Skip to content
dznz edited this page Apr 18, 2012 · 8 revisions

When you define a user's abilities for a given model, you are not restricted to the 7 RESTful actions (create, update, destroy, etc.), you can create your own.

For example, in Role Based Authorization I showed you how to define separate roles for a given user. However, you don't want all users to be able to assign roles, only admins. How do you set these fine-grained controls? Well you need to come up with a new action name. Let's call it assign_roles.

# in models/ability.rb
can :assign_roles, User if user.admin?

We can then check if the user has permission to assign roles when displaying the role checkboxes and assigning them.

<!-- users/_form.html.erb -->
<% if can? :assign_roles, @user %>
  <!-- role checkboxes go here -->
<% end %>
# users_controller.rb
def update
  authorize! :assign_roles, @user if params[:user][:assign_roles]
  # ...
end

Now only admins will be able to assign roles to users.

You may want to check out trusted-params for a convenient way to handle permissions on specific attributes in the controller.