Setting CanCan ability.rb model

I successfully made a login system with Devise and CanCan, and I have 3 types of users: admin, internal and global users. I created controllers and index actions: Admin, Cpanel, Report and State, and I want to restrict access to these controllers for some users.

Admin user should have privileges to access: Reports (all), State (read), Admin (all)

Global user should have privileges to access: Reports (only read), State (read), Cpanel (all)

Internal user should have privileges to access: Reports (all), State (read)

And I tried to do this with the following code in ability.rb:

    class Ability
      include CanCan::Ability

      def initialize(user)
        user ||= User.new # guest user (not logged in)

        if user.role? :admin
          can :manage, [Report, Admin]
          can :read, State
        elsif user.role? :global_user
          can :read, [Report, State]
          can :manage, Cpanel
        elsif user.role? :internal_user
          can :manage, Report
          can :read, State
        end
      end
    end

At this time I have only index actions in these controllers, and when I log in to the app with an internal user I CAN access /admin, for example, and that is not the behavior that I want. I want to restrict access to all controllers instead of the controllers listed in the ability.rb class.

Source code is here: http://cl.ly/2E292R2m2B0X141q3C0S

This is not a question for the rails-core mailing list.
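
Rules defined in an Ability class restrict nothing by themselves; in CanCan they take effect only where a controller asks, through `authorize!`, `authorize_resource` or `load_and_authorize_resource`. The sketch below is an added example, not code from the original post or from the CanCan gem: a plain-Ruby stand-in that evaluates the role matrix from the question with default deny and shows the check each action has to run. `DemoUser`, `DemoAbility` and `guard` are hypothetical names, and controllers are represented by symbols.

```ruby
# Added example: plain-Ruby stand-in for CanCan's rule evaluation (not the gem itself).
class AccessDenied < StandardError; end

# Constructed user object; the role names are the ones from the question.
DemoUser = Struct.new(:role) do
  def role?(name); role == name; end
end

class DemoAbility
  READ_ACTIONS = [:index, :show].freeze # what :read covers in this sketch
  def initialize(user)
    user ||= DemoUser.new(nil) # guest: no rules at all
    @rules = []
    if user.role? :admin
      can :manage, [:report, :admin]
      can :read, :state
    elsif user.role? :global_user
      can :read, [:report, :state]
      can :manage, :cpanel
    elsif user.role? :internal_user
      can :manage, :report
      can :read, :state
    end
  end

  def can(action, subjects)
    Array(subjects).each { |s| @rules << [action, s] }
  end

  # Default deny: true only when some rule matches the action and subject.
  def can?(action, subject)
    @rules.any? do |rule_action, rule_subject|
      next false unless rule_subject == subject
      rule_action == :manage || rule_action == action ||
        (rule_action == :read && READ_ACTIONS.include?(action))
    end
  end

  # The step every controller action has to perform before doing any work.
  def authorize!(action, subject)
    raise AccessDenied, "#{action} on #{subject} denied" unless can?(action, subject)
    true
  end
end

# What a before-filter on a controller would do for the current request.
def guard(role, action, controller)
  DemoAbility.new(DemoUser.new(role)).authorize!(action, controller)
rescue AccessDenied
  false
end
```

A controller that never runs the equivalent of `guard` serves every logged-in user, whatever the rule table says.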