diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 28a4f5d..867b30e 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,6 +1,8 @@
 class UsersController < ApplicationController
- skip_before_filter :require_login, :only => [:index, :new, :create, :activate]
+ skip_before_filter :require_login, :only => [ :new, :create, :activate]
+ load_and_authorize_resource
+ skip_authorize_resource :only => [ :new, :create, :activate ]
 # GET /users
 # GET /users.xml
@@ -45,6 +47,7 @@ def edit
 # POST /users.xml
 def create
 @user = User.new(params[:user])
+ @user.roles = 'user'
 respond_to do |format|
 if @user.save
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 24d4e51..9aa3506 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -8,8 +8,11 @@ def initialize(user)
 if user.role? :admin
 can :manage, :all
- else
+ elsif user.role? :user
 can :manage, User, :id => user.id
+ can :read, :all
+ else
+ can :read, :all
 end
 # The first argument to `can` is the action you are giving the user permission to do.
diff --git a/app/views/user_sessions/edit.html.erb b/app/views/user_sessions/edit.html.erb
index bdd270e..3a80dac 100644
--- a/app/views/user_sessions/edit.html.erb
+++ b/app/views/user_sessions/edit.html.erb
@@ -3,4 +3,4 @@
 <%= render 'form' %>
 <%= link_to 'Show', @user_session %> |
-<%= link_to 'Back', user_sessions_path %>
+<%= link_to 'Back', root_path %>
diff --git a/app/views/user_sessions/new.html.erb b/app/views/user_sessions/new.html.erb
index 8409743..2cee3b0 100644
--- a/app/views/user_sessions/new.html.erb
+++ b/app/views/user_sessions/new.html.erb
@@ -6,4 +6,4 @@
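Review bot: `:activate` is excluded from authorization by `skip_authorize_resource` but not from loading, so the new `load_and_authorize_resource` still runs its load step for that action; if activate identifies the user by an activation token rather than a record id, that load may either do nothing or fail on a missing record, and `skip_load_resource :only => [:activate]` should be declared alongside it. Whether that applies depends on the activate action, which is outside this hunk. On style, the two `:only` arrays carry the same list with inconsistent bracket spacing (`[ :new, :create, :activate]` vs `[ :new, :create, :activate ]`); a single frozen constant such as `PUBLIC_ACTIONS = [:new, :create, :activate].freeze` used by both filters keeps them from drifting apart.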
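Review bot: Assigning `@user.roles = 'user'` after `User.new(params[:user])` pins the role for self-registration regardless of what the request submitted, which is the right order; the same protection does not automatically extend to `update`, which is outside this hunk, so if `roles` is mass-assignable on the model a later edit of `user[roles]` could change it. Worth confirming that `roles` is excluded from mass assignment (or reset in `update` the same way) so this create-time override is not the only guard. A short comment on the new line, `# role is fixed server-side on signup and never taken from params`, would record the intent for the next reader.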
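Review bot: `can :read, :all` is duplicated in the `elsif` and `else` branches; hoisting it above the `if` (one `can :read, :all` before `if user.role? :admin`) removes the repetition, since the admin branch already has `:manage, :all`. That grant also gives read on every model, including `User`, to the `else` case, so listing and showing users is then held back only by the controller's `require_login` filter rather than by the ability itself; if the intent is that only signed-in users read users, `can :read, User` belongs in the `:user` branch and the `else` branch should name its public models instead of `:all`. The rest of `initialize`, including how a nil user is handled before this `if`, is outside the hunk.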

Forgot Password?

 <%= render 'forgot_password_form' %>
-<%= link_to 'Back', user_sessions_path %>
+<%= link_to 'Back', root_path %>
diff --git a/app/views/users/index.html.erb b/app/views/users/index.html.erb
index 9b9f71c..562339b 100644
--- a/app/views/users/index.html.erb
+++ b/app/views/users/index.html.erb
@@ -12,13 +12,17 @@
 <% @users.each do |user| %>
 <%= user.email %>
- <%= link_to 'Show', user %>
- <%= link_to 'Edit', edit_user_path(user) %>
- <%= link_to 'Destroy', user, :confirm => 'Are you sure?', :method => :delete %>
+ <% if can? :read, User %>
+ <%= link_to 'Show', user %>
+ <% end %>
+ <% if can? :update, User %>
+ <%= link_to 'Edit', edit_user_path(user) %>
+ <% end %>
+ <% if can? :destroy, User %>
+ <%= link_to 'Destroy', user, :confirm => 'Are you sure?', :method => :delete %>
+ <% end %>
 <% end %>
-
-<%= link_to 'New User', new_user_path %>
diff --git a/db/seeds.rb b/db/seeds.rb
index a74fc71..7d22931 100644
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -13,3 +13,7 @@
 user = User.create :email => 'user@test.com', :password => 'user', :password_confirmation => 'user'
 user.roles = 'user'
 user.save
+
+test = User.create :email => 'test@test.com', :password => 'test', :password_confirmation => 'test'
+test.roles = 'user'
+test.save
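Review bot: The three new `can?` checks test the `User` class rather than the row's `user`, so under the `:user` role's `can :manage, User, :id => user.id` rule a class-level `can? :update, User` is true for every signed-in user and the Edit and Destroy links render on every row, not only the viewer's own; the server-side `load_and_authorize_resource` still rejects the request, but the view checks are not doing what they appear to. Change them to the instance: `<% if can? :read, user %>`, `<% if can? :update, user %>`, `<% if can? :destroy, user %>`. The surrounding table markup does not survive in this rendering, so the placement of the `<% if %>` blocks relative to the cells should be checked in the file.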
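Review bot: The added `test@test.com` account follows the existing `user@test.com` one in using a password equal to its local part (`'test'`), so two well-known credentials now exist wherever this seed file is loaded; if it is ever run outside development, those accounts are live. Guard the test accounts with `unless Rails.env.production?`, or read their passwords from the environment, and consider extracting the repeated create / `roles=` / `save` triple into a small helper such as `seed_user(email, password, role)` so the pattern is defined once. As written each user is also written twice (`User.create` then `save`), which is harmless for seeds but worth a comment if it is deliberate.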