Setup Devise to only allow editing of own records?

I've got Devise working in my Rails app but I can't figure out how to now lock it down so a user can only edit their own record in the users table AND in tables belonging to t开发者_如何转开发he user.

What am I missing here? Is this done in the controller or the model?

I would create a helper in application_controller for current_user and remove the use of User.find

The simplest way of creating an authorization is with a boolean flag (admin true/false). For other simple solutions are cancan, as mentioned by Yannis or easy_roles KISS is recommend to start with. You may implement the edit action like this

def edit
 if current_user.is_admin?
   User.find(params[:id])
 else
    current_user
 end
end

application_controller.rb

def current_user
  UserSession.find
end

To limit access by the user, like a user having his/hers own tasks, do this.

def index
  @tasks = current_user.tasks
end

Devise is an authentication solution. You now need an authorization system. Have a look to Ryan Bates CanCan (github, railscasts).