views: 26
answers: 2

I've got Devise working in my Rails app but I can't figure out how to now lock it down so a user can only edit their own record in the users table AND in tables belonging to the user.

What am I missing here? Is this done in the controller or the model?

+1  A: 

Devise is an authentication solution. You now need an authorization system. Have a look at Ryan Bates' CanCan (github, railscasts).

Yannis
Ah, I was wondering about that. Thanks.
Galen King
+3  A: 

I would create a helper in application_controller for current_user and remove the use of User.find.

The simplest way of creating an authorization is with a boolean flag (admin true/false). Other simple solutions are cancan, as mentioned by Yannis, or easy_roles; KISS is recommended to start with. You may implement the edit action like this:

def edit
  # Assign the result: the original looked the record up but never used it.
  # Admins may pick any user by id; everyone else gets their own record no
  # matter what params[:id] says, so the id is never trusted for them.
  # (is_admin? is the query method ActiveRecord generates for a boolean
  # column named is_admin.)
  @user = if current_user.is_admin?
            User.find(params[:id])
          else
            current_user
          end
end

application_controller.rb

# Devise already defines current_user (via devise_for :users), so this
# helper is only needed with Authlogic. There UserSession.find returns the
# session (nil when nobody is signed in) and .record the signed-in user.
def current_user
  return @current_user if defined?(@current_user)
  user_session = UserSession.find
  @current_user = user_session && user_session.record
end

To limit access by the user, like a user having his/her own tasks, do this:

def index
  # Go through the association instead of Task.all / Task.where: the rows
  # are already restricted to the signed-in user's own tasks.
  @tasks = current_user.tasks
end
Ole Morten Amundsen
Thanks, that's great.
Galen King
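The pattern the second answer describes (admin flag for the users table, association-scoped lookups for tables belonging to the user), as an added example that is not from the original answers. It is plain Ruby so it runs without Rails: hash lookups stand in for ActiveRecord (`User.find`, `current_user.tasks.find`), the `current_user` constructor argument stands in for Devise's helper, and the class, method and fixture names are assumptions. It also shows the unscoped lookup the answer tells you to remove, so the difference is visible on the same data.

```ruby
# Added example (not from the original answers): plain-Ruby sketch of the
# authorization pattern. Hash lookups stand in for ActiveRecord and the
# current_user argument for Devise's helper; all names are assumptions.

# Stand-in for ActiveRecord::RecordNotFound, which Rails renders as a 404.
class NotFound < StandardError; end

class User
  attr_reader :id, :email

  def initialize(id, email, admin: false)
    @id, @email, @admin = id, email, admin
  end

  # A boolean column `admin` gives ActiveRecord the query method admin?.
  def admin?
    @admin
  end

  # Equivalent of has_many :tasks: already restricted to this user's rows,
  # so anything found through it is owned by the user.
  def tasks
    TASKS.values.select { |t| t.user_id == id }
  end

  # current_user.tasks.find(id): a foreign id raises instead of leaking.
  def find_task(task_id)
    tasks.find { |t| t.id == task_id } || raise(NotFound, "Task #{task_id}")
  end
end

class Task
  attr_reader :id, :user_id, :title

  def initialize(id, user_id, title)
    @id, @user_id, @title = id, user_id, title
  end
end

# Constructed fixtures standing in for the users and tasks tables.
USERS = {
  1 => User.new(1, "admin@example.com", admin: true),
  2 => User.new(2, "alice@example.com"),
  3 => User.new(3, "bob@example.com"),
}.freeze
TASKS = {
  10 => Task.new(10, 2, "pay invoice"),
  11 => Task.new(11, 3, "rotate keys"),
}.freeze

# Stand-in for User.find(id).
def find_user(user_id)
  USERS.fetch(user_id) { raise NotFound, "User #{user_id}" }
end

class TasksController
  def initialize(current_user)
    @current_user = current_user
  end

  # Insecure: Task.find(params[:id]) trusts a client-supplied id, so any
  # signed-in user can read any task by guessing ids.
  def show_unscoped(params)
    TASKS.fetch(params[:id]) { raise NotFound, "Task #{params[:id]}" }
  end

  # Secure: the lookup goes through the owner's association, so an id that
  # belongs to someone else is simply not found.
  def show(params)
    @current_user.find_task(params[:id])
  end

  def index
    @current_user.tasks
  end
end

class UsersController
  def initialize(current_user)
    @current_user = current_user
  end

  # Admins may edit any user; everyone else edits only themselves, and for
  # them params[:id] is ignored rather than trusted and compared.
  def edit(params)
    @current_user.admin? ? find_user(params[:id]) : @current_user
  end
end
```

Run it as a script and call, for instance, `TasksController.new(USERS[2]).show(id: 11)`: Alice gets `NotFound` for Bob's task through the scoped action but the task itself through `show_unscoped`, which is exactly the leak that dropping the global `find` closes.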