There's a similar question already answered, but it seems to be a little outdated since it doesn't cover the new CanCan 2.0 version. I need to prevent certain fields (in this case :active and :limited) from being updated by the user, so that they can only be edited by an admin.
# ability.rb
if user.persisted?
  cannot :update, :users, [:active, :limited]
elsif user.admin?
  can :access, :all
end
However, this code is not preventing a user from editing those fields.
I also added the enable_authorization to a new class RegistrationsController < Devise::RegistrationsController and devise_for :users, path: 'users', controller: 'registrations' on routes, but that doesn't seem to do it either.
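
An added example, not part of the original question and not CanCan's or Devise's API: a plain-Ruby, server-side filter that drops the admin-only fields from an update unless the actor is an admin. `DemoUser`, `ADMIN_ONLY_FIELDS` and `filter_user_update` are hypothetical names, and the example assumes admins are also persisted users, which is why the admin check is evaluated first.

```ruby
# Added example: plain Ruby, no Rails, Devise or CanCan required.

# Fields from the question that only an admin may change.
ADMIN_ONLY_FIELDS = %w[active limited].freeze

# Hypothetical stand-in for the User model (constructed for this example).
DemoUser = Struct.new(:id, :admin, keyword_init: true) do
  def persisted?
    !id.nil?
  end

  def admin?
    admin == true
  end
end

# Split submitted params into [allowed_hash, rejected_keys] for the actor.
# Keys are normalized to strings so "active" and :active are treated alike.
def filter_user_update(actor, params)
  normalized = params.each_with_object({}) { |(k, v), h| h[k.to_s] = v }

  # Guests (nil or unsaved users) may not write anything.
  return [{}, normalized.keys] unless actor&.persisted?

  # Assumption: an admin is also persisted, so this check must come before
  # any rule that applies to every persisted user.
  return [normalized, []] if actor.admin?

  allowed, rejected = normalized.partition { |k, _| !ADMIN_ONLY_FIELDS.include?(k) }
  [allowed.to_h, rejected.map(&:first)]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a profile update that also tries to set the
  # admin-only flags.
  submitted = { 'email' => 'new@example.test', 'active' => '1', limited: false }
  member = DemoUser.new(id: 1, admin: false)
  allowed, rejected = filter_user_update(member, submitted)
  puts "apply:   #{allowed.inspect}"
  puts "refused: #{rejected.inspect}" # worth logging as a tampering signal
end
```
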