RoR: CanCanCan authorize only user created items

Question

What is wrong with this code? A normal user still being able to see all relatos, when he should only see his own.

My view code:

<% if can? :read, Relato %>
  <td><%= relato.id %></td>
  <td><%= relato.cliente.name %></td>
  <td><%= relato.projeto.name %></td>
  <td><%= relato.local.logra %></td>
  <td><%= relato.time %></td>
  <td><%= relato.comment %></td>
<% end %>

My Ability class:

can :manage, :all if user.role == "admin"

if user.role == "normal"
  can :read, Relato ,  :user_id => user.id 
  can :manage, Relato,  :user_id => user.id 
end

The poor formatting of this code makes it difficult to read, and as a result, assist. — Brad Werth, Aug 06 '15 at 17:07
@BradWerth Mods have approved edits. The code is more readable now — Alan H., Aug 06 '15 at 17:52

score 3 · Accepted Answer · answered Aug 06 '15 at 17:08

You need to authorize the user for a particular instance:

<%= if can? :read, relato %>

When you attempt to authorize a user for an entire class, as you do above, CanCanCan ignores any conditions defined in the Ability because it can't determine a user_id field for the entire Relato model; it can only do so for a single relato instance.

RoR: CanCanCan authorize only user created items

1 Answers1

Linked