Better authentication

app/controllers/users_controller.rb

@@ -23,22 +23,13 @@
 class UsersController < ApplicationController
   load_and_authorize_resource
   before_action :init, only: :show
-  skip_load_and_authorize_resource :only => :show
 
   def show
-    # TODO fix this with `authorize!`
-    if params[:id] && (@user.name != params[:id] && !@user.admin?)
-      respond_to do |format|
-        format.json { render json: ["Mind your own business"] }
-        format.html { redirect_to root_url }
-      end
-    else
       respond_to do |format|
         format.json { render json: @user }
         format.html {}
       end
   end
-  end
 
   def update
     if user_params.empty?

app/models/ability.rb

@@ -24,6 +24,9 @@ class Ability
 
   def initialize_user(user)
     can :read, :all
+    cannot :read, User do |otheruser|
+        otheruser != user && !user.admin? && !user.koelkast
+    end
     can :manage, User, id: user.id
     can :create, Order do |order|
       order.user == user && user.try(:balance).try(:>, -500)

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20190408122720) do
+ActiveRecord::Schema.define(version: 20190415182036) do
 
   create_table "barcodes", force: :cascade do |t|
     t.integer  "product_id"
@@ -87,6 +87,7 @@ ActiveRecord::Schema.define(version: 20190408122720) do
     t.boolean  "private",             default: false
     t.integer  "frecency",            default: 0,     null: false
     t.boolean  "quickpay_hidden",     default: false
+    t.string   "key"
     t.string   "userkey"
   end