Grant access to manage an object a user doesn't own...
I currently have CanCan implemented in such a way that a user can only manage their own items. Now I need the ability for users to grant permissions to manage objects they own to other users in the system.
I'm not sure how to go about this?
I have tried creating a scope to cover any user that is party to the contract..
Then I set up my Ability as such...
can :read, Contract.parties(user.id)
My scope is defined as...
scope :parties, lambda { |user_id| joins(:offer).where("seller_id = ? OR buyer_id = ?", user_id, user_id) }
The log is showing that the query is executed successfully, and a record is returned. However, it still redirects me and tells me I am not authorized.
I've also tried...
belongs_to :offer
has_one :seller, (...)
can :read, Contract, buyer_id: user.id
can :read, Contract, { seller: { id: user.id } }
and
can :read, Contract, buyer_id: user.id
can :read, Contract, { offer: { seller_id: user.id } }
But these throw errors.
I thought it might be related to the has_one vs belongs_to. However, that has proven to be a false theory. I am still struggling to find a solution to this problem.
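Added example, not part of the original post and not CanCan's own code: the per-record check the post describes (a user may act on a contract if they are the seller or buyer on its offer, or if a party has granted them access), written in plain Ruby with deny-by-default. The `Grant` record, the `ContractPolicy` class and its method names are assumptions made for illustration; in CanCan a predicate like `allowed?` would be evaluated inside a `can` block.

```ruby
# Plain-Ruby stand-ins for the post's models (no Rails, no CanCan).
Offer    = Struct.new(:seller_id, :buyer_id)
Contract = Struct.new(:id, :offer)
# Hypothetical delegation record: owner_id lets grantee_id perform action on contract_id.
Grant    = Struct.new(:contract_id, :owner_id, :grantee_id, :action)

class ContractPolicy
  ACTIONS = %i[read manage].freeze

  def initialize(grants = [])
    @grants = grants
  end

  # True when user_id is the seller or buyer on the contract's offer.
  # A nil user never matches, even if seller_id or buyer_id is nil.
  def party?(user_id, contract)
    offer = contract.offer
    return false if user_id.nil? || offer.nil?
    [offer.seller_id, offer.buyer_id].include?(user_id)
  end

  # Only a party to the contract may delegate access to someone else.
  def grant!(owner_id, grantee_id, contract, action)
    raise ArgumentError, "unknown action #{action.inspect}" unless ACTIONS.include?(action)
    raise SecurityError, "only a party may grant access" unless party?(owner_id, contract)
    @grants << Grant.new(contract.id, owner_id, grantee_id, action)
  end

  # Deny by default: allow parties, then grantees holding a matching grant.
  def allowed?(user_id, action, contract)
    return false if user_id.nil?
    return true if party?(user_id, contract)
    @grants.any? do |g|
      g.contract_id == contract.id &&
        g.grantee_id == user_id &&
        (g.action == action || g.action == :manage) && # :manage covers every action
        party?(g.owner_id, contract) # a grant is void once its grantor is no longer a party
    end
  end
end
```

The grant is checked against the specific contract id, so access delegated on one contract never carries over to another.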
Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013. Since only Ryan himself has commit permissions, the CanCan project is at a standstill.
CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.
If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.
We hope to see you on the other side!