我用devise
和cancan
宝石,并有简单的模型关联:user
has_many subscriptions
,subscription
belongs_to :user
。有以下SubscriptionsController
:设计和康康舞宝石:联想的has_many
class SubscriptionsController < ApplicationController
load_and_authorize_resource :user
load_and_authorize_resource :subscription, through: :user
before_filter :authenticate_user!
def index
@subscriptions = @user.subscriptions.paginate(:page => params[:page]).order(:created_at)
end
#other actions
end
而且Cancan
Ability.rb
:
class Ability
include CanCan::Ability
def initialize(user)
user ||=User.new
can [:read], [Edition, Kind]
if user.admin?
can :manage, :all
elsif user.id
can [:read, :create, :destroy, :pay], Subscription, user_id: user.id
can [:delete_from_cart, :add_to_cart, :cart], User, id: user.id
end
end
end
的问题是,我不能使用subscriptions
行动作为一个用户,但可以作为一个管理员。并且与UsersController
没有任何问题。当我从SubscriptionsController
删除以下行:
load_and_authorize_resource :user
load_and_authorize_resource :subscription, through: :user
before_filter :authenticate_user!
根本没有问题。所以这个问题在这几行或者在Ability.rb
。有什么建议么?
UPDATE:有趣的是,如果我添加不便像can? :index, Subscription
到HTML模板它显示true
。如果添加如can? :index, Subscription.first
(订阅另一个用户),则显示false
。看起来像Cancan
正常工作。但是,什么是问题..
UPDATE:如果改变SubscriptionsControlle
像:
class SubscriptionsController < ApplicationController
#load_and_authorize_resource :user
#load_and_authorize_resource :subscription, through: :user
before_filter :authenticate_user!
def show
@user = User.find params[:user_id] #line 1
@subscription = @user.subscriptions.find params[:id] #line 2
@container_items = @subscription.container_items.paginate(:page => params[:page])
authorize! :show, @subscription #line 4
end
#some actions
end
它可以完美运行,防止非授权用户访问时的需要。 是线#1,2和4不等同于评论..
UPDATE:有在routes.rb
如下:
resources :users, except: [:show] do
member do
get 'cart'
delete 'delete_from_cart' => 'users#delete_from_cart'
post 'add_to_cart' => 'users#add_to_cart'
end
resources :subscriptions do
member do
post 'pay'
end
end
end
UPDATE:下一步的解决方案阻止所有未经授权的访问除了index
订阅操作:
class SubscriptionsController < ApplicationController
load_resource :user
load_resource :subscription, through: :user
authorize_resource through: :current_user
before_filter :authenticate_user!
#actions
end
那么什么是防止接入的最佳方式行动?
只发现了以下解决方案:
before_filter :authorize_index, only: [:index]
def authorize_index
raise CanCan::AccessDenied unless params[:user_id] == current_user.id.to_s
end
所以,我可以看到有:'类TasksController:项目 end'。有什么区别? –
tiktak
2012-07-08 16:09:11
您如何期待“load_and_authorize_resource:user”的工作?应该如何授权用户实例? – Roman 2012-07-08 16:12:20
我已经按照我的'routes.rb':'资源:用户,除了:[:秀]做 资源:订阅做 成员做 后“支付” 结束 结束 end' – tiktak 2012-07-08 16:13:39