I have a basic authorization class in a Rails application which looks like this:
    class Ability
      include CanCan::Ability

      def initialize(user)
        if user
          can :access, :rails_admin # only allow admin users to access Rails Admin
          can :dashboard
          if user.admin?
            can :manage, :all
          else
            can :manage, [Agreement, Attachment, Contact, Deadline, Event, Image, Photo, Project, Submission, Talk]
            can :update, User, id: user.id
          end
        end
        # Current user cannot delete his account
        cannot :destroy, User, id: user.id
      end
    end
Now, I get an unauthorized error when trying to access the dashboard with a simple user, but once I put can :manage, :all for a simple user condition it is mysteriously let through and sees the dashboard.

What does :manage, :all have that :manage, [All_my_tables] does not, and why is my user not let in this way?
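Added example (not from the post or from CanCan itself): a simplified model of CanCan-style rule matching that reproduces the two rule sets above for a non-admin user. It shows that :all matches every subject, so with can :manage, :all the trailing cannot is the only restriction left, whereas the explicit class list grants nothing on models it does not name. Hash conditions, blocks and aliases other than :manage are left out, and Agreement and User are stand-in models.

```ruby
# Stand-in models for the application's own classes.
Agreement = Struct.new(:id)
User      = Struct.new(:id, :admin)

class MiniAbility
  Rule = Struct.new(:base_behavior, :actions, :subjects)

  def initialize
    @rules = []
  end

  # `can :dashboard` has no subject; nil is kept so a subject-less check matches it.
  def can(action, subject = nil)    ; add(true,  action, subject) ; end
  def cannot(action, subject = nil) ; add(false, action, subject) ; end

  # Later rules win, as in CanCan: a `cannot` after a `can` revokes it.
  def can?(action, subject = nil)
    rule = @rules.reverse.find { |r| matches?(r, action, subject) }
    rule ? rule.base_behavior : false
  end

  private

  def add(behavior, action, subject)
    @rules << Rule.new(behavior, Array(action), subject.is_a?(Array) ? subject : [subject])
  end

  def matches?(rule, action, subject)
    action_ok  = rule.actions.include?(:manage) || rule.actions.include?(action)
    # :all matches any subject; a class matches itself or its instances.
    subject_ok = rule.subjects.include?(:all) || rule.subjects.include?(subject) ||
                 rule.subjects.any? { |s| s.is_a?(Class) && subject.is_a?(s) }
    action_ok && subject_ok
  end
end

# Non-admin branch of the post's Ability (hash condition id: user.id omitted here).
def list_ability
  a = MiniAbility.new
  a.can :dashboard
  a.can :manage, [Agreement]
  a.can :update, User
  a.cannot :destroy, User
  a
end

# The same user with can :manage, :all instead of the class list.
def manage_all_ability
  a = MiniAbility.new
  a.can :dashboard
  a.can :manage, :all
  a.cannot :destroy, User
  a
end
```

With the class list, can?(:read, User) is false because no rule names that action on that model; with :all it is true, and only the later cannot :destroy, User still denies anything.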