Access model and Restrict controller actions #557

jmaniv opened this Issue Feb 3, 2012 · 1 comment


None yet
2 participants

jmaniv commented Feb 3, 2012

I have Tool and ToolType resource.I want to set following permissions as per role

  1. Admin can manage all
  2. User can manage
    a) Tool resources(both Toolscontroller's action and Tool model)
    b) Should only be able to read the ToolType model which user_id is equal to

Menu links in layout/application.html.erb

<%=link_to "Tools", tools_url if can? :index, Tool%>
<%=link_to "ToolTypes", tool_types_url if can? :index, ToolType%>


in my ability.rb:

if user.has_role? :sysadmin
      can :manage, :all
      can :manage, Tool, :user_id =>
      can :read, ToolType, :user_id =>
      cannot :index, ToolType

My problem is: its enable tool types link in my menu even I was login as normal user.

How to access Tool resources( Tool model and ToolController's action)
and ToolType model only( restrict ToolTypeController's action).
Because while creating new Tools I need a list of ToolType and I want to restrict normal users from viewing all ToolType.


derekprior commented May 15, 2012

The :read action is an alias for :show and :index. You have declared that non :sysadmin users should be able to read and show ToolTypes that belong to them. That means they can also index the ToolTypes that belong to them - which is more specific than the later cannot call to disallow :index of all ToolTypes. I think you want to change your else block to:

can :manage, Tool, :user_id =>
can :show, ToolType, :user_id =>

If you still need assistance, please comment and we can reopen.

@derekprior derekprior closed this May 15, 2012

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment