CanCan with load_and_authorize_resource :model, parent: true not working inside wicked controller #176

Closed
jgrannas opened this issue Jul 15, 2015 · 0 comments

@jgrannas

I cannot get cancan to work properly using the _load_and_authorize_resource_ with the model class. Instead I had to use a redirect on before_action to redirect if they are not the owner. It was allowing access to both show and update, even though I have it disallowed in my abilities.

```ruby
class CarBuilderControlller < ApplicationController
  before_action :set_car, only: [:show, :update]
  #load_and_authorize_resource :car, parent: true #THIS SHOULD WORK, RIGHT???

  def show
    # ...
  end

  def update
    # ... update car logic here
  end

  private

  # Loads the car from the nested route and redirects non-owners away.
  def set_car
    @car = Car.find(params[:car_id])
    #MY TEMP FIX
    redirect_to cars_path, notice: "You do not have access to this change that." unless current_user.is_admin? || @car.user_id == current_user.id
  end
end
```

My Abilities:

```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)

    cannot :read, User
    cannot :manage, [Car,Feature]
    can :read, :all

    if user.username != nil
      can :create, [Car, Feature]
      #LIMIT BASED ON OWNERSHIP
      can [:update, :edit, :destroy], Car, :user_id => user.id
      # ...
    end
  end
end
```
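
A likely explanation for the behaviour reported above, as an added example that is not part of the issue or of CanCan's own code: CanCan authorizes a resource loaded with `parent: true` against `:show` instead of the running controller action, and `can :read, :all` grants `:show` on every `Car`. The sketch is a simplified pure-Ruby stand-in for CanCan's rule matching; `MiniAbility`, `allowed?` and the sample users are hypothetical, and the `User` and `Feature` rules are left out.

```ruby
# Simplified stand-in for CanCan's rule matching; not the gem's code.
Car  = Struct.new(:user_id)
User = Struct.new(:id, :username)
ALIASES = { read: [:index, :show], create: [:new], update: [:edit] }.freeze

class MiniAbility # hypothetical name
  def initialize(user)
    @rules = []
    # Same Car rules, in the same order, as the Ability class in the issue.
    cannot :manage, Car
    can :read, :all
    return if user.username.nil?
    can :create, Car
    can [:update, :edit, :destroy], Car, user_id: user.id
  end

  def can(actions, subject, conds = {})
    @rules << [true, expand(actions), subject, conds]
  end

  def cannot(actions, subject, conds = {})
    @rules << [false, expand(actions), subject, conds]
  end

  # The last rule that matches decides, so later rules override earlier ones.
  def can?(action, object)
    rule = @rules.reverse.find do |_, actions, subject, conds|
      (actions.include?(:manage) || actions.include?(action)) &&
        (subject == :all || object.is_a?(subject)) &&
        conds.all? { |attr, value| object.public_send(attr) == value }
    end
    rule ? rule[0] : false
  end

  private

  def expand(actions)
    Array(actions).flat_map { |a| [a, *ALIASES.fetch(a, [])] }
  end
end

# A resource loaded with parent: true is checked against :show,
# whatever controller action is running.
def allowed?(user, car, controller_action, parent:)
  checked = parent ? :show : controller_action
  MiniAbility.new(user).can?(checked, car)
end

OWNER = User.new(1, "alice") # constructed sample data
OTHER = User.new(2, "bob")
CAR   = Car.new(1)           # owned by OWNER
```

An explicit `authorize!(action_name.to_sym, @car)` in `set_car` checks the real action and corresponds to the `parent: false` case here.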
@schneems schneems closed this as completed Sep 2, 2016