Protecting user privacy with CanCan

Hi all. I'm using CanCan for my app authorization and need to know how to protect privacy between users.

Say I have the following three users:

Alice Bob Charlie

Alice is an admin and should be able manage everything. Bob and Charlie are regular users and should be prevented from getting the index of users, and only be able to manage their own record. For example Bob should not be able to directly access any information about Charlie nor Alice.

class Ability   include CanCan::Ability

  def initialize(user)     user ||= # guest user (not logged in)     if user.admin?       can :manage, :all     else       can :read, :all     end   end end

Obviously these "default" abilities are not sufficient. Anyone could get the "index" of users or the "show" of any user. I need to restrict non-admins to the "show", "edit" & "update" of themselves, but have no access to anyone else.

I'm just not sure how to define these abilities.