I cannot get cancan to work properly using `load_and_authorize_resource` with the model class. Instead I had to use a redirect on `before_action` to redirect if they are not the owner. It was allowing access to both show and update, even though I have it disallowed in my abilities.
```ruby
class CarBuilderController < ApplicationController
  before_action :set_car, only: [:show, :update]
  #load_and_authorize_resource :car, parent: true #THIS SHOULD WORK, RIGHT???

  def show
    ...
  end

  def update
    # ... update car logic here
  end

  private

  def set_car
    @car = Car.find(params[:car_id])
    # MY TEMP FIX: only admins and the owning user get past this point
    redirect_to cars_path, notice: "You do not have access to change that." unless current_user.is_admin? || @car.user_id == current_user.id
  end
end
```
My Abilities:
```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    cannot :read, User
    cannot :manage, [Car, Feature]
    can :read, :all
    if user.username != nil
      can :create, [Car, Feature]
      # LIMIT BASED ON OWNERSHIP: only the owning user may change a Car
      can [:update, :edit, :destroy], Car, :user_id => user.id
      ...
    end
  end
end
```