  1. Rails 3 ActiveAdmin CanCan. How to set up that User should only see records that belong to him?

<p>I set up admin_users that belong to a customer class (Customer is a company). So Customer has many admin_users.</p>

<p>I'm trying to restrict access to Shipment records that belong to a certain customer. I don't want customers watching other customers' data. So I set this up but it seems to do nothing...</p>

<pre><code>class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= AdminUser.new
    if user.role == "administrator"
      can :manage, :all
    else
      cannot :create, :all
      cannot :update, :all
      cannot :destroy, :all
      can :read, Shipment do |shipment|
        shipment.customer == user.customer
      end
    end
  end
end
</code></pre>

<p>And I do have this in shipments.rb ...</p>

<pre><code>ActiveAdmin.register Shipment do
  menu :if =&gt; proc{ can?(:read, Shipment) }, :priority =&gt; 1
  controller.authorize_resource

  index do
    column "File #", :sortable =&gt; :file_number do |shipment|
      link_to shipment.file_number, admin_shipment_path(shipment)
    end
    [... more columns ...]
    default_actions if can? :manage, Shipment
  end

  show :title =&gt; :file_number do
    panel "Shipment Details" do
      attributes_table_for shipment do
        row("File number") {shipment.file_number}
        row("Mode") {shipment.mode}
        row("Ocean Rate") { number_to_currency shipment.ocean_rate}
        row("Customer") { link_to shipment.customer.company_name, admin_customer_path(shipment.customer)}
        row("Shipper") { link_to shipment.shipper.company_name, admin_shipper_path(shipment.shipper)}
        row("Broker") { link_to shipment.broker.company_name, admin_broker_path(shipment.broker)}
      end
    end
    [...more show action stuff...]
</code></pre>

<p>So in the index page, all shipments get displayed and if I'm logged in as Customer A and click on Customer B's shipment I can see it, but it's supposed to block me.</p>

<p>More info...</p>

<pre><code># shipments_controller.rb
class ShipmentsController &lt; InheritedResources::Base
  before_filter :authenticate_admin_user!
end
</code></pre>
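Added example, not part of the original post and not CanCan's own code: a plain-Ruby stand-in (`MiniAbility`, the helper names and the sample data are hypothetical) for the rule in the question. CanCan documents that a block condition is evaluated only when a record is supplied, so a check made against the `Shipment` class passes for every user; the example contrasts that with per-record and per-collection checks.

```ruby
# Constructed stand-ins for the page's models; no Rails or CanCan gem required.
Customer  = Struct.new(:name)
AdminUser = Struct.new(:role, :customer)
Shipment  = Struct.new(:file_number, :customer)

# Simplified model of block-condition rules (hypothetical, not CanCan's code).
class MiniAbility
  def initialize(user)
    # Same read rules as the question's Ability class: [action, class, block].
    @rules =
      if user.role == "administrator"
        [[:read, Shipment, nil]]
      else
        [[:read, Shipment, ->(shipment) { shipment.customer == user.customer }]]
      end
  end

  # subject is either the class (nothing loaded yet) or a loaded record.
  def can?(action, subject)
    given_class = subject.is_a?(Class)
    klass = given_class ? subject : subject.class
    @rules.any? do |rule_action, rule_class, block|
      next false unless rule_action == action && rule_class == klass
      # With only a class there is no record to hand to the block,
      # so the rule matches unconditionally.
      given_class || block.nil? || block.call(subject)
    end
  end
end

# What a before-filter decides when it runs before the record is loaded.
def class_level_allowed?(user)
  MiniAbility.new(user).can?(:read, Shipment)
end

# Per-record decision for the show page.
def record_allowed?(user, shipment)
  MiniAbility.new(user).can?(:read, shipment)
end

# Index listing restricted to the records the user may read.
def visible_shipments(user, shipments)
  ability = MiniAbility.new(user)
  shipments.select { |s| ability.can?(:read, s) }
end

# Constructed sample data: two customers, one shipment each.
CUSTOMER_A = Customer.new("A")
CUSTOMER_B = Customer.new("B")
USER_A     = AdminUser.new("customer", CUSTOMER_A)
SHIPMENTS  = [Shipment.new("F-100", CUSTOMER_A), Shipment.new("F-200", CUSTOMER_B)]
```

In CanCan itself, a hash condition such as `can :read, Shipment, :customer_id => user.customer_id` (assuming `customer_id` foreign keys on both tables) can also be turned into a query with `Shipment.accessible_by(ability)`, which a block condition cannot.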
 
