I want to use the ability.rb file of the cancancan gem to do record level authorization.

Let's say I have a User, which has_many Cars, which has_many Wheels.

I want to do authorization for Wheels, so that only Users which own the Car that owns the Wheel can manage it.

What is the best practice way of doing this?

kaizenx

1 Answer

You can define it like this in your ability.rb:

can :manage, Wheel, car: { user_id: user.id }

For more information see:

https://github.com/CanCanCommunity/cancancan/wiki/defining-abilities

davidwessman
  • In some cases you also need to define a block for the rule. For example, in activeadmin it was reading all records I have access to :read, but when can? :update, Article it was just not working. After I added a block condition it solved the issue. – Fedcomp Dec 11 '15 at 10:27