Rails CanCan with nested resources

I have a Projects resource that is nested in a user resource.

My Cancan ability class:

```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    # everyone
    can :read, Project

    if user.blank?
      # guest user
      # ...
    else
      # every signed-in user
      case user.role
      when User::ROLES[:admin]
        # only admin-role users
        can :manage, :all
      when User::ROLES[:member]
        # only member-role users
        can :update, User, :id => user.id
        can [:create, :update, :destroy], Project, :user_id => user.id
      else
      end
    end
  end
end
```

And the projects controller:

```ruby
class ProjectsController < ApplicationController
  load_and_authorize_resource :user
  # resource name is singular (the model), loaded through the parent user
  load_and_authorize_resource :project, :through => :user, :shallow => true
  # ...
end
```

I have a few questions:

Is it possible to deny `read` on `User` but allow `read` on `Project`, so that everyone can access `/users/10/projects` but not `/users/10` or `/users`?

How can I deny a user access to the `new` action under another user's `user_id`? For example, if I add

```ruby
# everyone
can :read, User
can :read, Project
```

this code allows user 42 to access `/users/41/projects/new`.

Tags: ruby-on-rails, authorization, cancan
1 answer

Solved this by doing:

```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    # everyone
    can :read, Project
    can :read, User      # required to access nested resources
    cannot :index, User  # ...but no user listing
    cannot :show, User   # ...and no single-user page

    if user.blank?
      # guest user
      # ...
    else
      # every signed-in user
      case user.role
      when User::ROLES[:admin]
        # only admin-role users
        can :manage, :all
      when User::ROLES[:member]
        # only member-role users
        can :update, User, :id => user.id
        # condition on the association, so it also applies to a project
        # built through user.projects (e.g. the nested new action)
        can :manage, Project, :user => { :id => user.id }
      else
      end
    end
  end
end
```
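The answer works because CanCan resolves `can?` by walking the rules from the last defined to the first and taking the first one that matches, so a later `cannot :index, User` overrides the earlier `can :read, User`, and the nested hash `:user => { :id => user.id }` is matched against `project.user.id` rather than against a `user_id` column. The following is an added example, not code from the question or the answer and not the cancan gem: it is a deliberately small stand-in for `CanCan::Ability` that models just the rule resolution relevant here (last matching rule wins, `:manage` matches every action, the default `:read`/`:create`/`:update` aliases, hash and nested-hash conditions, and the class-level check behaviour where a conditional `can` still grants `can?(:read, Project)` but a conditional `cannot` does not block it). The `User`, `Project` and `ROLES` definitions are assumptions made so that the answer's ability rules can be exercised for a guest, for member 42 against both their own project and one owned by user 41, and for an admin.

```ruby
# Added example: a minimal model of CanCan::Ability's rule resolution
# (not the cancan gem), used to exercise the rules from the answer above.

# CanCan's default action aliases: a rule for :read also covers :index and
# :show, :create covers :new, :update covers :edit.
ACTION_ALIASES = { read: [:index, :show], create: [:new], update: [:edit] }.freeze

Rule = Struct.new(:base_behavior, :actions, :subject, :conditions) do
  # Does this rule apply to the action and the subject's class at all?
  def relevant?(action, subject_or_class)
    klass = subject_or_class.is_a?(Class) ? subject_or_class : subject_or_class.class
    matches_action?(action) && (subject == :all || klass <= subject)
  end

  def matches_action?(action)
    return true if actions.include?(:manage)
    actions.flat_map { |a| [a] + ACTION_ALIASES.fetch(a, []) }.include?(action)
  end

  # Mirrors CanCan: a class-level check (can?(:read, Project)) is granted by a
  # conditional `can` rule but is not blocked by a conditional `cannot` rule.
  def matches_conditions?(subject_or_class)
    return true if conditions.empty?
    return base_behavior if subject_or_class.is_a?(Class)
    conditions_match?(subject_or_class, conditions)
  end

  private

  # Hash conditions are compared attribute by attribute; a nested hash is
  # matched against the associated object (project.user => { :id => 42 }).
  def conditions_match?(object, hash)
    return false if object.nil? # e.g. project.user not set
    hash.all? do |attr, expected|
      actual = object.public_send(attr)
      expected.is_a?(Hash) ? conditions_match?(actual, expected) : actual == expected
    end
  end
end

class MiniAbility
  def initialize
    @rules = []
  end

  def can(actions, subject, conditions = {})
    @rules << Rule.new(true, Array(actions), subject, conditions)
  end

  def cannot(actions, subject, conditions = {})
    @rules << Rule.new(false, Array(actions), subject, conditions)
  end

  # The last defined rule that matches decides, exactly as in CanCan.
  def can?(action, subject)
    rule = @rules.reverse.find do |r|
      r.relevant?(action, subject) && r.matches_conditions?(subject)
    end
    rule ? rule.base_behavior : false
  end
end

# Assumed stand-ins for the Rails models referenced on the page.
class User < Struct.new(:id, :role)
  ROLES = { admin: 'admin', member: 'member' }.freeze
end

class Project < Struct.new(:id, :user)
  def user_id
    user && user.id
  end
end

# The ability rules from the accepted answer, expressed against MiniAbility.
def build_ability(user)
  ability = MiniAbility.new
  ability.can :read, Project
  ability.can :read, User      # needed so the nested :user resource loads
  ability.cannot :index, User  # ...but /users is denied
  ability.cannot :show, User   # ...and /users/:id is denied
  unless user.nil?
    case user.role
    when User::ROLES[:admin]
      ability.can :manage, :all
    when User::ROLES[:member]
      ability.can :update, User, id: user.id
      ability.can :manage, Project, user: { id: user.id }
    end
  end
  ability
end

if __FILE__ == $PROGRAM_NAME
  u42 = User.new(42, User::ROLES[:member])
  u41 = User.new(41, User::ROLES[:member])
  member = build_ability(u42)
  puts "member 42 new project under user 41: #{member.can?(:new, Project.new(2, u41))}"
  puts "member 42 update own project: #{member.can?(:update, Project.new(1, u42))}"
  puts "guest show user: #{build_ability(nil).can?(:show, u41)}"
end
```

Two things to carry back to the real application: the ownership condition only matches when the nested `new` action actually builds the project through `user.projects` (so that `project.user` is set), and the `cannot :show, User` rule should be checked against your CanCan version, because later releases (1.6 onward, and CanCanCan) authorize a `:through` parent with `:show` by default and expose a `:parent_action` option to change that, which would make the nested route fail authorization unless the parent action is adjusted.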
