
Using Devise in Rails 4, how do I allow users to edit only their own comments?

I'm confused with how to use Devise's current_user helper in my views and controllers. Do I need to do a migration to add user_id in my database tables? Do I need to do something with the sessions controller?

Here is my routes file:

  devise_for :users

  resources :groups, shallow: true do
    resources :ideas do
      resources :comments
    end
  end

Sign in / sign up etc. is working fine. I would like to allow users to edit only the ideas and comments that they created.

Do I need to add a helper method to my application controller, for example:

  # Note: Devise already defines current_user (and authenticate_user!) for
  # the :users model, so this manual session lookup is not needed with Devise.
  def current_user
    @current_user ||= User.find(session[:user_id]) if session[:user_id]
  end

  helper_method :current_user

Then, in theory, I should be able to do the following?

   <% if current_user %>
       <%= link_to 'Edit', edit_idea_path(@idea) %>
   <% end %>

And then I guess I also need to update my controller edit action with current_user? E.g.:

    # assumes User has_many :comments; the association name is plural
    @comment = current_user.comments.find(params[:id])

I think what you are trying to do is:

  <% if current_user.id == @idea.user.id %>
       <%= link_to 'Edit', edit_idea_path(@idea) %>
  <% end %>
<% if current_user.id == @idea.user.id %>
   <%= link_to 'Edit', edit_idea_path(@idea) %>
<% end %>

Would kinda work, but it is about as secure as an unlocked door. It doesn't explicitly prevent a user from going to /idea/5/edit and making those changes (even if they didn't create/own idea 5). As mentioned above: either use CanCan or roll your own solution in the controller on the :update method.
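The point of this answer, as an added example that is not part of the original thread: hiding the Edit link in the view is cosmetic, and the real check belongs in the controller, where scoping the lookup through `current_user.ideas` (the `has_many` association) makes a crafted request for someone else's record raise `ActiveRecord::RecordNotFound` (a 404) instead of editing it. Rails is not loaded here, so the `User`/`Idea` structs, the in-memory `IDEAS` store, `find_owned_idea` and the `IdeasController` class are stand-ins for the model, the association and a real controller; the sample users and ideas are constructed data.

```ruby
# Stand-ins for the ActiveRecord models (User has_many :ideas, Idea belongs_to :user).
User = Struct.new(:id, :email)
Idea = Struct.new(:id, :user_id, :title)

# ActiveRecord::RecordNotFound is what current_user.ideas.find raises in Rails;
# Rails turns it into a 404 response.
class RecordNotFound < StandardError; end

# Constructed sample data: two users, two ideas, each owned by one user.
USERS = {
  1 => User.new(1, "alice@example.com"),
  2 => User.new(2, "bob@example.com"),
}
IDEAS = {
  5 => Idea.new(5, 1, "Alice's idea"),
  6 => Idea.new(6, 2, "Bob's idea"),
}

# Equivalent of the `current_user.ideas` association: only records whose
# user_id matches the signed-in user are visible through this scope.
def owned_ideas(user)
  IDEAS.values.select { |idea| idea.user_id == user.id }
end

# Equivalent of `current_user.ideas.find(params[:id])`: the lookup is
# scoped by owner, so an id that exists but belongs to someone else is
# "not found" rather than returned.
def find_owned_idea(user, id)
  owned_ideas(user).find { |idea| idea.id == id } or raise RecordNotFound, "Idea #{id}"
end

# The view-side check from the answer. It decides whether to render the
# link, nothing more; anyone can still type the edit URL by hand.
def show_edit_link?(current_user, idea)
  current_user.id == idea.user_id
end

# Hypothetical controller mirroring what a Rails IdeasController would do with
#   before_action :authenticate_user!
#   before_action :set_idea, only: [:edit, :update]
class IdeasController
  attr_reader :status, :idea

  # current_user is what Devise supplies; params comes from the route/form.
  def initialize(current_user, params)
    @current_user = current_user
    @params = params
    @status = nil
  end

  # before_action :set_idea -- the ownership check lives here, not in the view.
  def set_idea
    @idea = find_owned_idea(@current_user, @params[:id])
  rescue RecordNotFound
    @status = 404          # Rails would render the 404 page here
    nil
  end

  # PUT/PATCH /ideas/:id
  def update
    return @status if set_idea.nil?   # not the owner: nothing is changed
    @idea.title = @params[:title]
    @status = 302                     # redirect_to @idea on success
  end
end
```

In a real app the same pattern applies to comments (`current_user.comments.find(params[:id])` in a `set_comment` before_action for `edit`, `update` and `destroy`); CanCan/CanCanCan packages exactly this kind of rule so the view and controller share one definition of "can edit".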
