Forum: Ruby on Rails Protecting user privacy with CanCan

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
280b78a61a968391b7e07e912be102a8?d=identicon&s=25 Robert Walker (robert4723)
on 2013-08-01 04:48
Hi all. I'm using CanCan for my app authorization and need to know how
to protect privacy between users.

Say I have the following three users:

Alice
Bob
Charlie

Alice is an admin and should be able manage everything. Bob and Charlie
are regular users and should be prevented from getting the index of
users, and only be able to manage their own record. For example Bob
should not be able to directly access any information about Charlie nor
Alice.

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.admin?
      can :manage, :all
    else
      can :read, :all
    end
  end
end

Obviously these "default" abilities are not sufficient. Anyone could get
the "index" of users or the "show" of any user. I need to restrict
non-admins to the "show", "edit" & "update" of themselves, but have no
access to anyone else.

I'm just not sure how to define these abilities.
This topic is locked and can not be replied to.