I'm using Devise and CanCan for user authentication and administrating roles restricting access to parts of my Rails 4 app for certain users.
I've run into some problems with updating a user. The update works fine and the user object in the db get updated as it should, but my user session is lost on the following redirect_to my user show action. current_user becomes nil which means that CanCan restricts the access to the user show action.
Why does current_user become nil after update, when this does not happen on other actions (e.g create, destroy etc.)?
These are the devise settings in my user model:
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable, :authentication_keys => [:login]
This is my users_controller.rb's update method:
class UsersController < ApplicationController
load_and_authorize_resource
before_filter :authenticate_user!
def update
@user = User.find(params[:id])
if params[:user][:password].blank?
params[:user].delete(:password)
end
respond_to do |format|
if @user.update_attributes(user_params)
format.html { redirect_to user_path, :notice => 'User was successfully updated.' }
format.json { head :ok }
else
format.html { render :action => "edit" }
format.json { render :json => @user.errors, :status => :unprocessable_entity }
end
end
end
end
And this is my ability.rb file:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if defined?(user.role_id)
if user.role? :admin, user.role_id
can :manage, :all
elsif user.role? :hauler, user.role_id
can :manage, [User,Trip,Invoice], user_id: user.id.to_s
else
can :create, :Trip
end
end
end
end
It depends on the update being performed. Sessions are serialized with certain bits of user data.
For instance updating the password will cause a session to be nullified because the encrypted password is part of the serialized hash, and if that is changed, the session can no longer reference the original encrypted password.