Hi all. I'm using CanCan for my app authorization and need to know how to protect privacy between users.
Say I have the following three users:
Alice Bob Charlie
Alice is an admin and should be able manage everything. Bob and Charlie are regular users and should be prevented from getting the index of users, and only be able to manage their own record. For example Bob should not be able to directly access any information about Charlie nor Alice.
class Ability include CanCan::Ability
def initialize(user) user ||= User.new # guest user (not logged in) if user.admin? can :manage, :all else can :read, :all end end end
Obviously these "default" abilities are not sufficient. Anyone could get the "index" of users or the "show" of any user. I need to restrict non-admins to the "show", "edit" & "update" of themselves, but have no access to anyone else.
I'm just not sure how to define these abilities.