Tuesday, 27 August 2013

Issues with CanCan authorization - Author edits Post

I'm working on a Rails app with authorization using CanCan. The app has the db
models User and PositionGameStat. PositionGameStat has a foreign key
of user_id. The index page for position_game_stat shows a list of Stats
that the user has submitted, each one with an edit button. Currently it is
vulnerable to injection (... /position_game_stats/130/edit).
I would like the user to only be able to edit position_game_stat entries
equal to the current user.
In other words, if someone tried to inject into the URL
.../position_game_stats/129/edit and they did not enter those stats, they
would be denied access by CanCan.
Below is my code.
My Code: app/controllers/position_game_stats_controller.rb
class PositionGameStatsController < ApplicationController
  before_filter :authenticate_user!
  ...
  def edit
    # Load the record before authorizing it: authorize! must be given the
    # loaded instance, otherwise @position_game_stat is still nil at the
    # check and the ownership rule in Ability never sees a user_id to compare.
    @position_game_stat = PositionGameStat.find(params[:id])
    authorize! :manage, @position_game_stat
  end
  ...
end
app/models/ability.rb
class Ability
  include CanCan::Ability
  def initialize(user)
    can :show, User, :id => user.id
    # Block form: CanCan evaluates the block only when an instance is passed
    # (class-level checks such as can? :manage, PositionGameStat return true).
    # The equivalent hash form, can :manage, PositionGameStat, :user_id => user.id,
    # also lets load_and_authorize_resource and accessible_by apply the condition.
    can :manage, PositionGameStat do |t|
      t.user_id == user.id
    end
  end
end
Any suggestions are well appreciated.
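The ownership check the question asks for, written as an added example that is not the poster's code and not CanCan itself: the Ability class below is a hypothetical stand-in that mirrors CanCan's hash-condition rule (`can :manage, PositionGameStat, user_id: user.id`) so the controller flow can run without Rails. The STATS table, User and PositionGameStat structs, and the edit/index methods are constructed for the example.

```ruby
# Added example, not the poster's code and not the CanCan gem.
# Stand-in models (constructed): a user and a stat row keyed by user_id.
User = Struct.new(:id)
PositionGameStat = Struct.new(:id, :user_id)

class AccessDenied < StandardError; end

# Hypothetical stand-in for CanCan's hash-condition rule matching.
class Ability
  def initialize(user)
    @rules = []
    can(:manage, PositionGameStat, user_id: user.id)
  end

  def can(action, klass, conditions)
    @rules << [action, klass, conditions]
  end

  # A nil subject (record not yet loaded) is an instance of no class, so it
  # matches no rule: the check fails closed rather than granting access.
  def can?(action, subject)
    @rules.any? do |rule_action, klass, conds|
      rule_action == action && subject.is_a?(klass) &&
        conds.all? { |attr, value| subject.public_send(attr) == value }
    end
  end

  def authorize!(action, subject)
    raise AccessDenied unless can?(action, subject)
    subject
  end
end

# Constructed sample data: stat 129 belongs to user 1, stat 130 to user 2.
STATS = { 129 => PositionGameStat.new(129, 1), 130 => PositionGameStat.new(130, 2) }

# Corrected controller flow: find the record first, then authorize that instance.
# A request for someone else's id raises AccessDenied.
def edit(current_user, id)
  stat = STATS.fetch(id)
  Ability.new(current_user).authorize!(:manage, stat)
end

# Index scoped to the current user's own rows (what accessible_by provides in
# CanCan when the rule uses hash conditions).
def index(current_user)
  ability = Ability.new(current_user)
  STATS.values.select { |s| ability.can?(:manage, s) }.map(&:id)
end
```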
