I have an app for managing restaurants where each restaurant has a dashboard (a mini control panel to change some settings if you are allowed to). I noticed that even though I have defined some abilities, any user can access any restaurant's dashboard. Basically, I would like users to have access only if they have a position at the restaurant. Currently, the ability.rb looks like this:
    class Ability
      include CanCan::Ability

      def initialize(user)
        # Guest (not logged in) falls back to a blank user with no roles
        user ||= User.new

        if user.admin?
          can :manage, :all
        else
          # Each role ties the user to one restaurant; each permission grants
          # one action on one model, scoped to that restaurant
          user.roles.each do |role|
            role.permissions.each do |permission|
              subject = permission.subject_class.constantize
              if permission.subject_class == "Restaurant"
                # The restaurant itself is matched on its own id
                can permission.action.to_sym, subject, id: role.restaurant_id
              else
                # Everything else (products, tables, ...) is matched on restaurant_id
                can permission.action.to_sym, subject, restaurant_id: role.restaurant_id
              end
            end
          end

          # Unconditioned rules: every user can read every restaurant, product and category
          can :read, Restaurant
          can :read, Product
          can :read, Category
        end
      end
    end
The controllers folder has a folder 'dashboard' where the restricted controllers are, and the routes look like this:

    namespace :dashboard do
      resources :restaurants, except: [:index, :destroy] do
        resources :products
        resources :categories
        resources :roles
        resources :positions
        resources :tables
        resources :reservations
      end
    end
I searched in the cancan documentation for this but I could not find anything that could help me. Thank you for any suggestions on how to fix that!
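An added example (not from the question or from the CanCan gem) that models the rules above in plain Ruby, with a constructed stand-in for CanCan's hash-condition matching: it shows that the rules only take effect where authorize! is actually called, and that the unconditioned read rules grant every user access to every restaurant, so a dashboard gate has to check a position-bound action such as update. Model classes, the Rule struct and dashboard_access? are assumptions for this illustration.

```ruby
# Constructed stand-in for CanCan's hash-condition rules (not the gem itself):
# a rule matches when the subject is an instance of the rule's class and every
# condition key equals the subject's attribute of the same name.
AccessDenied = Class.new(StandardError)
Restaurant = Struct.new(:id)
Product    = Struct.new(:id, :restaurant_id)
Permission = Struct.new(:action, :subject_class)
Role       = Struct.new(:restaurant_id, :permissions)
User       = Struct.new(:admin, :roles) { def admin?; admin; end }

class Ability
  Rule = Struct.new(:action, :klass, :conditions)
  def initialize(user)
    @rules = []
    user ||= User.new(false, [])
    if user.admin?
      @rules << Rule.new(:manage, :all, {})
    else
      user.roles.each do |role|
        role.permissions.each do |perm|
          klass = Object.const_get(perm.subject_class)
          # Restaurant is scoped by its own id, everything else by restaurant_id.
          scope = perm.subject_class == "Restaurant" ? :id : :restaurant_id
          @rules << Rule.new(perm.action.to_sym, klass, { scope => role.restaurant_id })
        end
      end
      # Unconditioned reads: every restaurant and product, for every user.
      @rules << Rule.new(:read, Restaurant, {})
      @rules << Rule.new(:read, Product, {})
    end
  end
  def can?(action, subject)
    @rules.any? do |r|
      (r.action == :manage || r.action == action) &&
        (r.klass == :all || subject.is_a?(r.klass)) &&
        r.conditions.all? { |attr, val| subject.public_send(attr) == val }
    end
  end
  # Raises unless a rule grants the action; unless the dashboard controllers call
  # this (explicitly or via load_and_authorize_resource), nothing is enforced.
  def authorize!(action, subject)
    raise AccessDenied, "#{action} #{subject.class}##{subject.id}" unless can?(action, subject)
    true
  end
end

# Dashboard gate: require an update right at that restaurant, not just the global read.
def dashboard_access?(user, restaurant)
  Ability.new(user).authorize!(:update, restaurant)
rescue AccessDenied
  false
end
```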