I have a website where I use declarative authorization to determine who is allowed to do what. One thing that I need to allow is for people to change their own passwords. It’s pretty simple, my model/controller is users. Here’s what I needed to do:


class UsersController < ApplicationController
  filter_access_to :all
  filter_access_to :edit, :update, :attribute_check => true


role :user do
	has_permission_on [:users], to: [:edit, :update] do
		if_attribute :id => is { user.id }

Some of my user accounts are local (where I store the password) and some are on an ldap server, where the password is stored elsewhere. I’m only allowing those people who are local to change their password. And I put the form behind a ‘Profile’ link that I’m showing in the navigation bar. So this is the bit I added to the view to show it only for local_accounts.


<% if current_user.local_account %>

  • <%= link_to "Profile", edit_user_path(current_user.id) %>
  • <% end %>

    controllers/application_controller.rb (holds current_user method)

    def current_user_session
     return @current_user_session if defined?(@current_user_session)
      @current_user_session = UserSession.find
    def current_user
     return @current_user if defined?(@current_user)
      @current_user = current_user_session && current_user_session.record

    I haven’t had to do this because, until recently, all of my users were being cleared off the ldap server. But now, we’re having some cases where I need people not affiliated with my employer needing access to some pages.