This is my code for my index.html.erb scaffold
as you can see the if else stops a user to “show, edit or destroy” the
entries. However, they can create a new Rota entry by clicking New
Rotum. I can get rid of the admin part in Show, edit, destroy and
everyone will be able to do everything. But I want a user to be able to
only show edit destroy their OWN entry and not everyone elses too
because that is what happens when I authenticate a user to do this?

 <h1>Listing rota</h1>

 <table id = "tabletest">
  <thead>
    <tr>
  <th>Name</th>
  <th>Mobile</th>
  <th>Email</th>
  <th>Category</th>
  <th>Other</th>
  <th colspan="3"></th>
   </tr>
 </thead>

 <tbody>
   <% @rota.each do |rotum| %>
    <tr>
    <td><%= rotum.name %></td>
    <td><%= rotum.mobile %></td>
    <td><%= rotum.email %></td>
    <td><%= rotum.category %></td>
    <td><%= rotum.other %></td>

 <% if current_user.try(:admin?) %>
    <td><%= link_to 'Show', rotum %></td>
    <td><%= link_to 'Edit', edit_rotum_path(rotum) %></td>
    <td><%= link_to 'Destroy', rotum, method: :delete, data: {

confirm: ‘Are you sure?’ } %>

<% end %>
<% end %>

<br>
   <% if user_session %>
<%= link_to 'New Rotum', new_rotum_path %>
  <% end %>

What does the controller look like?

Try googling for “devise with cancan”

On Oct 6, 2014, at 6:53 AM, Mohammed R. [email protected]
wrote:

</thead>
<% if current_user.try(:admin?) %>

To post to this group, send email to [email protected]. To view this discussion on the web visit

https://groups.google.com/d/msgid/rubyonrails-talk/a2aa649ac285cd6d2bac5cd2c9dfe0f8%40ruby-forum.com.

For more options, visit https://groups.google.com/d/optout.

Jason Fleetwood-Boldt
[email protected]

All material Jason Fleetwood-Boldt 2014. Public conversations may be
turned into blog posts (original poster information will be made
anonymous). Email [email protected] with questions/concerns about
this.

Jason Fb wrote in post #1159167:

What does the controller look like?

class RotaController < ApplicationController
before_filter :authenticate_user!, except: ( :Welcome)
before_action :set_rotum, only: [:show, :edit, :update, :destroy]

GET /rota

GET /rota.json

def index
@rota = Rotum.all
@is_admin = current_user.try(:admin?)
end

GET /rota/1

GET /rota/1.json

def show
end

GET /rota/new

def new
@rotum = Rotum.new
end

GET /rota/1/edit

def edit
end

POST /rota

POST /rota.json

def create
@rotum = Rotum.new(rotum_params)

respond_to do |format|
  if @rotum.save
    format.html { redirect_to @rotum, notice: 'Rotum was 

successfully created.’ }
format.json { render :show, status: :created, location: @rotum }
else
format.html { render :new }
format.json { render json: @rotum.errors, status:
:unprocessable_entity }
end
end
end

PATCH/PUT /rota/1

PATCH/PUT /rota/1.json

def update
respond_to do |format|
if @rotum.update(rotum_params)
format.html { redirect_to @rotum, notice: ‘Rotum was
successfully updated.’ }
format.json { render :show, status: :ok, location: @rotum }
else
format.html { render :edit }
format.json { render json: @rotum.errors, status:
:unprocessable_entity }
end
end
end

DELETE /rota/1

DELETE /rota/1.json

def destroy
@rotum.destroy
respond_to do |format|
format.html { redirect_to rota_url, notice: ‘Rotum was
successfully destroyed.’ }
format.json { head :no_content }
end
end

private
# Use callbacks to share common setup or constraints between
actions.
def set_rotum
@rotum = Rotum.find(params[:id])
end

# Never trust parameters from the scary internet, only allow the 

white list through.
def rotum_params
params.require(:rotum).permit(:name, :mobile, :email, :category,
:other)
end
end

I will take a look at it, thanks for the advice

The before_action :set_rotum is where you want to put the access
control.

Despite what I said earlier, you don’t actually need cancan, but as an
alternative to this implementation you can use something like cancan for
access control.

In your example, you would do something like this (obviously this
example assumes you have the rotem object belonging to the user object)

def set_rotem
@rotem = current_user.rotems.find(params[:id])
if @rotem.nil?
render :html => “Not authorized”, :status => 401
end
end

or something like this:

def set_rotem
@rotem = Rotem.find(params[:id])
if @rotem.user != current_user
render :html => “Not authorized”, :status => 401
end
end

-Jason

On Oct 6, 2014, at 1:03 PM, Mohammed R. [email protected]
wrote:

GET /rota.json

end

POST /rota

   format.html { render :new }
 if @rotum.update(rotum_params)


 params.require(:rotum).permit(:name, :mobile, :email, :category,

To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/rubyonrails-talk/7457774d8710957cef70c7fcfa5040fd%40ruby-forum.com.
For more options, visit https://groups.google.com/d/optout.

Jason Fleetwood-Boldt
[email protected]

All material Jason Fleetwood-Boldt 2014. Public conversations may be
turned into blog posts (original poster information will be made
anonymous). Email [email protected] with questions/concerns about
this.

I am using rails-devise-pundit, It works perfect. However, I tried to
include this code in my controller, but it shows me

undefined method `set_rotum’ for #RotaController:0x000000050413e8

I’m trying to fix this as we speak, However if you have any suggestions.
Please try and help. Thanks.

I do not have a controller for user, I have it for rota but I do have a
model called user and rotum. I put belongs_to :user in the Rotum model
and has_many :rotum in the User model.

Here they are:

class User < ActiveRecord::Base
has_many :rotum

Include default devise modules. Others available are:

:confirmable, :lockable, :timeoutable and :omniauthable

devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
end

class Rotum < ActiveRecord::Base
belongs_to :user
validates_presence_of :name, :mobile, :email, :category, :other
end

Hopefully I’d have fixed this soon buty please try and help if you can
further. Thanks,

Rashid