devise+cancan not blocking access to index problem wherer @proj = Proj.all
I have an app that uses Devise and CanCan. in the config>initializers>Abiliity.rb class A开发者_高级运维bility include CanCan::Ability
def initialize(user)
if user.is? :superadmin
can :manage, :all
elsif user.is? :user
can :read, Project do |project|
project && project.users.include?(user)
end
end
end
end
I have problem with the index action of Project controller, the project controller is a normal stock RESTful controller. Basically, a user who's a normal user, when logged in, can see the projects#index. But not all projects have this user as 'normal user', why isn't cancan blocking his access?
Thanks
Make sure you're calling load_and_authorize_resource
in your ProjectsController
, along the lines of:
class ProjectsController < ApplicationController
load_and_authorize_resource
#...
end
If that still doesn't work, try calling the authorize!
method inside the index action, to see if that makes a difference, eg:
class ProjectsController < ApplicationController
#...
def index
@projects = Project.all
authorize! :read, @projects
end
#...
end
精彩评论