How would you prevent other users from editing an object, say a profile object that does - not - belong to themselves?
Most online examples are complex with multiple us
UPDATE
Seems like the above code examples were correct. After reading all of the CanCan docs (RTFM ;p) I found out about the role column you need to add.
Because of the way I have my profile update action organized, it seems CanCan does not work! I solved it like below:
    def edit
      @profile = Profile.find params[:id]
      what = params[:what]
      # Check the ability against the loaded record before rendering any edit form
      if can? :update, @profile
        # Only render a known edit section; anything else falls back to the basics form
        if ["basics", "location", "details", "photos", "interests"].member?(what)
          render :action => "edit_#{what}"
        else
          render :action => "edit_basics"
        end
      else
        raise CanCan::AccessDenied.new("Not authorized!", :update, Profile)
      end
    end
Maybe not the cleanest way, but the only way to get it to work. Any suggestions on improvements are welcome. I did have load_and_authorize_resource inside the profiles controller though! Perhaps a bug
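
The ownership check the question asks about, as an added example that is not part of the original post and not CanCan's own code: a plain-Ruby stand-in for a CanCan-style rule with a per-record condition, combined with the allow-list on the section name. The User and Profile structs, their role and user_id attributes, the Ability stand-in and edit_template are assumptions made for illustration.

```ruby
# Added example: plain-Ruby stand-in for a CanCan-style ability (not the CanCan gem).
# User, Profile, Ability and edit_template are constructed for illustration.
User    = Struct.new(:id, :role)
Profile = Struct.new(:id, :user_id)

class AccessDenied < StandardError; end

class Ability
  def initialize(user)
    @rules = []
    return if user.nil?                      # anonymous: no rules, so everything is denied
    if user.role == "admin"
      can :update, Profile                   # admins may update any profile
    else
      # CanCan expresses the same rule as: can :update, Profile, :user_id => user.id
      can :update, Profile, user_id: user.id # owners only, checked per record
    end
  end

  def can(action, klass, conditions = {})
    @rules << [action, klass, conditions]
  end

  # Deny by default; a rule matches only if every condition equals the record's attribute.
  def can?(action, record)
    @rules.any? do |act, klass, conds|
      act == action && record.is_a?(klass) &&
        conds.all? { |attr, value| record.public_send(attr) == value }
    end
  end

  def authorize!(action, record)
    raise AccessDenied, "Not authorized!" unless can?(action, record)
    record
  end
end

EDIT_SECTIONS = %w[basics location details photos interests].freeze

# Authorize against the loaded record first, then map the untrusted
# "what" parameter onto an allow-listed template name.
def edit_template(user, profile, what)
  Ability.new(user).authorize!(:update, profile)
  EDIT_SECTIONS.include?(what) ? "edit_#{what}" : "edit_basics"
end
```

The check runs against the loaded record rather than the Profile class, so a rule without conditions would let any signed-in user edit any profile.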