How do you authorize access to a page handled by a controller without a corresponding model with Cancancan?
A Spree admin controller without a corresponding model, whose access attempt redirects to another page.
The corresponding attempt code:
module Spree
  module Admin
    class TutorialsController < Spree::Admin::BaseController
      authorize_resource :class => false
      def index
      end
    end
  end
end
And in app/models/spree/ability_decorator.rb the following was added:
can :manage, :'tutorial'
can :manage, :'admin/tutorial'
can :manage, :'admin_tutorial'
can :manage, :'spree/admin/tutorial'
can :manage, :'spree_admin_tutorial'
But none of these authorizations will do the trick. Of course adding

  can :manage, :all

at this place will make the page reachable as desired, so this is definitely close to the solution that is needed, but something less permissive is what is looked for here. Even using skip_authorization_check in the controller won't do the trick; the request will be redirected to admin/products with these corresponding initial logs:
Started GET "/admin/tutorials" for 127.0.0.1 at 2020-04-30 17:11:28 +0200
Processing by Spree::Admin::TutorialsController#index as HTML
Spree::Preference Load (2.9ms) SELECT "spree_preferences".* FROM "spree_preferences" WHERE "spree_preferences"."key" = $1 LIMIT $2 [["key", "spree/backend_configuration/locale"], ["LIMIT", 1]]
↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/bundler/gems/spree_i18n-a03ecad00a1e/lib/spree_i18n/controller_locale_helper.rb:21
Spree::User Load (3.2ms) SELECT "spree_users".* FROM "spree_users" WHERE "spree_users"."deleted_at" IS NULL AND "spree_users"."id" = $1 ORDER BY "spree_users"."id" ASC LIMIT $2 [["id", 194], ["LIMIT", 1]]
↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98
Spree::Role Load (3.4ms) SELECT "spree_roles".* FROM "spree_roles" INNER JOIN "spree_role_users" ON "spree_roles"."id" = "spree_role_users"."role_id" WHERE "spree_role_users"."user_id" = $1 [["user_id", 194]]
↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98
Spree::Producer Load (2.6ms) SELECT "spree_producers".* FROM "spree_producers" WHERE "spree_producers"."id" = $1 LIMIT $2 [["id", 16], ["LIMIT", 1]]
↳ app/models/spree/ability_decorator.rb:123
Redirected to http://localhost:5000/forbidden
Completed 302 Found in 80ms (ActiveRecord: 41.4ms)
And after a few other redirections, the request led to the previously stated path.
There was no need for a special ability after all in this case. The Spree::BaseController sets the correct permissions to grant the aimed access, unlike Spree::Admin::BaseController. To keep the CSS style consistent, an explicit layout statement is required.
module Spree
  module Admin
    class TutorialsController < Spree::BaseController
      layout 'spree/layouts/admin'
      def index; end
    end
  end
end
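The following is an added example, not code from the question, the answer, Spree or CanCanCan. It is a small stand-alone model of CanCanCan's symbol-subject matching that replays the authorization checks a GET /admin/tutorials request meets, to show why none of the five `can :manage, :'...'` lines opens the page while `can :manage, :all` does, and what the answer's switch to Spree::BaseController actually changes. Everything about the filters is a labelled assumption rather than something the page states: that CanCanCan compares symbol subjects by exact equality (so :tutorial never matches :tutorials), that `authorize_resource class: false` checks the singularized last segment of params[:controller] (here :tutorial), and that Spree::Admin::BaseController's `authorize_admin` before_action checks :admin and the current action against controller_name.to_sym (the plural :tutorials) while Spree::BaseController runs no such filter. The names MiniAbility, replay and the *_result helpers are invented for this example.

```ruby
# Added example: a minimal model of CanCanCan symbol-subject matching, used to
# replay the checks behind GET /admin/tutorials. Not code from the question,
# from Spree or from CanCanCan.
#
# Labelled assumptions (not stated on the page):
#  * CanCanCan compares symbol subjects by exact equality; :manage matches every
#    action and :all matches every subject.
#  * `authorize_resource class: false` checks the current action against the
#    singularized last segment of params[:controller], here :tutorial.
#  * Spree::Admin::BaseController's authorize_admin before_action checks :admin
#    and the current action against controller_name.to_sym, the plural
#    :tutorials; Spree::BaseController has no such filter.

Rule = Struct.new(:actions, :subjects)

class MiniAbility
  def initialize
    @rules = []
    yield self if block_given?
  end

  # Mirrors `can actions, subjects` for symbol subjects only.
  def can(actions, subjects)
    @rules << Rule.new(Array(actions), Array(subjects))
  end

  # A rule grants the pair when it names the action (or :manage) and the
  # subject (or :all); nothing else, so :tutorial never matches :tutorials.
  def can?(action, subject)
    @rules.any? do |rule|
      (rule.actions & [:manage, action]).any? && (rule.subjects & [:all, subject]).any?
    end
  end
end

# Subject CanCanCan derives from params[:controller] = "spree/admin/tutorials":
# the last path segment, singularized (a naive singularize is enough here).
def cancancan_subject(controller_path)
  controller_path.split('/').last.sub(/s\z/, '').to_sym
end

# Replay every authorization check the request meets and return the ones that
# failed, so the reason for a redirect stays visible.
#   base:               :admin_base for Spree::Admin::BaseController, :base for Spree::BaseController
#   authorize_resource: whether the controller declares `authorize_resource class: false`
def replay(ability, base: :admin_base, authorize_resource: true, action: :index)
  checks = []
  checks << [:admin, :tutorials] << [action, :tutorials] if base == :admin_base
  checks << [action, cancancan_subject('spree/admin/tutorials')] if authorize_resource
  failed = checks.reject { |act, subj| ability.can?(act, subj) }
  { checks: checks, failed: failed, allowed: failed.empty? }
end

# The five lines tried in the question.
QUESTION_ABILITY = MiniAbility.new do |a|
  a.can :manage, :tutorial
  a.can :manage, :'admin/tutorial'
  a.can :manage, :admin_tutorial
  a.can :manage, :'spree/admin/tutorial'
  a.can :manage, :spree_admin_tutorial
end

# The over-broad rule the question reports as working.
MANAGE_ALL = MiniAbility.new { |a| a.can :manage, :all }

# A least-privilege rule set that satisfies both filters in this model: Spree's
# check wants :admin and :index on :tutorials, CanCanCan's wants :index on :tutorial.
LEAST_PRIVILEGE = MiniAbility.new do |a|
  a.can [:admin, :index], :tutorials
  a.can :index, :tutorial
end

def question_result
  replay(QUESTION_ABILITY)   # fails Spree's two :tutorials checks
end

def manage_all_result
  replay(MANAGE_ALL)         # passes everything, far too broad
end

def least_privilege_result
  replay(LEAST_PRIVILEGE)    # passes with only what the index action needs
end

# The answer's controller: Spree::BaseController and no authorize_resource. In
# this model no check runs at all, so even an ability with no rules gets through.
def answer_result
  replay(MiniAbility.new, base: :base, authorize_resource: false)
end

if __FILE__ == $PROGRAM_NAME
  puts "question:        #{question_result}"
  puts "manage all:      #{manage_all_result}"
  puts "least privilege: #{least_privilege_result}"
  puts "answer:          #{answer_result}"
end
```

Run it with `ruby` to see each scenario's failed checks. The point to take from the model is that the answer's controller reaches the page because no authorization filter runs on it any more, not because a narrower permission was granted; before relying on that in a real deployment, confirm against the Spree version in use which before_actions Spree::BaseController and Spree::Admin::BaseController actually apply, and consider keeping an explicit `authorize!` on the index action.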