I have an app that is using CanCan and Devise. I am having Devise handle the User destroy action.
The route:

    DELETE /users(.:format) devise/registrations#destroy

My Controller:

    class UsersController < ApplicationController
      skip_before_filter :authenticate_user!, :only => :portfolio

      def index
        redirect_to dashboard_user_path(current_user)
      end

      def dashboard
        ...
      end

      def portfolio
      end
    end

My ability.rb:

    class Ability
      include CanCan::Ability

      def initialize(user)
        user ||= User.new
        if user.role?('Administrator')
          can :access, :rails_admin
          can :dashboard
          can :manage, :all
        else
          cannot :destroy, User
          can :read, :all
          ...
        end
      end
    end

This code above does not work. A user who is not an administrator still has the ability to delete a user. I am assuming the reason is that I do not have a UsersController#destroy method.
So my question is: how do I make CanCan prevent a user who is not an administrator from being able to delete a user?
Any help would be greatly appreciated.
Thanks
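
An added example, not part of the original post and not CanCan's or Devise's own code: a CanCan rule such as `cannot :destroy, User` only takes effect in an action that actually checks the ability, and the route above goes to Devise's registrations controller, which makes no CanCan check. The sketch below models that with a hypothetical `MiniAbility` class and two hypothetical handlers (`destroy_without_check`, `destroy_with_check`) over constructed user hashes.

```ruby
# Added illustration: MiniAbility is a hypothetical stand-in for CanCan::Ability,
# so this runs without Rails, Devise or the cancan gem. Users are constructed hashes.
class AccessDenied < StandardError; end

class MiniAbility
  def initialize(user)
    @rules = []
    if user[:role] == 'Administrator'
      can :manage, :all
    else
      cannot :destroy, :user
      can :read, :all
    end
  end

  def can(action, subject)
    @rules << [true, action, subject]
  end

  def cannot(action, subject)
    @rules << [false, action, subject]
  end

  # Later rules override earlier ones; no matching rule means "not allowed".
  def can?(action, subject)
    rule = @rules.reverse.find do |_allowed, a, s|
      (a == :manage || a == action) && (s == :all || s == subject)
    end
    rule ? rule[0] : false
  end

  def authorize!(action, subject)
    raise AccessDenied, "#{action} #{subject}" unless can?(action, subject)
  end
end

# An action that never consults the ability: the cannot rule exists but is inert.
def destroy_without_check(users, current_user)
  users.delete(current_user[:id])
  :deleted
end

# The same action with the check made before the record is touched.
def destroy_with_check(users, current_user)
  MiniAbility.new(current_user).authorize!(:destroy, :user)
  users.delete(current_user[:id])
  :deleted
rescue AccessDenied
  :forbidden
end
```

In the app itself the equivalent check is a call such as `authorize! :destroy, resource` in whichever controller action the `DELETE /users` route reaches, for example in a subclass of `Devise::RegistrationsController` that overrides `destroy`.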