Cancan + Devise => User Edit leads to wrong session

[ishouvik]

I have CanCan and Devise on my Rails 4.1 app and everything works great except for one thing.

I have defined a role :admin that basically can :manage :all including profiles of other users. After using CanCan, whenever the admin user edits someone else's profile, the session is changed to that other profile i.e. if admin updates the profile of a user test1, after the update admin is logged in as test1.

I am not sure what causes this unintended session hijack and how to prevent that. Any help regarding this issue will be greatly appreciated.

Regards, Shouvik

[xhoy]

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013. Since only Ryan himself has commit permissions, the CanCan project is on a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!