Home/ Questions/Q 7439139
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T10:39:47+00:00

Hello I’m actually using Ryan’ Bates cancan gem authorization to make my application’s users

  • 0

Hello I’m actually using Ryan’ Bates cancan gem authorization to make my application’s users to only manage the data that they create.I’m using Sorcery gem to handle authentification.

models/ability.rb 

class Ability
  include CanCan::Ability

  def initialize(user)
       user ||= User.new # guest user (not logged in)
       if user
        can :manage, Profile, :user_id => user.id
        can :manage, Album, :user_id => user.id
       end

  end
end

controllers/albums_controllers.rb

# -*- encoding : utf-8 -*-
class AlbumsController < ApplicationController

    # Authentification before accessing Albums
    before_filter :require_login, :except => [:not_authenticated]
    load_and_authorize_resource


  def index
    @albums = Album.all

    respond_to do |format|
      format.html # index.html.erb
      format.json { render json: @albums }
    end
  end


  def show
    @album = Client.find(params[:id])
    authorize! :show, @album

    respond_to do |format|
      format.html # show.html.erb
      format.json { render json: @album }
    end
  end


  def new
    @album = Album.new

    respond_to do |format|
      format.html # new.html.erb
      format.json { render json: @album }
    end
  end

  def edit
    @album = Album.find(params[:id])
     authorize! :edit, @album
  end


  def create
    @album = Album.new(params[:album])

    respond_to do |format|
      if @album.save
        format.html { redirect_to @album, notice: 'album was successfully created.' }
        format.json { render json: @album, status: :created, location: @album }
      else
        format.html { render action: "new" }
        format.json { render json: @album.errors, status: :unprocessable_entity }
      end
    end
  end


  def update
    @album = Album.find(params[:id])
     authorize! :update, @album

    respond_to do |format|
      if @album.update_attributes(params[:album])
        format.html { redirect_to @album, notice: 'Album was successfully updated.' }
        format.json { head :ok }
      else
        format.html { render action: "edit" }
        format.json { render json: @album.errors, status: :unprocessable_entity }
      end
    end
  end


  def destroy
    @album = Album.find(params[:id])
    @album.destroy

    respond_to do |format|
      format.html { redirect_to albums_url }
      format.json { head :ok }
    end
  end
end

But after this a user can still operate on another user’s data.What am I missing to do.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    load_and_authorize_resource automatically provides you with @albums (so there is no need to set it again in index. So in the following:

    def index
  @albums = Album.all
   .....# some code
end

    @albums is being loaded again with all the albums, that’s why it is showing them all. You can replace that with this:

    def index
  @albums = Album.accessible_by(current_ability)
   .....# some code
end

    But even this is not required as load_and_authorize_resource populates @albums with the correct albums for the current user. So the following would suffice: 

    def index
   .....# some code
end

    will give you the same result. This is the power of cancan.Also, instead of load_and_authorize_resource, you can use authorize_resource or load_resourse separately. More details here

    • 0