So I got CanCan and Devise working well. I have two types of users:
Admins and Nonadmins. Admins can view ALL appointments from the same
Account or Organization.
The problem is, every user (either Admin or Nonadmin) belongs to an
Account or Organization. Admins should only be able to view appointments
from
their own Account or Organization.
Can’t get it to do it.
Every appointment has an account_id
Every user has an account_id
So this is what I have on ABILITY.RB
can :read, Appointment do |appointment|
appointment.try(:account_id) == user.account_id
end
But I keep on watching Appointments of OTHER ACCOUNTS on the INDEX.
whyyyy?