
Cancancan nested resource authorization

I have a working ability defined as below:

routes.rb

resources :projects do
  resources :tasks
end

ability.rb

can [:manage], Project, invites: {supplier: {:user_id => user.id}}
can [:new, :create], Task
can [:update, :show, :destroy, :edit], Task, user_id: user.id

Tasks Controller:

load_and_authorize_resource :project
load_and_authorize_resource :task, :through => :project

This properly lets the user create a task, if they are invited to a project.

However, I don't want the user to be able to :manage the project. I just need the user to be able to index the project as below.

ability.rb

can [:index], Project, invites: {supplier: {:user_id => user.id}} ## breaks when changing :manage to :index here
can [:new, :create], Task
can [:update, :show, :destroy, :edit, :index], Task, user_id: user.id

When I put in the abilities above, the user can no longer access or perform any actions on the task. How do I create a task ability through the project, with only giving an :index ability to the project?

You should probably define that a user can read a Project when invited. Therefore:

A user can read a project if he is invited (I guess the condition invites: { supplier: { user: user} } defines an invited user):

can :read, Project, invites: { supplier: { user: user} }

Then you have to say that a user can create Tasks for projects to which he got invited:

can [:new, :create], Task, project: { invites: { supplier: { user: user} } }

In the end you define that the user can manage his own tasks on projects he is invited to:

can :manage, Task, user: user, project: { invites: { supplier: { user: user} } }

You can also simplify the conditions by extracting them:

invited_to = { invites: { supplier: { user: user} } }
can :read, Project, invited_to
can [:new, :create], Task, project: invited_to
can :manage, Task, user: user, project: invited_to
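
Added example (not part of the original post, and not CanCanCan itself): a pure-Ruby stand-in for hash-condition rules, showing why granting only `:index` on the project locks the user out of the nested tasks. CanCanCan checks a parent resource with `:show` by default, and `:read` covers both `:index` and `:show`. `MiniAbility`, `nested_allowed?` and the sample records are constructed for illustration.

```ruby
# Simplified stand-in for hash-condition rules, NOT the CanCanCan gem.
# Every class, name and record here is constructed for illustration.
User     = Struct.new(:id)
Supplier = Struct.new(:user)
Invite   = Struct.new(:supplier)
Project  = Struct.new(:invites)
Task     = Struct.new(:user, :project)

class MiniAbility
  ALIASES = { read: %i[index show] }.freeze
  def initialize; @rules = []; end
  def can(actions, klass, conditions = {})
    @rules << [Array(actions), klass, conditions]
  end
  def can?(action, subject)
    @rules.any? do |actions, klass, conditions|
      subject.is_a?(klass) && covers?(actions, action) && match?(subject, conditions)
    end
  end

  private
  def covers?(actions, action)
    actions.any? { |a| a == :manage || a == action || Array(ALIASES[a]).include?(action) }
  end
  # Nested hashes follow associations; a collection matches if any member does.
  def match?(object, conditions)
    conditions.all? do |attr, expected|
      value = object.public_send(attr)
      next value == expected unless expected.is_a?(Hash)
      [value].flatten.compact.any? { |member| match?(member, expected) }
    end
  end
end

# The answer's three rules, with the project action left as a parameter.
def ability_for(user, project_action)
  invited_to = { invites: { supplier: { user: user } } }
  MiniAbility.new.tap do |a|
    a.can project_action, Project, invited_to
    a.can %i[new create], Task, project: invited_to
    a.can :manage, Task, user: user, project: invited_to
  end
end
# Nested controller model: parent checked with :show, then the task action.
def nested_allowed?(ability, action, task)
  ability.can?(:show, task.project) && ability.can?(action, task)
end
ALICE, BOB = User.new(1), User.new(2)
INVITED = Project.new([Invite.new(Supplier.new(ALICE))])
OTHER   = Project.new([Invite.new(Supplier.new(BOB))])
```

With `ability_for(ALICE, :index)` every nested task action is refused at the parent check. With `:read` the same user reaches tasks only in projects she is invited to, and can change only her own.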
