Forum: Ruby on Rails Protecting user privacy with CanCan

Robert Walker (robert4723)
on 2013-08-01 04:48
Hi all. I'm using CanCan for my app authorization and need to know how
to protect privacy between users.

Say I have the following three users:


Alice is an admin and should be able to manage everything. Bob and Charlie
are regular users and should be prevented from getting the index of
users, and only be able to manage their own record. For example, Bob
should not be able to directly access any information about Charlie nor

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.admin?
      can :manage, :all
    else
      can :read, :all   # non-admins: index and show of everything
    end
  end
end

Obviously these "default" abilities are not sufficient. Anyone could get
the "index" of users or the "show" of any user. I need to restrict
non-admins to the "show", "edit" & "update" of themselves, but have no
access to anyone else.

I'm just not sure how to define these abilities.
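One way to define the abilities asked for, added here as an example and not code from the original post. It uses a small stand-in for the CanCan DSL (`can`, `:manage`, hash conditions, `can?`) so it runs without the gem; the rule bodies inside `Ability#initialize` are what you would write against CanCan itself, and Alice, Bob and Charlie are constructed sample users.

```ruby
# Stand-in for the CanCan pieces used here (can, :manage, hash conditions,
# can?) so the rule set runs without the gem; with CanCan you would keep only
# the body of Ability#initialize. Users below are constructed sample data.
User = Struct.new(:id, :name, :admin) do
  def admin?; admin; end
end

class Ability
  def initialize(user)
    @rules = []
    user ||= User.new(nil, 'guest', false) # guest user (not logged in)
    if user.admin?
      can :manage, :all                      # Alice: everything
    else
      # Bob/Charlie: only their own row; the hash condition pins the rule
      # to the caller's id, and :index is deliberately not granted.
      can [:show, :edit, :update], User, id: user.id
    end
  end

  def can(actions, subject, conditions = {})
    @rules << [Array(actions), subject, conditions]
  end

  # As in CanCan: :manage covers every action, :all every subject, and an
  # instance must satisfy the hash conditions. A class-level check such as
  # can?(:show, User) ignores conditions, so list views need their own rule.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |actions, subj, conds|
      next false unless actions.include?(:manage) || actions.include?(action)
      next false unless subj == :all || subj == klass
      subject.is_a?(Class) || conds.all? { |attr, val| subject.public_send(attr) == val }
    end
  end
end

ALICE, BOB, CHARLIE = User.new(1, 'Alice', true), User.new(2, 'Bob', false),
                      User.new(3, 'Charlie', false)
# Privacy checks for the three users from the question; every false value is
# an access that must be denied.
def privacy_checks
  bob = Ability.new(BOB)
  { admin_index:    Ability.new(ALICE).can?(:index, User),
    bob_own_show:   bob.can?(:show, BOB),
    bob_other_show: bob.can?(:show, CHARLIE),
    bob_other_edit: bob.can?(:update, CHARLIE),
    bob_index:      bob.can?(:index, User),
    guest_show:     Ability.new(nil).can?(:show, BOB) }
end
```

With the real gem, `load_and_authorize_resource` on a users controller enforces the same rules per request, and `index` stays denied for Bob and Charlie because no rule grants it.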