
CANCANCAN Permission to own data

I have a question!

I don't know how to grant a user permission to update only their own data:

ability.rb

elsif user.has_role? :user
  can :update, User, id: user.id
else

user_controller.rb

def update
  a = Ability.new(current_user)
  user = User.find params[:id]
  if a.can? :update, User, id: user.id
  ...

This returns true for any ID.

Some extra data from pry:

  [3] pry(main)> a = Ability.new(u)
  Role Load (0.7ms)  SELECT `roles`.* FROM `roles` INNER JOIN `users_roles` ON `roles`.`id` = `users_roles`.`role_id` WHERE `users_roles`.`user_id` = 3 AND (((roles.name = 'admin') AND (roles.resource_type IS NULL) AND (roles.resource_id IS NULL)))
  Role Load (0.4ms)  SELECT `roles`.* FROM `roles` INNER JOIN `users_roles` ON `roles`.`id` = `users_roles`.`role_id` WHERE `users_roles`.`user_id` = 3 AND (((roles.name = 'user') AND (roles.resource_type IS NULL) AND (roles.resource_id IS NULL)))
  => #<Ability:0x007f908ba931e8
  @rules=
   [#<CanCan::Rule:0x007f908be9b2b8
     @actions=[:update],
     @base_behavior=true,
     @block=nil,
     @conditions={:id=>3},
     @match_all=false,
     @subjects=
       [User(id: integer, email: string, encrypted_password: string, reset_password_token: string, reset_password_sent_at: datetime, remember_created_at: datetime, sign_in_count: integer, current_sign_in_at: datetime, last_sign_in_at: datetime, current_sign_in_ip: string, last_sign_in_ip: string, created_at: datetime, updated_at: datetime, auth_token: string, name: string, surnames: string)]>],
     @rules_index=
       {User(id: integer, email: string, encrypted_password: string, reset_password_token: string, reset_password_sent_at: datetime, remember_created_at: datetime, sign_in_count: integer, current_sign_in_at: datetime, last_sign_in_at: datetime, current_sign_in_ip: string, last_sign_in_ip: string, created_at: datetime, updated_at: datetime, auth_token: string, name: string, surnames: string)=>
[0]}>
  [4] pry(main)> a.can? :update, User, id: 3
  => true
  [5] pry(main)> a.can? :update, User, id: 2
  => true

What am I doing wrong?

Thanks!

#app/models/ability.rb
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.has_role? :user
      can :update, User, id: user.id
    else
      can :read, :all
    end
  end
end

#app/controllers/users_controller.rb
class UsersController < ApplicationController
   def update
      @user = User.find params[:id]
      # authorize against the record itself, not the User class, so the
      # `id: user.id` condition in the ability is actually evaluated
      authorize! :update, @user
      ...
   end
end

Documentation

CanCanCan expects a current_user method to exist in the controller.

You don't need to instantiate Ability explicitly; that is done for you by authorize! or can?.
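To make the difference between the two checks concrete, here is an added example that is not part of the question, the answer, or the cancancan gem: a stripped-down stand-in for CanCan::Ability that reproduces only the matching behaviour the question runs into. `User` is a constructed stand-in for the ActiveRecord model, and `MiniAbility`, `class_level_check` and `instance_level_check` are names chosen for this illustration.

```ruby
# Added example (not the question's, the answer's, or cancancan's own code):
# a minimal stand-in for CanCan::Ability that shows why `can? :update, User, id: 2`
# is true for every id while `can? :update, some_user` is not.
# `User` is a constructed stand-in for the ActiveRecord model.
User = Struct.new(:id, :email, keyword_init: true)

class MiniAbility
  Rule = Struct.new(:actions, :subject_class, :conditions)

  def initialize(user)
    @rules = []
    # the same rule as in the question's ability.rb
    can :update, User, id: user.id
  end

  def can(action, subject_class, conditions = {})
    @rules << Rule.new([action], subject_class, conditions)
  end

  # Mirrors what CanCan does with a hash of conditions:
  #  * subject is an *instance*: every key/value in the hash is compared against
  #    the record's attributes, so `id: 3` only matches the user with id 3;
  #  * subject is a *class*: there is no record to compare against, so the rule
  #    matches as long as the action and class match. The trailing arguments
  #    (the `id: 2` in the question) are not a condition filter; CanCan only
  #    hands them to block-based rules, and this ability defines none.
  def can?(action, subject, *_extra_args)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule|
      next false unless rule.actions.include?(action) && rule.subject_class == klass
      next true if subject.is_a?(Class) # class-level check: conditions cannot be evaluated
      rule.conditions.all? { |attr, value| subject.public_send(attr) == value }
    end
  end
end

# The two ways of asking, side by side.
def class_level_check(ability, id)
  ability.can?(:update, User, id: id)   # what the question's controller does
end

def instance_level_check(ability, record)
  ability.can?(:update, record)         # what `authorize! :update, @user` does
end

if __FILE__ == $PROGRAM_NAME
  me    = User.new(id: 3, email: "me@example.com")      # constructed sample data
  other = User.new(id: 2, email: "other@example.com")
  ability = MiniAbility.new(me)

  puts class_level_check(ability, 3)        # true
  puts class_level_check(ability, 2)        # true  (the surprise from the question)
  puts instance_level_check(ability, me)    # true
  puts instance_level_check(ability, other) # false (what the question wanted)
end
```

The security-relevant point is that a class-level check only answers "may this user update some User?", so it can never enforce ownership; any per-record condition in the ability is silently skipped. Always authorize the loaded record (`authorize! :update, @user` or `can? :update, @user`) when the rule carries conditions.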

