您如何授权访问由 controller 处理的页面,而没有相应的 model 与 Cancancan?
[英]How do you authorize access to a page dealed by a controller without corresponding model with Cancancan?
问题描述
The issue
问题
A Spree admin controller without corresponding model, whose access trial redirect to an other page.没有相应 model 的 Spree 管理员 controller,其访问试用重定向到其他页面。
The corresponding attempt code:对应的尝试代码:
module Spree
module Admin
class TutorialsController < Spree::Admin::BaseController
authorize_resource :class => false
def index
end
end
end
end
And in app/models/spree/ability_decorator.rb the following was added:在app/models/spree/ability_decorator.rb中添加了以下内容:
can :manage, :'tutorial'
can :manage, :'admin/tutorial'
can :manage, :'admin_tutorial'
can :manage, :'spree/admin/tutorial'
can :manage, :'spree_admin_tutorial'
But none of these authorizations will do the trick.但是这些授权都不能解决问题。 Of course adding can:manage, :all at this place will make the page reachable as desired, so this is definitely solution close to that which is needed but less permissive that is looked for here.当然,在这个地方添加can:manage, :all将使页面可以根据需要访问,所以这绝对是接近所需但不那么宽松的解决方案。 Even using skip_authorization_check in the controller won't do the trick, the request will be redirected to admin/products with these corresponding initial logs:即使在 controller 中使用skip_authorization_check也无法解决问题,请求将被重定向到具有这些相应初始日志的admin/products :
Started GET "/admin/tutorials" for 127.0.0.1 at 2020-04-30 17:11:28 +0200
Processing by Spree::Admin::TutorialsController#index as HTML
Spree::Preference Load (2.9ms) SELECT "spree_preferences".* FROM "spree_preferences" WHERE "spree_preferences"."key" = $1 LIMIT $2 [["key", "spree/backend_configuration/locale"], ["LIMI
T", 1]]
↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/bundler/gems/spree_i18n-a03ecad00a1e/lib/spree_i18n/controller_locale_helper.rb:21
Spree::User Load (3.2ms) SELECT "spree_users".* FROM "spree_users" WHERE "spree_users"."deleted_at" IS NULL AND "spree_users"."id" = $1 ORDER BY "spree_users"."id" ASC LIMIT $2 [["id",
194], ["LIMIT", 1]]
↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98
Spree::Role Load (3.4ms) SELECT "spree_roles".* FROM "spree_roles" INNER JOIN "spree_role_users" ON "spree_roles"."id" = "spree_role_users"."role_id" WHERE "spree_role_users"."user_id" =
$1 [["user_id", 194]]
↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98
Spree::Producer Load (2.6ms) SELECT "spree_producers".* FROM "spree_producers" WHERE "spree_producers"."id" = $1 LIMIT $2 [["id", 16], ["LIMIT", 1]]
↳ app/models/spree/ability_decorator.rb:123
Redirected to http://localhost:5000/forbidden
Completed 302 Found in 80ms (ActiveRecord: 41.4ms)
And after a few other redirections, the request lead to the previously stated path.在进行了几次其他重定向之后,请求会导致前面所述的路径。
Pertaining related resources相关相关资源
- Adding a Controller without corresponding model while using cancancan proposes a solution which unfortunately didn't work in this case. 在使用 cancancan 时添加没有相应 model 的 Controller提出了一个解决方案,不幸的是在这种情况下不起作用。
- How to authorize namespace, model-less controllers using CanCanCan? 如何使用 CanCanCan 授权命名空间、无模型控制器? suggest the use of
skip_authorization_check建议使用skip_authorization_check
1 个解决方案
解决方案1
0 已采纳 2020-05-04 17:08:13
There was no need for special ability after all in this case.在这种情况下,毕竟不需要特殊能力。 The Spree::BaseController sets the correct permissions to grant the aimed access, unlike Spree::Admin::BaseController . Spree::BaseController设置正确的权限以授予目标访问权限,这与Spree::Admin::BaseController 。 To keep the CSS style consistent, an explicit layout statement is required.为了保持 CSS 风格一致,需要明确的layout声明。
module Spree
module Admin
class TutorialsController < Spree::BaseController
layout 'spree/layouts/admin'
def index; end
end
end
end
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.