I am trying to define my abilities as follows:
```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.role == 'admin'
      can :manage, :all
    elsif user.role == 'member'
      # manage only the User/Post record whose id equals the member's own id
      can :manage, [User, Post], :id => user.id
      cannot :index, User # list users page
    else
      can :read, :all # guests: read only (:index and :show)
    end
  end
end
```
And I have included `load_and_authorize_resource` at the top of my `PostsController`.
If I understand the definitions, guest users SHOULDN'T have access to the `create` action of `PostsController`, but they do.
Any explanation for this behaviour?
EDIT
Solved!
Just realized that I had forgotten to add a `before_filter :authenticate_user!`, since I'm using Devise for authentication.
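To show that the rules above really do deny `create` to a guest (so the leak had to come from the controller, not the ability definitions), here is an added, self-contained stand-in for CanCan's `can`/`cannot`/`can?` evaluation that replays the question's rules for all three roles. This is example code, not the asker's code and not CanCan itself; the `User`/`Post` structs are constructed stand-ins for the models.

```ruby
# Minimal stand-in for CanCan's rule evaluation (added example, not the gem):
# later rules override earlier ones, :manage covers every action, and
# :read covers :index and :show. Conditions are ignored for class-level checks.
User = Struct.new(:id, :role)  # constructed stand-in for the app's User model
Post = Struct.new(:id)         # constructed stand-in for the app's Post model

class Ability
  READ_ACTIONS = [:index, :show].freeze

  def initialize(user)
    @rules = []
    user ||= User.new # guest user (not logged in): id and role are nil
    if user.role == 'admin'
      can :manage, :all
    elsif user.role == 'member'
      can :manage, [User, Post], id: user.id
      cannot :index, User
    else
      can :read, :all
    end
  end

  def can(action, subject, conditions = {})
    @rules << [true, action, subject, conditions]
  end

  def cannot(action, subject, conditions = {})
    @rules << [false, action, subject, conditions]
  end

  # Last matching rule wins; no matching rule at all means access is denied.
  def can?(action, subject)
    matching = @rules.select do |_, a, s, c|
      action_match?(a, action) && subject_match?(s, subject) && cond_match?(c, subject)
    end
    matching.empty? ? false : matching.last[0]
  end

  private

  def action_match?(rule_action, action)
    rule_action == :manage || rule_action == action ||
      (rule_action == :read && READ_ACTIONS.include?(action))
  end

  def subject_match?(rule_subject, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    rule_subject == :all || Array(rule_subject).include?(klass)
  end

  def cond_match?(conditions, subject)
    return true if conditions.empty? || subject.is_a?(Class)
    conditions.all? { |attr, value| subject.public_send(attr) == value }
  end
end
```

With these rules `Ability.new(nil).can?(:create, Post)` is false, which is why the missing `authenticate_user!` filter (not the ability file) was the cause.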