I’ve got an app that uses Devise, CanCan and Rolify to deal with authentication

Question

0

Asked: June 12, 20262026-06-12T02:25:54+00:00 2026-06-12T02:25:54+00:00

I’ve got an app that uses Devise, CanCan and Rolify to deal with authentication

0

I’ve got an app that uses Devise, CanCan and Rolify to deal with authentication and authorization. But I don’t think I’m using these gems to the full extent. Right now the only thing in my ability class is this:

class Ability

  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.has_role? :admin
      can :manage, :all
    else
      can :read, :all
    end
  end
end

I found a security hole where an authenticated user is able to look at other user profiles. I fixed it by changing some code in the user controller.

def show
  @user = current_user.has_role?(:admin) ? User.find(params[:id]) : current_user
end

Is this the best way to deal with this hole? Is there a best practice or a rails convention that addresses this in a different way?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-12T02:25:56+00:00

Editorial Team

2026-06-12T02:25:56+00:00Added an answer on June 12, 2026 at 2:25 am

From the doc:

can :read, ModelName, :user_id => user.id

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’ve got an app that uses Devise, CanCan and Rolify to deal with authentication

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply