I have a Rails 3 application that has Categories. A category can be administered by somebody with the Category Owner role. But the Category Owner should only be able to access Categories that he owns, not others. I can lock down the admin functions using CanCan, but I need to restrict the specific categories themselves.
A:
You can do it in one of two ways.
You can either specify a hash of attributes to restrict access in your Ability class.

    can :manage, Category, :user_id => user.id

Or you can use a block:

    can :manage, Category do |c|
      c && c.user_id == user.id
    end

These both check whether the user_id attribute on the category you are checking against matches the user you are checking for.
These are described under Defining Abilities with Hashes and Defining Abilities with Blocks respectively in the CanCan documentation.
Shadwell
2010-10-05 16:14:57
Thanks! I'm so buried in Rails 3 I guess I didn't RTFM the CanCan docs!
AKWF
2010-10-05 17:05:49
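The two rule styles from the answer, exercised against an owned and a non-owned category. This is an added example, not code from the answer or from the CanCan project. `MiniAbility`, `ability_for` and the `User`/`Category` structs are hypothetical stand-ins so the script runs without the gem, and allowing a class-level check whenever a rule exists is an assumption modelled on how CanCan documents checks against a class.

```ruby
# Simplified stand-in for the rule matching the answer relies on.
# It is NOT the cancan gem; it only supports `can` / `can?` with a hash or a block.
class MiniAbility
  Rule = Struct.new(:action, :subject, :conditions, :block)
  def initialize
    @rules = []
  end

  # Same call shapes as in the answer: a hash of attributes, or a block.
  def can(action, subject, conditions = nil, &block)
    @rules << Rule.new(action, subject, conditions, block)
  end

  def can?(action, object)
    @rules.any? do |r|
      next false unless r.action == :manage || r.action == action
      if object.is_a?(Class)
        # Class-level check: there is no record, so ownership cannot be tested.
        object <= r.subject
      else
        object.is_a?(r.subject) && matches?(r, object)
      end
    end
  end

  private
  def matches?(rule, object)
    return !!rule.block.call(object) if rule.block
    (rule.conditions || {}).all? { |attr, value| object.public_send(attr) == value }
  end
end

User     = Struct.new(:id)            # hypothetical models for this example
Category = Struct.new(:id, :user_id)

def ability_for(user, style)
  MiniAbility.new.tap do |a|
    if style == :hash
      a.can :manage, Category, :user_id => user.id
    else
      a.can(:manage, Category) { |c| c && c.user_id == user.id }
    end
  end
end

alice = User.new(1)                   # constructed sample data
mine, theirs = Category.new(10, 1), Category.new(11, 2)
[:hash, :block].each do |style|
  a = ability_for(alice, style)
  puts "#{style}: own=#{a.can?(:update, mine)} other=#{a.can?(:update, theirs)} class=#{a.can?(:update, Category)}"
end
```

The ownership condition only takes effect when the check is given the loaded record, so a controller action should authorize the instance (for example `authorize! :update, @category`) rather than the `Category` class.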