If a user is logged in with a specific role - vendor - they should only see items that they have created in their store. They should not be able to see products from other vendors.
So I am trying to do this in my authorization (using Devise, CanCan, Rolify).
I tried this:
    user ||= User.new # guest user (not logged in)
    if user.has_role? :vendor
      can :dashboard
      can :manage, [Product, Vendor], :vendor_id => user.id
      can :view, [Product], :vendor_id => user.id
    end
But....haven't had much luck with that...what am I missing?
Edit 1
I know that I can restrict the products in the controller like:
    @product = current_user.products

But that's not what I am looking for. In this case, a vendor (i.e. user with role :vendor) should only be able to see products they added to the store, but they shouldn't be able to see products that other vendors add. However, a buyer (i.e. a user with role :buyer) should be able to see all the products from all buyers (as will an admin/etc). A buyer won't be able to see the prices, and some other attributes on some of the products, etc.
How can I achieve all of that?
In the controller you can only find the products belonging to that user.
The same applies to the edit and update actions. CanCan in this case is not required.
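
The rules described in the question (a vendor sees only their own products, a buyer sees every product but not its price), as an added plain-Ruby example that is not part of the original posts and does not use CanCan's API. `ProductPolicy`, `NotAuthorized`, `CATALOG` and the struct fields are hypothetical, and it assumes, as the question's code does, that a product's `vendor_id` equals the vendor user's id.

```ruby
# Constructed stand-ins for the page's models; no Rails, Devise, CanCan or Rolify needed.
User    = Struct.new(:id, :role)
Product = Struct.new(:id, :vendor_id, :name, :price)

class NotAuthorized < StandardError; end

# Plain-Ruby model of the rules in the question (hypothetical class, not CanCan's API).
class ProductPolicy
  # Attributes each role may read; anything not listed is withheld (default deny).
  VISIBLE_ATTRS = {
    vendor: %i[id vendor_id name price],
    buyer:  %i[id vendor_id name],          # buyers never receive the price
    admin:  %i[id vendor_id name price]
  }.freeze

  def initialize(user)
    @user = user || User.new(nil, :guest)   # not logged in => guest, sees nothing
  end

  # Object-level check: may this user see this particular record?
  def can_view?(product)
    case @user.role
    when :vendor then product.vendor_id == @user.id   # own products only
    when :buyer, :admin then true
    else false
    end
  end

  # Collection scoping for index pages: filter on the server side.
  def scope(products)
    products.select { |p| can_view?(p) }
  end

  # Attribute-level filtering for the response body of a single record.
  def present(product)
    raise NotAuthorized, "product #{product.id}" unless can_view?(product)
    VISIBLE_ATTRS.fetch(@user.role, []).to_h { |attr| [attr, product[attr]] }
  end
end

# Constructed sample data: two products owned by two different vendors.
CATALOG = [
  Product.new(1, 10, "Lamp", 25),
  Product.new(2, 11, "Desk", 140)
].freeze
```

The per-record check in `present` is what stops a vendor from reading another vendor's product by requesting its id directly; scoping the index list alone does not cover that path.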