ruby-on-railsruby-on-rails-3cancan

Getting Cancan's load_and_authorize_resource working within a custom create action


Trying to set up Cancan within an app of mine and having trouble with my PostsController.

In a nutshell, when a Post is created I'd like it associated with the current_user so my create action looks something like this:

class PostsController < ApplicationController
  before_filter :login_required, :except => [:index, :show]
  load_and_authorize_resource
  ...
  def create
    # @post = Post.new(params[:post])   # <-- covered by load_and_authorize_resource
    @user = current_user
    @post = @user.posts.create(params[:post])
    respond_to do |format|
    ...
  end
  ...
end

I'm not exactly sure what load_and_authorize_resource is intended to do (other than the obvious). But what about in a situation like this? Do I need to override the load_and_authorize_resource for the create action somehow? or is there another (read: better) way to go about loading the @user and THEN creating the @post?


Solution

  • A simpler solution to your problem would be to use a nested-resource, rather than creating a custom action

    Directly taken from the CanCan Wiki:

    Nested-Resources

    As of 1.4, it's also possible to nest through a method, this is commonly the current_user method.

     class ProjectsController < ApplicationController
       load_and_authorize_resource :through => :current_user
     end 
    

    Here everything will be loaded through the current_user.projects association.

    This should be safer as well, as loading of a post will be done through the association for other actions in your controller