Hi all. I'm using CanCan for my app authorization and need to know how
to protect privacy between users.
Say I have the following three users:
Alice
Bob
Charlie
Alice is an admin and should be able manage everything. Bob and Charlie
are regular users and should be prevented from getting the index of
users, and only be able to manage their own record. For example Bob
should not be able to directly access any information about Charlie nor
Alice.
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.admin?
can :manage, :all
else
can :read, :all
end
end
end
Obviously these "default" abilities are not sufficient. Anyone could get
the "index" of users or the "show" of any user. I need to restrict
non-admins to the "show", "edit" & "update" of themselves, but have no
access to anyone else.
I'm just not sure how to define these abilities.
--
Posted via http://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/9a5d2ef53e344f2ebcf981893ac2d468%40ruby-forum.com.
For more options, visit https://groups.google.com/groups/opt_out.
No comments:
Post a Comment