Cancan restricting access to users when it shouldn't (Ruby on Rails)

Question

I'm having problems with allowing admin users only to see and edit the users he created. I have a tiered system: SuperUser > Admin > other users My SuperUser can edit all users, but my Admin user can only edit himself. To try to fix this, I have a creator_id parameter that gives a creator_id to the new user that matches the id of the current user.

My controller for users:

class UsersController < ApplicationController
  #CanCan resource will generate a 500 error if unauthorized
  load_and_authorize_resource :user
  # GET /users
  # GET /users.json
  def index
    @users = User.all

    respond_to do |format|
      format.html # index.html.erb
      format.json { render json: @users }
    end
  end

  # GET /users/1
  # GET /users/1.json
  def show
    @user = User.find(params[:id])

    respond_to do |format|
      format.html # show.html.erb
      format.json { render json: @user }
    end
  end

  # GET /users/new
  # GET /users/new.json
  def new
    @user = User.new

    respond_to do |format|
      format.html # new.html.erb
      format.json { render json: @user }
    end
  end

  # GET /users/1/edit
  def edit
    @user = User.find(params[:id])
    #User.find(session[:user])
  end

  # POST /users
  # POST /users.json
  def create
    @user = User.new(params[:user])
    @user.creator = current_user

    respond_to do |format|
      if @user.save
        format.html { redirect_to @user, notice: 'Registration successful.' }
        format.json { render json: @user, status: :created, location: @user }
      else
        format.html { render action: "new" }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

  # PUT /users/1
  # PUT /users/1.json
  def update
    @user = User.find(params[:id])
    #@user = current_user

    respond_to do |format|
      if @user.update_attributes(params[:user])
        format.html { redirect_to @user, notice: 'Successfully updated profile.' }
        format.json { head :no_content }
      else
        format.html { render action: "edit" }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /users/1
  # DELETE /users/1.json
  def destroy
    @user = User.find(params[:id])
    @user.destroy

    respond_to do |format|
      format.html { redirect_to users_url }
      format.json { head :no_content }
    end
  end
end

and my ability.rb file:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new  #Guest user w/o account

    #Permissions on what pages can be seen by which users, and what
    #Users can do with those pages
    if user.status == "Super User" 
      can :manage, :all
    elsif user.status == "Admin"
      can :manage, Book             
      can [:create,:new], User      
      can [:show, :update], User, :id => user.id 
      can :manage, User, :creator_id => user.id
    end
  end
end

I did check the database, and it correctly assigns the current user's id to the creator_id of the new user. I'm just stuck. Cancan keeps denying the permission of updating those users and I'm not sure why. Any help is appreciated!

EDIT

My user model:

 class User < ActiveRecord::Base has_many :books has_many :listings has_many :orders belongs_to :organizations belongs_to :creator, class_name: 'User' attr_accessible :password, :email, :first_name, :last_name, :password_confirmation, :status, :username acts_as_authentic validates :first_name, :presence => true validates :last_name, :presence => true validates :username, :presence => true, :uniqueness => true validates :email, :presence => true, :uniqueness => true validates :status, :presence => true end 

Answer 1

Okay just reading your question again it looks like you want an administrator to have authoritative access to manage a user. In this case you could define something fairly similar in your application_controller

def correct_user
    if !params[:id].nil?
      @user.User.find_by_id(params[:id])
      if current_user.status :admin
        else
        access_denied unless current_user?(@user)
      end
    end
  end

What this does is allows an administrator to have access to all users accounts and if the user is not an administrator then they are denied access. You can enable this feature using the before_filter in your controllers so that you could do something like before_filter :correct_user, :only => [:edit, :show] this means that only the correct user can have access to these actions. So should you have a UserController like the following maybe:

class UsersController < ApplicationController
  load_and_authorize_resource
  before_filter :correct_user, :only => [:edit, :show]
  ..
  ....
   .....
end 

This example shows that as a correct user or an admin will have access to edit and show actions.

Answer 2

Try this.

def initialize(user)
  user ||= User.new

  if user.super_user?
    can :manage, :all
  elsif user.admin?
    can [:create, :new], User
    can [:show, :edit, :update], User do |usr|
      id == usr.id
    end
    can :manage, User do |usr|
      usr.creator_id == usr.id
    end
  end
end

In user model, add methods:

def has_status?(given_status)
  status == given_status
end

def admin?
  has_status? 'Admin'
end

def super_user?
  has_status? 'Super User'
end