Currently, the create? method checks only if user is present, but this behavior permits that another authenticated user can creates records to another user.
- You check if this bevahior happens
- Improve method to only permits that the user who is creating a record be the owner of this record and the user can't create record to other user.
Help: https://github.com/varvet/pundit
Currently, the
create?method checks only if user is present, but this behavior permits that another authenticated user can creates records to another user.Help: https://github.com/varvet/pundit