Closed noorhammad closed 8 years ago
Solved my own problem: you have to pass an instance to authorize!
Working code (Project controller):

```ruby
def edit
  # @project is the loaded record; authorize the instance, not the Project class
  authorize! :edit, @project
end
```

Notice `@project`, not `Project`.
```ruby
can can [:new, :create, :edit, :update, :destroy], Project
```

This also looks invalid, notice the two `can`s.
@pokonski just a typo here, wasn't in my code thankfully :+1:
Cool :dancer:
These seem like rather bad defaults: if there is no explicit policy for `authorize! :edit, Project`,
then it should throw an error and certainly not simply pass; otherwise it leaves holes in the authorization.
This is my policy:
In Project controller:
There is no restriction: my editor role is able to edit any project whether `project.user_id` matches `user.id` or not.
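To make the behaviour this thread turns on reproducible without Rails or the gem, here is an added example (not code from the issue, its authors, or CanCanCan itself): a small plain-Ruby stand-in that models the documented CanCan rule semantics, namely that a rule's hash of conditions (such as `user_id: user.id`) is evaluated only against an instance, and that a class-level check like `authorize! :edit, Project` ignores those conditions and passes whenever any instance could be authorized. The `User`, `Project`, `Ability` and `edit_with_*` names, the roles, and the sample records are assumptions for the demo. It covers both the instance-vs-class fix from the first comment and the "editor can edit any project" hole from the last one.

```ruby
# Added example: a minimal model of CanCan's documented authorization semantics,
# not the gem's own code. Names (User, Project, Ability, edit_with_*) and the
# sample data are assumptions constructed for this demo.

class AccessDenied < StandardError; end

User    = Struct.new(:id, :role)      # assumed minimal user model
Project = Struct.new(:id, :user_id)   # assumed minimal project model

class Ability
  Rule = Struct.new(:action, :subject_class, :conditions)

  def initialize(user)
    @rules = []
    user ||= User.new(nil, :guest)
    case user.role
    when :admin
      can :manage, Project                              # unconditional
    when :editor
      can [:edit, :update], Project, user_id: user.id   # only the editor's own projects
    end
    can :read, Project                                  # everyone may read
  end

  def can(actions, subject_class, conditions = {})
    Array(actions).each { |a| @rules << Rule.new(a, subject_class, conditions) }
  end

  # True if any rule grants `action` on `subject` (a class or an instance).
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule|
      next false unless [action, :manage].include?(rule.action)
      next false unless rule.subject_class == klass
      # Class-level check: conditions are ignored, so it passes if *some*
      # instance could be authorized. This is the hole the thread complains about.
      # Instance check: every condition must match the record's attributes.
      subject.is_a?(Class) ||
        rule.conditions.all? { |attr, value| value === subject.public_send(attr) }
    end
  end

  def authorize!(action, subject)
    raise AccessDenied, "cannot #{action} #{subject.inspect}" unless can?(action, subject)
    subject
  end
end

# The two controller variants from the thread, as plain functions.
# Broken: authorizes the class, so any editor passes regardless of owner.
def edit_with_class_check(ability, project)
  ability.authorize!(:edit, Project)
  project
end

# Fixed: authorizes the loaded instance, so the user_id condition is enforced.
def edit_with_instance_check(ability, project)
  ability.authorize!(:edit, project)
  project
end

if __FILE__ == $PROGRAM_NAME
  editor  = User.new(1, :editor)
  theirs  = Project.new(11, 2)          # owned by someone else
  ability = Ability.new(editor)
  [[:class, method(:edit_with_class_check)],
   [:instance, method(:edit_with_instance_check)]].each do |name, action|
    result = begin action.call(ability, theirs); "allowed"; rescue AccessDenied; "denied" end
    puts "#{name} check on another user's project: #{result}"
  end
end
```

Run it and the class-level variant reports "allowed" for a project the editor does not own while the instance variant reports "denied"; that difference is exactly why `authorize! :edit, @project` fixes the reporter's controller, and why the later commenter sees no restriction at all when the class is passed.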