
Rails and Sorcery gem and user permissions on content editing

I am experimenting with Sorcery and Rails 4 and I am struggling to understand how to prevent users from editing or destroying content which does not belong to them. Say I have a blog post and somewhere a panel which is like

<%# Sorcery's helper is logged_in?; edit_post_path needs the post as its argument %>
<% if logged_in? %>
  <ul>
    <li><%= link_to "edit", edit_post_path(@post) %></li>
    <li><%= link_to "destroy", @post, method: :delete %></li>
  </ul>
<% end %>

Of course users who are logged out can't see these controls, but whoever's logged in can delete or edit the post freely.

Sorcery is for "authentication", but the problem you face is "authorization". These two are different concepts.

"authentication" is to identify who this user is, but it can't judge what he can do.

"authorization" can do nothing without "authentication", but its job is different. It can judge if this user can do something.

So your problem falls into the area of "authorization"; this is not Sorcery's job.

Instead you can use CanCan or another gem for authorization.

Sample code

# app/models/ability.rb
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in) has no id
    # Can delete and edit his own post
    can :manage, Post, user_id: user.id
  end
end

You can check CanCan for details: https://github.com/ryanb/cancan
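To make the point of the answer concrete, here is an added example (not code from the answer, from the question's app, or from the CanCan gem) that models the CanCan Ability pattern in plain Ruby so it runs without Rails. The names `User`, `Post`, `Ability` and `PostsController` are assumed to mirror the question's app, and the small rule engine is a simplified stand-in for CanCan's `can`/`can?`/`authorize!`. The security point it shows: hiding the links in the view changes nothing about who can perform the action; the ownership check has to run in the controller, where a request from any logged-in user is refused unless a rule matches.

```ruby
# Constructed stand-in for the CanCan Ability pattern, plain Ruby only.
# Model and controller names are assumptions mirroring the question's app.
User = Struct.new(:id)
Post = Struct.new(:id, :user_id, :title)

class AccessDenied < StandardError; end

class Ability
  # Each rule is [action, subject class, attribute conditions].
  # :manage stands for "any action", as in CanCan.
  def initialize(user)
    @rules = []
    user ||= User.new(nil) # guest: no id, so no ownership rule is granted
    # Owners may do anything to their own posts
    can :manage, Post, user_id: user.id if user.id
    # Anyone, including guests, may read posts
    can :read, Post
  end

  def can(action, subject_class, conditions = {})
    @rules << [action, subject_class, conditions]
  end

  # True if some rule matches the action, the subject's class and every
  # attribute condition (e.g. post.user_id == current_user.id).
  def can?(action, subject)
    @rules.any? do |rule_action, klass, conditions|
      next false unless subject.is_a?(klass)
      next false unless rule_action == :manage || rule_action == action
      conditions.all? { |attr, value| subject.public_send(attr) == value }
    end
  end

  def authorize!(action, subject)
    raise AccessDenied, "cannot #{action} #{subject.class}" unless can?(action, subject)
  end
end

# Controller-like object: the check runs here on every request, regardless of
# which links the view happened to render for this user.
class PostsController
  def initialize(current_user, posts)
    @current_user = current_user
    @posts = posts
  end

  def destroy(post_id)
    post = @posts.fetch(post_id)
    Ability.new(@current_user).authorize!(:destroy, post)
    @posts.delete(post_id)
    :deleted
  end
end

# Walk through the scenario from the question with constructed data:
# the owner succeeds, another logged-in user is refused, a guest can only read.
def demo
  alice = User.new(1)
  bob = User.new(2)
  posts = { 10 => Post.new(10, 1, "alice's post"), 11 => Post.new(11, 2, "bob's post") }

  results = {}
  results[:owner_destroys_own] = PostsController.new(alice, posts.dup).destroy(10)
  begin
    PostsController.new(bob, posts.dup).destroy(10)
    results[:other_user_destroys] = :deleted
  rescue AccessDenied
    results[:other_user_destroys] = :denied
  end
  results[:guest_can_read] = Ability.new(nil).can?(:read, posts[10])
  results[:guest_can_edit] = Ability.new(nil).can?(:edit, posts[10])
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real Rails app the equivalent of `authorize!` would be called from the controller action (or via CanCan's `load_and_authorize_resource`), and the view's `can? :destroy, @post` check would merely decide whether to show the link; the controller check is the one that actually protects the data.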
