So this is the authorization code I wrote based on Railscast #386.
The problem is that the block works on all controllers except for
user_controller. In other words, any user can trigger
update actions on any other user, even though the block given to it is the same as that of favors
```ruby
def initialize(user)
  allow :users, [:new, :create, :show]
  allow :sessions, [:new, :create, :destroy]
  allow :favors, [:index, :show]
  if user
    allow :users, [:edit, :update] do |usr|
      usr.id == user.id
    end
    allow :favors, [:new, :create]
    allow :favors, [:edit, :update] do |favor|
      favor.user_id == user.id
    end
    allow :acceptances, [:create, :update] do |acceptance|
      !acceptance.has_accepted_acceptance?
    end
  end
end
```
Any help is highly appreciated :)
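As an added illustration (not the asker's code and not the Railscast's verbatim source), the following self-contained permission object reconstructs the pattern the question relies on: `allow` registers an action, optionally with a per-resource block, and `allow?` only evaluates that block when the controller actually passes a resource. The `User` and `Favor` structs, the `authorized?` helper and the `allow`/`allow?` bodies are assumptions modelled on the episode's approach; the point to check in your own app is what each controller hands to `allow?` as the resource, because the block is never consulted otherwise.

```ruby
# Constructed stand-ins for ActiveRecord models (assumption, not the asker's schema).
User  = Struct.new(:id)
Favor = Struct.new(:id, :user_id)

class Permission
  def initialize(user)
    @allowed_actions = {}
    # Public actions, available to everyone, signed in or not.
    allow :users, [:new, :create, :show]
    allow :sessions, [:new, :create, :destroy]
    allow :favors, [:index, :show]
    if user
      # Only the account owner may edit their own user record.
      allow :users, [:edit, :update] do |usr|
        usr.id == user.id
      end
      allow :favors, [:new, :create]
      # Only the favor's creator may edit it.
      allow :favors, [:edit, :update] do |favor|
        favor.user_id == user.id
      end
    end
  end

  # Register controller/action pairs; an optional block is a per-resource check.
  def allow(controllers, actions, &block)
    Array(controllers).each do |controller|
      Array(actions).each do |action|
        @allowed_actions[[controller.to_s, action.to_s]] = block || true
      end
    end
  end

  # Deny by default. A rule stored as `true` is unconditional; a rule stored as a
  # block decides only when a resource was supplied. A nil resource fails closed,
  # so a controller that forgets to provide one denies rather than allows.
  def allow?(controller, action, resource = nil)
    allowed = @allowed_actions[[controller.to_s, action.to_s]]
    return false unless allowed
    return true if allowed == true
    return false if resource.nil?
    !!allowed.call(resource)
  end
end

# Mirrors what a before_filter would ask: may current_user run
# controller#action against this resource? (hypothetical helper)
def authorized?(current_user, controller, action, resource = nil)
  Permission.new(current_user).allow?(controller, action, resource)
end

# Constructed sample data.
ALICE      = User.new(1)
BOB        = User.new(2)
BOBS_FAVOR = Favor.new(10, BOB.id)

if __FILE__ == $0
  puts authorized?(ALICE, :users, :update, ALICE)       # true
  puts authorized?(ALICE, :users, :update, BOB)         # false
  puts authorized?(ALICE, :users, :update)              # false (no resource)
  puts authorized?(ALICE, :favors, :update, BOBS_FAVOR) # false
end
```

Running the file prints the four outcomes above; the third line is the one worth comparing with your controllers: if the users controller never supplies the user being edited, the ownership block has nothing to compare against, and a version of `allow?` that treats a missing resource as permitted would let any signed-in user through.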