resource
end

https://github.com/ryanb/cancan/wiki/authorizing-controller-actions

If you only show/hide the links in the view depending on the <% if can? %> method, a user might still type the direct link to e.g. the edit action in the address bar.
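To make the point runnable offline, here is an added illustration (not from the question, the answer, or the cancan gem) that models the rules discussed above: an extra :assign_roles permission for admins, a normal user limited to editing their own record, and a controller-level authorize! check that fires before any view is rendered. The Ability class, can, can? and authorize! are a minimal stand-in that follows CanCan's API shape; User, AccessDenied and edit_user are assumed for the example.

```ruby
# Minimal stand-in for CanCan's Ability DSL (assumed, not the real gem),
# enough to show why the view-level can? check alone is not sufficient.
User = Struct.new(:id, :role)

class AccessDenied < StandardError; end

class Ability
  def initialize(user)
    @rules = []
    if user.role == :admin
      can :manage, User            # everything on every User
      can :assign_roles, User      # the extra permission from the question
    else
      # a normal user may only update their own record (Devise-style edit)
      can :update, User, ->(record) { record.id == user.id }
    end
  end

  # Record a rule: action, subject class, optional per-record condition.
  def can(action, subject_class, condition = nil)
    @rules << [action, subject_class, condition]
  end

  # True if any rule grants the action on the subject (class or instance).
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |act, cls, cond|
      (act == :manage || act == action) && cls == klass &&
        (cond.nil? || subject.is_a?(Class) || cond.call(subject))
    end
  end

  # What load_and_authorize_resource does per action: raise if not allowed.
  def authorize!(action, subject)
    raise AccessDenied, "cannot #{action} #{subject.inspect}" unless can?(action, subject)
    true
  end
end

# Simulates UsersController#edit reached by typing /users/:id/edit directly:
# the record is loaded, authorize! runs first, only then is the form chosen.
def edit_user(current_user, target)
  ability = Ability.new(current_user)
  ability.authorize!(:update, target)
  # view-level check from the question's _form: show the roles fieldset or not
  ability.can?(:assign_roles, target) ? :form_with_roles : :form_without_roles
end
```

A normal user opening another user's edit URL is stopped by authorize! regardless of what the view hides; the same user editing their own record gets the form without the roles fieldset.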