Check if current_user is the owner of a resource and allow edit/delete actions

Check this railscasts,

http://railscasts.com/episodes/192-authorization-with-cancan

Complications you will run into,

  1. When you want cancan authorization on User Model that Devise gem is using for authentication

  2. When you want to store your Roles in the Database

  3. When you want to assign Permissions to the Roles as an Admin from the webUI

  4. and more ..

Please comment if you want any of those features, I will be happy to help, because I recently did them with great help from others and its always amazing to pass it on.

A sample Ability for your resources can be like as follows,

class Ability
  include CanCan::Ability

  def initialize(user)

      user ||= User.new # guest users
      send(user.role.name)

        if user.role.blank?
          can :read, User #for guest without roles
        end

  end

  def man
    can :manage, Photo
  end


  def boy
    can :read, Photo
  end

  def kid
    can :read, Article
  end

end

In your PhotosController:

before_filter :require_permission, only: :edit

def require_permission
  if current_user != Photo.find(params[:id]).user
    redirect_to root_path
    #Or do something else here
  end
end

You can make use of Rails' associations and write it like this:

def edit
  @photo = current_user.photos.find(params[:id])

  # ... do everything else
end

This will only find a record when the photo with the supplied ID belongs to the current user. If it doesn't, Rails will raise a ActiveRecord::RecordNotFound exception.

Of course, I'm assuming the current_user method is available and your User model contains the statement has_many :photos.


I captured the exception from within a before_filter action:

before_action :set_photo, only: [:edit, :update, :destroy]

def set_photo
  @photo = current_user.photos.find(params[:id])

  rescue ActiveRecord::RecordNotFound
    redirect_to(root_url, :notice => 'Record not found')
end

Hope this helps someone. I'm using Rails 4 and Ruby 2.