Using Rails 4.2.4 with Devise (3.5.2) and Pundit (1.0.1). Decent_exposure (2.3.2).
I have a simple nested association for User and Idea:
    class User < ActiveRecord::Base
      has_many :ideas
      ...
    class Idea < ActiveRecord::Base
      belongs_to :user
      ...
In routes.rb
    devise_for :users
    resources :users do
      resources :ideas
    end
Then I am simply trying to disallow access to users/1/ideas if current_user is not the owner of the Ideas (in this example, if current_user.id != 1). I cannot figure out how to do it. I am able to show just the current_user Ideas in the Index view with:
[Ideas controller]
    def show
      authorize idea
    end
[Idea policy]
    def show?
      @current_user == @idea.user
    end
But how can I prevent a user from simply navigating to another user's Idea index page? I guess that in Ideas controller I should use something like:
    def index
      authorize user
    end
But then what? How can I send to the User Policy the info regarding the Idea collection? Or should I authorize via the Idea Policy itself?
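
The two checks the question is weighing (authorize the parent user taken from the URL, and scope the idea collection to the signed-in user), as an added example that is not part of the original post. It is plain Ruby that only mimics the shape of Pundit policies and scopes; `list_ideas?`, `ideas_index`, `denied?` and the sample records are hypothetical names constructed for illustration.

```ruby
# Constructed stand-ins for the question's models; no Rails or Pundit required.
User = Struct.new(:id)
Idea = Struct.new(:id, :user)
class NotAuthorizedError < StandardError; end

# Policy on the parent record named in the URL (/users/:user_id/ideas).
class UserPolicy
  def initialize(current_user, user)
    @current_user = current_user
    @user = user
  end

  # Hypothetical query name; a Pundit controller would call `authorize user, :list_ideas?`.
  def list_ideas?
    !@current_user.nil? && @current_user.id == @user.id
  end
end

class IdeaPolicy
  # Shaped like a Pundit policy Scope; in Rails, resolve would be `scope.where(user: current_user)`.
  class Scope
    def initialize(current_user, scope)
      @current_user = current_user
      @scope = scope
    end

    def resolve
      @scope.select { |idea| idea.user.id == @current_user.id }
    end
  end
end

# Stand-in for IdeasController#index: check the parent first, then scope the collection.
def ideas_index(current_user, url_user, all_ideas)
  raise NotAuthorizedError unless UserPolicy.new(current_user, url_user).list_ideas?
  IdeaPolicy::Scope.new(current_user, all_ideas).resolve
end

# True when the request is refused.
def denied?(current_user, url_user)
  ideas_index(current_user, url_user, IDEAS)
  false
rescue NotAuthorizedError
  true
end

ALICE = User.new(1)
BOB = User.new(2)
IDEAS = [Idea.new(10, ALICE), Idea.new(11, BOB), Idea.new(12, ALICE)].freeze
```

Scoping the collection means that even if the parent check were skipped, the query would still return only the signed-in user's records.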