1. 首页
  2. 问答
  3. 设计和康康舞宝石:联想的has_many

设计和康康舞宝石:联想的has_many

2012-07-08 42 views
1

我用devisecancan宝石,并有简单的模型关联:userhas_many subscriptionssubscriptionbelongs_to :user。有以下SubscriptionsController设计和康康舞宝石:联想的has_many

class SubscriptionsController < ApplicationController 

    load_and_authorize_resource :user 
    load_and_authorize_resource :subscription, through: :user 

    before_filter :authenticate_user! 

    def index 
    @subscriptions = @user.subscriptions.paginate(:page => params[:page]).order(:created_at) 
    end 

    #other actions 
end

而且CancanAbility.rb

class Ability 
    include CanCan::Ability 

    def initialize(user) 

    user ||=User.new 

    can [:read], [Edition, Kind] 

    if user.admin? 
     can :manage, :all 
    elsif user.id 
     can [:read, :create, :destroy, :pay], Subscription, user_id: user.id 
     can [:delete_from_cart, :add_to_cart, :cart], User, id: user.id 
    end 

    end 

end

的问题是,我不能使用subscriptions行动作为一个用户,但可以作为一个管理员。并且与UsersController没有任何问题。当我从SubscriptionsController删除以下行:

load_and_authorize_resource :user 
    load_and_authorize_resource :subscription, through: :user 

    before_filter :authenticate_user!

根本没有问题。所以这个问题在这几行或者在Ability.rb。有什么建议么?

UPDATE:有趣的是,如果我添加不便像can? :index, Subscription到HTML模板它显示true。如果添加如can? :index, Subscription.first(订阅另一个用户),则显示false。看起来像Cancan正常工作。但是,什么是问题..

UPDATE:如果改变SubscriptionsControlle像:

class SubscriptionsController < ApplicationController 

    #load_and_authorize_resource :user 
    #load_and_authorize_resource :subscription, through: :user 

    before_filter :authenticate_user! 

    def show 
    @user = User.find params[:user_id] #line 1 
    @subscription = @user.subscriptions.find params[:id] #line 2 
    @container_items = @subscription.container_items.paginate(:page => params[:page]) 
    authorize! :show, @subscription #line 4 
    end 

    #some actions 
end

它可以完美运行,防止非授权用户访问时的需要。 是线#1,2和4不等同于评论..

UPDATE:有在routes.rb如下:

resources :users, except: [:show] do 
    member do 
     get 'cart' 
     delete 'delete_from_cart' => 'users#delete_from_cart' 
     post 'add_to_cart' => 'users#add_to_cart' 
    end 
    resources :subscriptions do 
     member do 
     post 'pay' 
     end 
    end 
    end

UPDATE:下一步的解决方案阻止所有未经授权的访问除了index订阅操作:

class SubscriptionsController < ApplicationController 

    load_resource :user 
    load_resource :subscription, through: :user 
    authorize_resource through: :current_user 

    before_filter :authenticate_user! 

    #actions 
end

那么什么是防止接入的最佳方式行动?

只发现了以下解决方案:

before_filter :authorize_index, only: [:index] 

    def authorize_index 
    raise CanCan::AccessDenied unless params[:user_id] == current_user.id.to_s 
    end

来源

2012-07-08 tiktak

回答

1

应该

load_and_authorize_resource :subscription

或只是

load_and_authorize_resource
你的情况

,当你想嵌套的资源,然后

load_and_authorize_resource :through => :current_user

https://github.com/ryanb/cancan/wiki/Nested-Resources

来源

2012-07-08 16:07:03 Roman

+0

所以,我可以看到有:'类TasksController :项目 end'。有什么区别? – tiktak 2012-07-08 16:09:11

+0

您如何期待“load_and_authorize_resource:user”的工作?应该如何授权用户实例? – Roman 2012-07-08 16:12:20

+0

我已经按照我的'routes.rb':'资源:用户,除了:[:秀]做 资源:订阅做 成员做 后“支付” 结束 结束 end' – tiktak 2012-07-08 16:13:39

相关问题

 相关问题