I’m trying to restrict access to Projects that a user did not create. This seems to be working fine with:
if user.has_role?(:Student)
  can :create, Project
  can :manage, Project, :user_id => user.id
end
(Side Question: Is there a better way to write that? ^^)
However, I can still access the URL: /users/5/projects
I just can’t see the projects as expected. I’d rather it tell me that I cannot access the page, and redirect. I do have this in my application controller:
rescue_from CanCan::AccessDenied do |exception|
  redirect_to root_url, :alert => exception.message
end
But I don’t receive a redirection or error message. Do I need to add something else to the abilities to make that work?
I do have load_and_authorize_resource in both the ProjectsController and UsersController.
For the record, my routes look like this:
resources :users do
  resources :projects
end
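As an added illustration (not code from the question, the answer, or the CanCan gem) of why the nested index never reaches rescue_from: CanCan's index loading filters the collection with accessible_by instead of raising, so denial only happens if the parent User is authorized as well. The Ability class, the extra `can :read, User` rule, the sample users and projects are all constructed stand-ins.

```ruby
# Constructed stand-in for CanCan's rule matching (not the gem): it models the
# question's :manage rule and shows why a nested index is filtered, not denied.
User    = Struct.new(:id, :roles)
Project = Struct.new(:id, :user_id)
class AccessDenied < StandardError; end

class Ability
  def initialize(user)
    @rules = []                              # [action, subject class, conditions]
    return unless user.roles.include?(:Student)   # stands in for has_role?(:Student)
    can :create, Project
    can :manage, Project, user_id: user.id   # the rule from the question
    can :read,   User,    id: user.id        # assumed extra rule: read only yourself
  end
  def can(action, subject, conditions = {})
    @rules << [action, subject, conditions]
  end
  # A rule applies when the action matches (or the rule is :manage), the record is
  # an instance of the subject class, and every condition equals the record's attribute.
  def can?(action, record)
    @rules.any? do |act, klass, conds|
      (act == action || act == :manage) && record.is_a?(klass) &&
        conds.all? { |attr, val| record.public_send(attr) == val }
    end
  end
  def authorize!(action, record)
    raise AccessDenied, "Not authorized to #{action} #{record.class}" unless can?(action, record)
  end
  def accessible_by(records)               # index-style loading: filter, never raise
    records.select { |r| can?(:read, r) }
  end
end
# As in the question: only Project is authorized, so another user's /users/5/projects
# yields an empty list and rescue_from never fires.
def index_projects_only(current_user, parent_user_id, projects)
  Ability.new(current_user).accessible_by(projects.select { |p| p.user_id == parent_user_id })
end

# Also authorizing the parent User (CanCan: load_and_authorize_resource :user, then
# :project, :through => :user) raises AccessDenied, which rescue_from would redirect.
def index_through_user(current_user, parent_user, projects)
  ability = Ability.new(current_user)
  ability.authorize!(:read, parent_user)
  ability.accessible_by(projects.select { |p| p.user_id == parent_user.id })
rescue AccessDenied => e
  [:redirect, "/", e.message]              # stands in for redirect_to root_url
end

ALICE    = User.new(1, [:Student])                                        # constructed
BOB      = User.new(5, [:Student])                                        # constructed
PROJECTS = [Project.new(10, 1), Project.new(11, 5), Project.new(12, 5)]   # constructed
```

With only the Project rule, ALICE requesting BOB's projects gets an empty list and no redirect; once the parent User is authorized too, the same request is denied and redirected.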
Try this one.
It will check whether the current user owns the project or not. If he doesn't own the project, then he won't be able to modify it.
The first condition is there just to check whether the user object exists or not; you can also use an exception handler there. Here's an example of that: