Limit access of active admin using cancancan

Question

I want to prohibit admin from seeing the data of a user (which user added manually). Admin should only see the data which he added from admin panel. I'm using cancancan gem and active admin gem.

This is the ability.rb file, where cancancan is used:

def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.admin?
      can :manage, :all
    else
      can :manage, WebCred, user_passes: {user_id: user.id}
    end
    index do
    selectable_column
    id_column
    column :email
    column :current_sign_in_at
    column :sign_in_count
    column :created_at
    actions
  end
  filter :email
  filter :current_sign_in_at
  filter :sign_in_count
  filter :created_at
  form do |f|
    f.inputs do
    f.input :email
    f.input :password
    f.input :password_confirmation
  end
  f.actions
end

This is the file of my active admin. I want to prohibit admin from seeing the passord [sic] of the webcred which user added manually, while allowing admin to see the password that he added.

Answer 1

You can add a new ability by passing a block for evaluating the condition (The block must evaluate to true when the admin should not be able to see the password).

def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.admin?
        can :manage, :all
        cannot :see_password, WebCred do |web_cred|
            web_cred.password_created_by_user_himself? ###Your condition here
        end
    else
        can :manage, WebCred, user_passes: {user_id: user.id}
    end
end

Then in your view or controller you can check this ability using can? :see_password, WebCred.find(:id).