Home/ Questions/Q 8689139
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T23:33:58+00:00

I have a RESTful controller for the model UserResource . I added a custom

  • 0

I have a RESTful controller for the model UserResource. I added a custom action called remote_update and I want to limit that action only if the user’s id matches:

if user.has_role? :admin
  can :manage, :all

elsif user.has_role? :regular
  can [:remote_update], UserResource, :user_id => user.id

end

I am using load_and_authorize_resource in the controller.

The problem is that users are still able to use that action even if their user id does not match. (To test, I am using Firebug and changing the hidden value of the id).

My route is as follows:

resources :user_resources do

collection do
  post 'remote_update'
end

end

According to https://github.com/ryanb/cancan/wiki/Authorizing-controller-actions, when we have custom actions, Cancan tries to load the resource using the id, from the link:

def discontinue
 # Automatically does the following:
 # @product = Product.find(params[:id])
 # authorize! :discontinue, @product
end

I don’t have an id defined because it is a POST, not a GET or PUT.
THoughts on how to construct the ability? Thank you.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It looks like you are trying to do an update (‘remote_update’) with a POST. A POST is supposed to create, and thus should not normally have a populated id. Thus I would not expect CanCan to do that lookup for you.

    I suggest that you either:

    Manually find the product and authorize it in your discontinue method,

    or

    Use a PUT

    btw, The ability looks correct to me.

    • 0