I am setting up admin_users, which belong to the Client class (a Client is a company). Thus, a client has many administrators.
I am trying to restrict access to records that belong to a specific client. I don't want customers to view other customers' data. So I installed this, but it seems to do nothing ...
```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= AdminUser.new
    if user.role == "administrator"
      can :manage, :all
    else
      cannot :create, :all
      cannot :update, :all
      cannot :destroy, :all
      can :read, Shipment do |shipment|
        shipment.customer == user.customer
      end
    end
  end
end
```
And I have this in shipments.rb ...

```ruby
ActiveAdmin.register Shipment do
  menu :if => proc { can?(:read, Shipment) }, :priority => 1
  controller.authorize_resource

  index do
    column "File #", :sortable => :file_number do |shipment|
      link_to shipment.file_number, admin_shipment_path(shipment)
    end
    # [... more columns ...]
    default_actions if can? :manage, Shipment
  end

  show :title => :file_number do
    panel "Shipment Details" do
      attributes_table_for shipment do
        row("File number") { shipment.file_number }
        row("Mode") { shipment.mode }
        row("Ocean Rate") { number_to_currency shipment.ocean_rate }
        row("Customer") { link_to shipment.customer.company_name, admin_customer_path(shipment.customer) }
        row("Shipper") { link_to shipment.shipper.company_name, admin_shipper_path(shipment.shipper) }
        row("Broker") { link_to shipment.broker.company_name, admin_broker_path(shipment.broker) }
      end
    end
    # [...more show action stuff...]
  end
end
```
So all the items are displayed on the index page, and if I am logged in as client A and click on a shipment of client B, I can see it, but it should block me.
More details ...
```ruby
# shipments_controller.rb
class ShipmentsController < InheritedResources::Base
  before_filter :authenticate_admin_user!
end
```
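The behaviour described in the question, as an added example that is not part of the question nor code from CanCan or ActiveAdmin: a small Ruby stand-in modelling CanCan's documented semantics, showing that a block-based `can :read` rule passes the class-level check that `authorize_resource` makes on `index` but cannot be turned into a collection filter, while a hash-condition rule passes the per-record check and filters the collection. `DemoAbility` and the `Customer`/`Shipment` structs are constructed for this demonstration.

```ruby
# Added example (not from the question): a stand-in modelling CanCan's documented
# behaviour for the two rule styles. Customer/Shipment are constructed Structs.
Customer = Struct.new(:id, :company_name)
Shipment = Struct.new(:id, :file_number, :customer)

class DemoAbility
  def initialize
    @rules = [] # each rule: [subject_class, conditions_hash, block]
  end

  def can(subject, conditions = nil, &block)
    @rules << [subject, conditions, block]
  end

  # Class-level check, what `can?(:read, Shipment)` and `authorize_resource`
  # run on `index`: any matching rule passes and its block is never called.
  def can_read_class?(klass)
    @rules.any? { |subject, _, _| klass <= subject }
  end

  # Per-record check, what `authorize_resource` runs on `show` once the
  # record itself (not just its class) is handed to it.
  def can_read?(record)
    @rules.any? do |subject, conds, block|
      next false unless record.is_a?(subject)
      block ? block.call(record) : (conds || {}).all? { |k, v| record.send(k) == v }
    end
  end

  # Collection filter, the job `accessible_by` / `scoped_collection` does for
  # `index`. A Ruby block cannot become a query, so it raises (as CanCan does);
  # hash conditions can. In a real app use a column such as
  # `customer_id: user.customer_id` (assumed schema) so the query is buildable.
  def readable(records)
    records.select do |r|
      @rules.any? do |subject, conds, block|
        raise ArgumentError, "block rule cannot filter a collection" if block
        r.is_a?(subject) && (conds || {}).all? { |k, v| r.send(k) == v }
      end
    end
  end
end
# Question's style (block rule) beside the hardened style (hash condition).
def block_ability(customer)
  DemoAbility.new.tap { |a| a.can(Shipment) { |s| s.customer == customer } }
end
def hash_ability(customer)
  DemoAbility.new.tap { |a| a.can(Shipment, customer: customer) }
end
```

With the hash-condition style, scoping the ActiveAdmin index through `scoped_collection` (or `accessible_by`) is what keeps client B's shipments off client A's index page.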