Home/ Questions/Q 9119475
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T05:24:16+00:00

I’m new to rails and I am using devise for authentication. I have a

  • 0

I’m new to rails and I am using devise for authentication.

I have a route called /users/5/events/1/add_images to which the current_user should only have access if @user == current_user. What’s the best way to set this permission? Should this be done on the controller level?

Any help would be appreciated! Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, it should be done at the controller level.

    You can use the cancan gem for handling authorization.

    https://github.com/ryanb/cancan

    http://railscasts.com/episodes/192-authorization-with-cancan

    Roughly, you have to define the ability:

    can :add_images, Event do |event|
    event.user.id == user.id
end

    In the events_controller, add a before_filter

    before_filter :find_event # set @event
before_filter :authorize_add_images, only: :add_images

def authorize_add_images
    authorize! :add_images, @event
end

    That’s the general idea, read the doc for the rest.

    • 0