How can I use cancan to stop a user from editing other users' profiles?
How can I set an ability to allow a user to only edit their own profile? The edit link is placed in their own show page like so:
<% if can? :update, User %>
<div class="button">
<%= link_to 'edit my profile', edit_user_path(@user) %>
</div>
<% end %>
The ability currently looks like this:
if user.role == "author"
  can :create, Review
  can :update, Review do |review|
    review.try(:user) == user
  end
  can :update, User, :id => user.id
end
I have load_and_authorize_resource in the user controller too.
But this doesn't work: the user (with the role of author) can still see and use the edit button on all users' show pages.
What am I doing wrong here?
Thanks very much for any help, it's much appreciated!
Should be:
<% if can? :update, @user %>
You need to pass the actual object instance instead of the class.
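To see why the class check passes for every author, here is a small plain-Ruby model of how CanCan matches a rule that carries hash conditions. This is an added example, not code from the question, the answer, or the cancan gem; the `User` struct, the `Ability` class with its `Rule` struct, and the `edit_link_visible?` helper are assumptions made for illustration. The behaviour it models is CanCan's documented one: when the subject is a class, hash conditions are ignored (some instance might match), and only an instance check evaluates `:id => user.id`.

```ruby
# Minimal model of CanCan's rule matching with hash conditions (added example,
# not the cancan gem). It reproduces the distinction the answer relies on:
#   can? :update, User        -> true for any author (class check, conditions ignored)
#   can? :update, other_user  -> false unless other_user.id == current_user.id

User = Struct.new(:id, :role)   # constructed stand-in for the app's User model

class Ability
  Rule = Struct.new(:action, :subject_class, :conditions)

  def initialize(user)
    user ||= User.new(nil, "guest") # CanCan's usual guest fallback
    @rules = []
    if user.role == "author"
      # same rule as in the question: authors may update only their own User row
      can :update, User, id: user.id
    end
  end

  def can(action, subject_class, conditions = {})
    @rules << Rule.new(action, subject_class, conditions)
  end

  # Class subject: the rule matches if any rule exists for that class; the
  # conditions cannot be evaluated against a class, so they are skipped.
  # Instance subject: every condition attribute must equal the instance's value.
  def can?(action, subject)
    @rules.any? do |rule|
      next false unless rule.action == action
      if subject.is_a?(Class)
        subject <= rule.subject_class
      else
        subject.is_a?(rule.subject_class) &&
          rule.conditions.all? { |attr, value| subject.public_send(attr) == value }
      end
    end
  end
end

# Models the view check on a show page. With check_class: true it mirrors the
# original `can? :update, User`; otherwise it mirrors the fix `can? :update, @user`.
def edit_link_visible?(current_user, profile_owner, check_class: false)
  ability = Ability.new(current_user)
  check_class ? ability.can?(:update, User) : ability.can?(:update, profile_owner)
end

if __FILE__ == $0
  alice = User.new(1, "author")
  bob   = User.new(2, "author")
  puts "class check on bob's page:    #{edit_link_visible?(alice, bob, check_class: true)}"
  puts "instance check on bob's page: #{edit_link_visible?(alice, bob)}"
  puts "instance check on own page:   #{edit_link_visible?(alice, alice)}"
end
```

Note that the broken view check only leaked the button, not the action itself: `load_and_authorize_resource` in the controller calls `authorize!` against the loaded `@user` instance, so a request to edit someone else's profile would still be rejected. The view should make the same instance-level check so that what the user sees matches what the server allows.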