Forum: Ruby on Rails Protecting user privacy with CanCan

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
280b78a61a968391b7e07e912be102a8?d=identicon&s=25 Robert Walker (robert4723)
on 2013-08-01 04:48
Hi all. I'm using CanCan for my app authorization and need to know how
to protect privacy between users.

Say I have the following three users:


Alice is an admin and should be able manage everything. Bob and Charlie
are regular users and should be prevented from getting the index of
users, and only be able to manage their own record. For example Bob
should not be able to directly access any information about Charlie nor

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= # guest user (not logged in)
    if user.admin?
      can :manage, :all
      can :read, :all

Obviously these "default" abilities are not sufficient. Anyone could get
the "index" of users or the "show" of any user. I need to restrict
non-admins to the "show", "edit" & "update" of themselves, but have no
access to anyone else.

I'm just not sure how to define these abilities.
This topic is locked and can not be replied to.