Rails 3 ActiveAdmin CanCan. How to setup that User should only see records that belong to him?

Asked 20/1, 2012 at 0:26 Answered 15/7, 2013 at 8:6

I setup admin_users that belongs to a customer class (Customer is a company). So Customer has many admin_users.

I'm trying to restrict access to Shipment records that belongs to a certain customer. I don't want customers watching other customers data. So I set this up but it seems to do nothing...

class Ability include CanCan::Ability

  def initialize(user)
    user ||= AdminUser.new       
    if user.role == "administrator"
        can :manage, :all
    else
      cannot :create, :all
      cannot :update, :all
      cannot :destroy, :all
      can :read, Shipment do |shipment|
        shipment.customer == user.customer
      end
    end
  end 
end

And I do have this in shipments.rb ...

ActiveAdmin.register Shipment do
  menu :if => proc{ can?(:read, Shipment) }, :priority => 1
  controller.authorize_resource

  index do
    column "File #", :sortable => :file_number do |shipment|
      link_to shipment.file_number, admin_shipment_path(shipment)
    end
    [... more columns ...]
    default_actions if can? :manage, Shipment
  end

  show :title => :file_number do
  panel "Shipment Details" do
  attributes_table_for shipment do
    row("File number") {shipment.file_number}
    row("Mode") {shipment.mode}
    row("Ocean Rate") { number_to_currency shipment.ocean_rate}
    row("Customer") { link_to shipment.customer.company_name, admin_customer_path(shipment.customer)}
    row("Shipper") { link_to shipment.shipper.company_name, admin_shipper_path(shipment.shipper)}
    row("Broker") { link_to shipment.broker.company_name, admin_broker_path(shipment.broker)}
  end
end

[...more show action stuff...]

So in the index page, all shipments get displayed and if I'm logged in as Customer A and click on Customer B's shipment I can see it, but it's supposed to block me.

More info...

shipments_controller.rb
class ShipmentsController < InheritedResources::Base
  before_filter :authenticate_admin_user!
end

Atrocity answered 20/1, 2012 at 0:26 Comment(0)

Active Admin has a built in method for handling scopes. See here: http://activeadmin.info/docs/2-resource-customization.html#scoping_the_queries

Leeann answered 30/4, 2012 at 5:20 Comment(0)

I had a similar problem in my app. I had super_users and admins where the admins could only see other admins in their organization.

app/models/ability.rb

if user.organization_admin?
  can :manage, User, :organization_id => user.organization_id
end

app/admin/users.rb

controller do load_and_authorize_resource :except => :index
  def scoped_collection
    end_of_association_chain.accessible_by(current_ability)
  end
end

Kavanaugh answered 3/4, 2012 at 13:48 Comment(0)

I don't know why it's not working, but can? :read, Shipment will not look up the permissions for can :read, Shipment do |shipment| ....

To validate against this permission you would have to specify a specific instance of a Shipment, like this can :read, @shipment.

You'll need to find a way to get the instance of the accessed shipment before your menu :if => ... line is called.

Did you try using controller.load_and_authorize_resource instead of only authorize_resource?

Breeze answered 20/1, 2012 at 15:16 Comment(5)

Tried this according to the docs and doesn't work either because any user can see any shipments can :show, Shipment, :customer_id => user.customer_id github.com/ryanb/cancan/wiki/defining-abilities – Atrocity 20/1, 2012 at 16:7

Your permission definition is fine, it's your menu :if => ... thing that isn't working, maybe you could give us more context on how it's used in the shipments.rb file (are you sure it's not in shipments_controller.rb?). – Breeze 20/1, 2012 at 16:17

I added more info in the question. What the menu :id => line does is just hide or show the menu if the user should have access to it, I don't think that's the problem. So I get all of the records listed, if I click on one of the records that the user is NOT supposed to see, it still gets displayed and I expect CanCan to tell me Access Denied. – Atrocity 20/1, 2012 at 16:30

If the permission definition is fine, then that means that the controller.authorize_resource is not being read for the index nor show actions. – Atrocity 20/1, 2012 at 16:41

@Atrocity yes, it seems so. It seems like there are some issues getting CanCan to play nice with ActiveAdmin. – Breeze 20/1, 2012 at 16:42

Use an scoped collection and run a query that depends on the current signed in user

ActiveAdmin.register Shipment do
  controller do
    def scoped_collection
      my_scope = resource_class.unscoped
      return my_scope if current_admin_user.role == "administrator" # return everything
      my_scope.where(customer_id: current_admin_user.customer_id) # filter by signed in user
    end
  end
end

Yuletide answered 15/7, 2013 at 8:6 Comment(0)

Recommended topics

Hot tags