Hi all. I’m using CanCan for my app authorization and need to know how
to protect privacy between users.
Say I have the following three users:
Alice
Bob
Charlie
Alice is an admin and should be able manage everything. Bob and Charlie
are regular users and should be prevented from getting the index of
users, and only be able to manage their own record. For example Bob
should not be able to directly access any information about Charlie nor
Alice.
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.admin?
can :manage, :all
else
can :read, :all
end
end
end
Obviously these “default” abilities are not sufficient. Anyone could get
the “index” of users or the “show” of any user. I need to restrict
non-admins to the “show”, “edit” & “update” of themselves, but have no
access to anyone else.
I’m just not sure how to define these abilities.