Setup cancancan that user couldn't destroy itself

Question

I'm setting up cancancan to implement this function: if the user is admin, it can destroy every user but himself. This is my ability.rb

 class Ability
    include CanCan::Ability

    def initialize(user)
    if user.role == 'admin'
      cannot :destroy, User, id: user.id
    end
    end
end

And here's my view

<h1>Listing Users</h1>

<table>
  <thead>
  <tr>
    <th>E-Mail</th>
    <th>Name</th>
    <th>Role</th>
    <th colspan="3"></th>
  </tr>
  </thead>

  <tbody>
  <% @users.each do |user| %>
      <tr>
        <td><%= user.email %></td>
        <td><%= user.name %></td>
        <td><%= user.role %></td>
        <% if can? :destroy, @user %>
        <%= link_to 'Destroy', user, method: :delete, data: { confirm: 'Are you sure?' } %>
        <% end %>
      </tr>
  <% end %>
  </tbody>
</table>

And even with this setup there's no destroy link at the end of every user now. What I want is that there's a destroy link behind every users but the admin himself. What should I do? Thanks!

score 0 · Answer 1 · answered Feb 18 '16 at 04:21

0

Just because an admin cannot destroy itself, does not give it permission to destroy other users. You could try giving it destroy permissions.

class Ability
  include CanCan::Ability

  def initialize(user)
    if user.role == 'admin'
      cannot :destroy, User, id: user.id
    else
      can :destroy, User
    end
  end
end

answered Feb 18 '16 at 04:21

Dillon Hafer

156
1
8

Still the same, no destroy links next to all the user info – DevArenaCN Feb 18 '16 at 05:07

score 0 · Accepted Answer · answered Feb 18 '16 at 10:06

Your main issue is that you're calling if can? :destroy, @user when @user doesn't exist:

<% @users.each do |user| %>
  <% if can? :destroy, user %>
<% end %>

If the original answer does not work, perhaps you'd be better using a block to evaluate the user object:

#app/models/ability.rb
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new
    case user.role
      when "admin"
        cannot :destroy, User do |x|
          x.id == user.id
        end
      end
    end
  end
end

This will allow you to use:

<%= link_to 'Destroy', user, method: :delete, data: { confirm: 'Are you sure?' } if can? :destroy, user %>

... although fixing the first issue, I think, will resolve your issue.

Still do not let me delete the user – DevArenaCN Feb 18 '16 at 18:23 — DevArenaCN, Feb 18 '16 at 18:23

Setup cancancan that user couldn't destroy itself

2 Answers2