Devise + CanCan just prevent other users from editing objects

How would you prevent other users from editing a object, say a profile object that does - not - belong to themselves?

Most online examples are complexes with multiple user roles, i haven't been able to get this working, must be simple though:

  def initialize(user)

      can :update, Profile do |profile|
        profile.try(:user) == current_user


And inside my ProfilesController#edit

authorize! :update, @profile


First question is, have you made your roles for the User?


class User < ActiveRecord::Base
  attr_accessible :email, :password, :remember_me
  devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, # regular devise stuff
  before_create :setup_default_role_for_new_users

  ROLES = %w[admin default banned]


  def setup_default_role_for_new_users
    if self.role.blank?
      self.role = "default"

As you can see I have 3 different roles here and when a new user is created they are always default users. Now with CanCan set up, lets say you wanted to have the admin be able to do everything, the default users be able to do everything with their own profiles, banned users cannot do anything and guest users be able to see profiles:

class Ability
  include CanCan::Ability
  # Remember that CanCan is for a resource, meaning it must have a class(model).

  def initialize(user)
    user ||= # guest user (not logged in)

    if user.role == "admin"
      can :manage, :all
    elsif user.role == "default"
      can :manage, Profile, :user_id =>
    elsif user.role == "banned"
      cannot :manage, :all
      can :read, Profile # guest user

So that's how you let users edit only their own profiles and nobody elses.

Some other handy notes: Make sure you have a user_id column in your Profile table. Also if you may need to let guess users see profiles like this:

class ProfileController < ApplicationController
    before_filter :authenticate_user!, :except => :show

They won't be able to use any other action and CanCan still checks authentication on everything else except show.

Good luck!

UPDATE: Making :role attribute for Users

What I did was run a migration that would add the role column to the Devise users table:

rails generate migration add_role_to_users role:string

And then rake db:migrate. The new migration file should look like this and also check your db/schema.rb file to make sure its apart of the users table correctly. If it isn't then rake db:drop, then rake db:create and then rake db:migrate again.

class AddRoleToUsers < ActiveRecord::Migration
  def self.up
    add_column :users, :role, :string

  def self.down
    remove_column :users, :role

This is how you successfully make the user.role work.

Note: Make sure you leave the line: can :manage, Profile, :user_id => as is with no changes. It should work after adding the role column to user.

IMPORTANT! If you use Rails 3, DO NOT MAKE role attr_accessible or everyone can edit their roles! Rails 4 uses Strong Parameters by default and is not affected by this issue as you can choose the allowed parameters.

Need Your Help

Can not access memory card on HTC ONE V

android videoview android-video-player

I am developing and testing a simple video player example in Android. Code is given below:

jQuery mobile swipe should not work on desktop

html twitter-bootstrap jquery-mobile twitter-bootstrap-3 carousel

I'm using Bootstrap's (3.3.5) Carousel to show a Slider on a page. Code is pretty simple and standard: