stonean

trying to be better than I was yesterday

Examples of permission with model restrictions

set_permission(:my_account).
  with_controller(:users).
    only_methods(:show, :update).
  to_model(:user).
    where(:id).
    equals(:current_user_id)

This creates a permission called :my_account that covers the :show and :update methods on the users controller, with one additional restriction: even when the user holds the :my_account permission, the request must also satisfy the model-level check, which (from the above) is:

@user.id == current_user_id

Note:

  1. Lockdown will instantiate the instance variable @user if it doesn’t exist.
  2. current_user_id must be available in the controller scope.

For greater flexibility, Lockdown also offers an includes matcher.

set_permission(:manage_timesheet).
  with_controller(:timesheets).
    only_methods(:show, :update).
  to_model(:timesheet).
    where(:editor_ids).
    includes(:current_user_id)

This creates a :manage_timesheet permission covering the :show and :update methods on the timesheets controller. The model-level restriction here requires:

@timesheet.editor_ids.include?(current_user_id)

Note:

  1. Lockdown will instantiate the instance variable @timesheet if it doesn’t exist.
  2. current_user_id must be available in the controller scope.
  3. editor_ids must return an Array to use the include? method.

Param option

By default, Lockdown uses params[:id] to instantiate the model. You can change this by passing a second argument to the to_model call, like this:

set_permission(:manage_timesheet).
  with_controller(:timesheets).
    only_methods(:show, :update).
  to_model(:timesheet, :timesheet_id).
    where(:editor_ids).
    includes(:current_user_id)

This will execute the following (if the instance variable does not exist):

@timesheet = Timesheet.find(params[:timesheet_id])
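To make the three restrictions above concrete, here is an added, self-contained Ruby sketch of the semantics this page describes: the equals matcher, the includes matcher, and the param option, together with notes 1 and 3 (reusing an existing instance variable, and requiring an Array for include?). It is not Lockdown's own implementation: FakeModel, FakeController, ModelRestriction, the seeded User/Timesheet records and the current_user_id helper are all assumptions made so the example runs offline.

```ruby
# Constructed illustration of the model-restriction semantics described on this
# page. NOT Lockdown's own code: FakeModel, FakeController, ModelRestriction and
# the seeded records are assumptions made so the example runs offline.

# In-memory stand-in for an ActiveRecord model (constructed test data).
class FakeModel
  def self.records
    @records ||= {}
  end

  # Mirrors Model.find(params[...]): raises when the id is unknown.
  def self.find(id)
    records.fetch(Integer(id)) { raise KeyError, "#{name} #{id} not found" }
  end

  attr_reader :id

  def initialize(id, attrs = {})
    @id = id
    attrs.each { |k, v| define_singleton_method(k) { v } } # e.g. editor_ids
    self.class.records[id] = self
  end
end

class User < FakeModel; end
class Timesheet < FakeModel; end

# Minimal controller stand-in: exposes params plus the current_user_id helper
# that the page says must be available in controller scope.
class FakeController
  attr_reader :params, :current_user_id

  def initialize(params, current_user_id)
    @params = params
    @current_user_id = current_user_id
  end
end

# One restriction in the shape of
#   to_model(model, param).where(attribute).equals(value_method)   or
#   to_model(model, param).where(attribute).includes(value_method)
class ModelRestriction
  def initialize(model:, attribute:, matcher:, value_method:, param: :id)
    @model, @attribute, @matcher, @value_method, @param =
      model, attribute, matcher, value_method, param
  end

  # true only if the loaded record satisfies the matcher against the controller value.
  def permitted?(controller)
    actual   = load_record(controller).public_send(@attribute)
    expected = controller.public_send(@value_method)
    case @matcher
    when :equals then actual == expected
    when :includes
      # Note 3 above: the attribute must return an Array for include? to apply;
      # fail closed (raise) instead of silently answering false.
      unless actual.is_a?(Array)
        raise TypeError, "#{@model}.#{@attribute} must return an Array, got #{actual.class}"
      end
      actual.include?(expected)
    else raise ArgumentError, "unknown matcher #{@matcher}"
    end
  end

  private

  # Note 1 above: reuse @<model> if the controller already set it, otherwise
  # instantiate it from params[param] (params[:id] by default).
  def load_record(controller)
    ivar = "@#{@model}"
    existing = controller.instance_variable_get(ivar)
    return existing if existing

    klass = Object.const_get(@model.to_s.capitalize) # :timesheet -> Timesheet (assumed naming)
    controller.instance_variable_set(ivar, klass.find(controller.params.fetch(@param)))
  end
end

MY_ACCOUNT = ModelRestriction.new(model: :user, attribute: :id,
                                  matcher: :equals, value_method: :current_user_id)
MANAGE_TIMESHEET = ModelRestriction.new(model: :timesheet, param: :timesheet_id,
                                        attribute: :editor_ids, matcher: :includes,
                                        value_method: :current_user_id)

# Constructed records: two users, one well-formed timesheet, one that violates note 3.
def seed_records
  User.records.clear
  Timesheet.records.clear
  User.new(1)
  User.new(2)
  Timesheet.new(10, editor_ids: [1, 3])
  Timesheet.new(11, editor_ids: "1,3") # wrong type on purpose
end

def my_account_allowed?(user_id, current_user_id)
  seed_records
  MY_ACCOUNT.permitted?(FakeController.new({ id: user_id }, current_user_id))
end

def manage_timesheet_allowed?(timesheet_id, current_user_id)
  seed_records
  MANAGE_TIMESHEET.permitted?(FakeController.new({ timesheet_id: timesheet_id }, current_user_id))
end

# Note 1: a preset @timesheet is used as-is, so the bogus params[:timesheet_id] is never looked up.
def preset_instance_variable_honoured?
  seed_records
  controller = FakeController.new({ timesheet_id: 999 }, 1)
  controller.instance_variable_set(:@timesheet, Timesheet.records[10])
  MANAGE_TIMESHEET.permitted?(controller)
end
```

Calling my_account_allowed?(1, 2) shows the point of the model restriction: a user who holds the permission still cannot reach another user's record, because the check is evaluated against the loaded record and the current_user_id of the request. The non-Array branch raises rather than returning false so that a misconfigured editor_ids column cannot be mistaken for a legitimate denial.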

Copyright © 2010 stonean. All rights reserved.