How to assign edit/remove privileges for only own details and not on others?

Hello, I am quite new on rails. Currently making CRUD apps in rails 3.0
in windows.
I’ve used devise [1.1.rc0] for authentication. In those apps any logged
in user can change other user’s details.

How can I design the app, so that any logged in user can edit/remove
his details only if he wishes to do so and can only view others’
records.

After logging in he should be directed to his own page, where his
details are stored. He can only Update and Delete any of his details
there. But can only View the main page where his record will be kept
with other records. He should be able to remove or edit others’
records.

Thanks,

Pallav

Pallav_bfs wrote in post #1044557:

Hello, I am quite new on rails. Currently making CRUD apps in rails 3.0
in windows.
I’ve used devise [1.1.rc0] for authentication. In those apps any logged
in user can change other user’s details.

How can I design the app, so that any logged in user can edit/remove
his details only if he wishes to do so and can only view others’
records.

After logging in he should be directed to his own page, where his
details are stored. He can only Update and Delete any of his details
there. But can only View the main page where his record will be kept
with other records. He should be able to remove or edit others’
records.

Take a look at one of the authorization frameworks such as CanCan:

https://github.com/ryanb/cancan

On Tue, Feb 7, 2012 at 11:15, Pallav_bfs wrote:

How can I design the app, so that any logged in user can edit/remove
his details only if he wishes to do so and can only view others’
records.

In addition to using authorization gems like CanCan, you can also do
these things yourself. Before each action in each controller, get the
current user. Before any action that would modify, or show in such a
way as to allow modifying, any records, check if the current user is
the owner of those records. If not, redirect to an error page. Also
don’t give him any links to such things! For instance, on the pages
where he can view other people’s records, don’t put an “Edit” link.

-Dave


Dave A.: Available Cleared Ruby on Rails Freelancer
(NoVa/DC/Remote) – see www.DaveAronson.com, and blogs at
www.Codosaur.us, www.Dare2XL.com, www.RecruitingRants.com
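
The manual check described in the reply above, as an added example that is not part of the original thread or of any project mentioned in it. It is a plain-Ruby model so it runs without Rails; the class, method names, `/error` path and sample data are assumptions made for illustration.

```ruby
# Plain-Ruby model; in Rails 3 this check would be a before_filter using Devise's current_user.
User   = Struct.new(:id, :name)
Record = Struct.new(:id, :owner_id, :details)

class RecordsController
  ACTIONS = [:show, :update, :destroy].freeze
  GUARDED = [:update, :destroy].freeze # actions that modify a record

  def initialize(current_user, store)
    @current_user = current_user # hypothetical: resolved from the session
    @store = store               # hypothetical: { id => Record }
  end

  # Run the ownership check before any guarded action, then dispatch.
  def process(action, params)
    return { status: 404 } unless ACTIONS.include?(action)
    @record = @store[params[:id]]
    return { status: 404 } unless @record
    return { status: 302, location: "/error" } if GUARDED.include?(action) && !owner?(@record)
    send(action, params)
  end

  # Only the owner is offered Edit/Delete links; process still enforces the check.
  def links_for(record)
    owner?(record) ? %w[Show Edit Delete] : %w[Show]
  end

  private

  def owner?(record)
    record.owner_id == @current_user.id
  end

  def show(_params)
    { status: 200, body: @record.details }
  end

  def update(params)
    @record.details = params[:details] # owner_id is never read from params
    { status: 302, location: "/records/#{@record.id}" }
  end

  def destroy(_params)
    @store.delete(@record.id)
    { status: 302, location: "/records" }
  end
end

# Constructed sample data: user 1 owns record 1, user 2 owns record 2.
def sample_store
  { 1 => Record.new(1, 1, "alice's details"), 2 => Record.new(2, 2, "bob's details") }
end
```

Hiding the links only tidies the page; the check inside `process` is what stops a hand-crafted update or delete request against someone else's record.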
