[英]Cancan restricting access to users when it shouldn't (Ruby on Rails)
我在僅允許管理員用戶查看和編輯他創建的用戶時遇到問題。 我有一個分層系統:SuperUser> Admin>其他用戶My SuperUser可以編輯所有用戶,但是Admin用戶只能編輯自己。 為了解決這個問題,我有一個creator_id參數,它為與當前用戶ID相匹配的新用戶提供了creator_id。
我的用戶控制器:
class UsersController < ApplicationController
#CanCan resource will generate a 500 error if unauthorized
load_and_authorize_resource :user
# GET /users
# GET /users.json
def index
@users = User.all
respond_to do |format|
format.html # index.html.erb
format.json { render json: @users }
end
end
# GET /users/1
# GET /users/1.json
def show
@user = User.find(params[:id])
respond_to do |format|
format.html # show.html.erb
format.json { render json: @user }
end
end
# GET /users/new
# GET /users/new.json
def new
@user = User.new
respond_to do |format|
format.html # new.html.erb
format.json { render json: @user }
end
end
# GET /users/1/edit
def edit
@user = User.find(params[:id])
#User.find(session[:user])
end
# POST /users
# POST /users.json
def create
@user = User.new(params[:user])
@user.creator = current_user
respond_to do |format|
if @user.save
format.html { redirect_to @user, notice: 'Registration successful.' }
format.json { render json: @user, status: :created, location: @user }
else
format.html { render action: "new" }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
# PUT /users/1
# PUT /users/1.json
def update
@user = User.find(params[:id])
#@user = current_user
respond_to do |format|
if @user.update_attributes(params[:user])
format.html { redirect_to @user, notice: 'Successfully updated profile.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
@user = User.find(params[:id])
@user.destroy
respond_to do |format|
format.html { redirect_to users_url }
format.json { head :no_content }
end
end
end
和我的capability.rb文件:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new #Guest user w/o account
#Permissions on what pages can be seen by which users, and what
#Users can do with those pages
if user.status == "Super User"
can :manage, :all
elsif user.status == "Admin"
can :manage, Book
can [:create,:new], User
can [:show, :update], User, :id => user.id
can :manage, User, :creator_id => user.id
end
end
end
我確實檢查了數據庫,它正確地將當前用戶的ID分配給新用戶的creator_id。 我只是被困住了。 Cancan一直拒絕更新這些用戶的權限,但我不確定為什么。 任何幫助表示贊賞!
編輯我的用戶模型:
class User < ActiveRecord::Base has_many :books has_many :listings has_many :orders belongs_to :organizations belongs_to :creator, class_name: 'User' attr_accessible :password, :email, :first_name, :last_name, :password_confirmation, :status, :username acts_as_authentic validates :first_name, :presence => true validates :last_name, :presence => true validates :username, :presence => true, :uniqueness => true validates :email, :presence => true, :uniqueness => true validates :status, :presence => true end
好吧,只要再次閱讀您的問題,就好像您希望管理員具有管理用戶的權威權限。 在這種情況下,您可以在application_controller
定義類似的內容
def correct_user
if !params[:id].nil?
@user.User.find_by_id(params[:id])
if current_user.status :admin
else
access_denied unless current_user?(@user)
end
end
end
這樣做是允許管理員訪問所有用戶帳戶,如果該用戶不是管理員,則將拒絕他們訪問。 您可以在控制器中使用before_filter
啟用此功能,以便可以執行諸如before_filter :correct_user, :only => [:edit, :show]
這意味着只有正確的用戶才能訪問這些操作。 因此,您應該擁有一個類似於以下內容的UserController
:
class UsersController < ApplicationController
load_and_authorize_resource
before_filter :correct_user, :only => [:edit, :show]
..
....
.....
end
此示例表明,作為正確的用戶或管理員,可以訪問編輯和顯示操作。
Try this.
def initialize(user)
user ||= User.new
if user.super_user?
can :manage, :all
elsif user.admin?
can [:create, :new], User
can [:show, :edit, :update], User do |usr|
id == usr.id
end
can :manage, User do |usr|
usr.creator_id == usr.id
end
end
end
In user model, add methods:
def has_status?(given_status)
status == given_status
end
def admin?
has_status? 'Admin'
end
def super_user?
has_status? 'Super User'
end
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.