diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 28a4f5d..867b30e 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,6 +1,8 @@
 class UsersController < ApplicationController
- skip_before_filter :require_login, :only => [:index, :new, :create, :activate]
+ skip_before_filter :require_login, :only => [ :new, :create, :activate]
+ load_and_authorize_resource
+ skip_authorize_resource :only => [ :new, :create, :activate ]
 # GET /users
 # GET /users.xml
@@ -45,6 +47,7 @@ def edit
 # POST /users.xml
 def create
 @user = User.new(params[:user])
+ @user.roles = 'user'
 respond_to do |format|
 if @user.save
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 24d4e51..9aa3506 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -8,8 +8,11 @@ def initialize(user)
 if user.role? :admin
 can :manage, :all
- else
+ elsif user.role? :user
 can :manage, User, :id => user.id
+ can :read, :all
+ else
+ can :read, :all
 end
 # The first argument to `can` is the action you are giving the user permission to do.
diff --git a/app/views/user_sessions/edit.html.erb b/app/views/user_sessions/edit.html.erb
index bdd270e..3a80dac 100644
--- a/app/views/user_sessions/edit.html.erb
+++ b/app/views/user_sessions/edit.html.erb
@@ -3,4 +3,4 @@
 <%= render 'form' %>
 <%= link_to 'Show', @user_session %> |
-<%= link_to 'Back', user_sessions_path %>
+<%= link_to 'Back', root_path %>
diff --git a/app/views/user_sessions/new.html.erb b/app/views/user_sessions/new.html.erb
index 8409743..2cee3b0 100644
--- a/app/views/user_sessions/new.html.erb
+++ b/app/views/user_sessions/new.html.erb
@@ -6,4 +6,4 @@
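Review bot: The action list `[:new, :create, :activate]` is now written twice, once for `skip_before_filter :require_login` and once for `skip_authorize_resource`, and the two have to be kept in sync by hand: an action later added to only the first runs unauthenticated but still goes through CanCan with a guest Ability, while one added to only the second runs authenticated with no authorization at all. Pull the list into one frozen constant, e.g. `PUBLIC_ACTIONS = [:new, :create, :activate].freeze`, and pass `:only => PUBLIC_ACTIONS` to both macros. Also note that `skip_authorize_resource` skips only the authorize step; `load_and_authorize_resource` will presumably still try to load a `User` for `activate` when an `:id` param is present, so confirm `activate` does not rely on that loaded record for anything security-relevant. `UsersController` continues past this hunk.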
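Review bot: Forcing `@user.roles = 'user'` right after `User.new(params[:user])` stops a self-registering user from choosing a role at signup, but it covers only this one path; if `update` (outside the hunk) does `update_attributes(params[:user])`, a user who `can :manage` their own record can still submit `user[roles]=admin` there unless the model keeps `roles` out of mass assignment. The durable fix belongs on the model — `attr_accessible` for the fields the form legitimately sets, or at least `attr_protected :roles` — with this line kept as defence in depth. A why-comment would help the next reader, e.g. `# Roles are set only by admins, never taken from the signup form.` The attribute is called `roles` but receives a single string while Ability checks `user.role? :user`; presumably `role?` parses that string, which is worth confirming. `create` continues past this hunk.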
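Review bot: `can :read, :all` is granted identically in both the `elsif` and the new `else`, so the only difference between a logged-in user and a guest is the self-`:manage` rule; hoist `can :read, :all` above the `if user.role? :admin` line and drop the `else` branch entirely (admins are already covered by `:manage, :all`). Separately, `:all` grants read on every model in the application, including `User` and anything added later, to anyone an Ability is built for — a controller that uses `load_and_authorize_resource` without a `require_login` filter would then expose its `index`/`show` to guests, so naming the specific models guests may read keeps that decision explicit. The `else` branch also assumes `user` is a guest object rather than `nil`; presumably it is defaulted above this hunk (`user ||= User.new`), since `user.role? :admin` would otherwise raise before reaching it. `initialize` continues past this hunk.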