Devise and Cancancan - How to make it work?
I'm building a web application (a chat), and since yesterday I have switched from Pundit (because it was too hard) to Cancancan (which looks better to me).
I'm trying to get something simple working, e.g. showing all articles with their options (show, edit, destroy), and then setting permissions on them so that only the user who created the article can edit or destroy it.
The problem is that I don't understand how to implement it fully. Google lacks examples, and those that exist are mostly outdated.
Here is what I have:
Ability.rb - I don't know whether this is correct
```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.admin?
      can :manage, :all
    else
      can :read, :all
    end
    can :read, :articles
    can :create, :articles
  end
end
```
User.rb (Devise)
```ruby
class User
  include Mongoid::Document
  has_many :articles

  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable

  ## Database authenticatable
  field :username,           type: String, default: ""
  field :email,              type: String, default: ""
  field :encrypted_password, type: String, default: ""

  ## Recoverable
  field :reset_password_token,   type: String
  field :reset_password_sent_at, type: Time

  ## Rememberable
  field :remember_created_at, type: Time

  ## Trackable
  field :sign_in_count,      type: Integer, default: 0
  field :current_sign_in_at, type: Time
  field :last_sign_in_at,    type: Time
  field :current_sign_in_ip, type: String
  field :last_sign_in_ip,    type: String

  ## Admin
  field :admin, :type => Boolean, :default => false
end
```
Article.rb
```ruby
class Article
  include Mongoid::Document
  belongs_to :user

  field :title,   type: String
  field :content, type: String

  default_scope -> { order(created_at: :desc) }
end
```
index.html (showing the articles - only the part where I added Cancancan)
```erb
<tbody>
  <% @articles.each do |article| %>
    <tr>
      <td><%= article.title %></td>
      <td><%= article.content %></td>
      <td><%= link_to 'Show', article %></td>
      <td>
        <% if can? :update, @article %>
          <%= link_to 'Edit', edit_article_path(article) %>
        <% end %>
      </td>
      <td><%= link_to 'Destroy', article, method: :delete, data: { confirm: 'Are you sure?' } %></td>
    </tr>
  <% end %>
</tbody>
```
You need to define the permissions by class in your Ability file:
```ruby
#app/models/ability.rb
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.admin?
      can :manage, :all
    else
      can :read, :all
    end
    # Only the owner (article.user_id == current user's id) may edit or destroy.
    # The original answer had the typo :credit here; the action is :create.
    can [:create, :edit, :update, :destroy], Article, user_id: user.id
  end
end
```
```erb
#app/views/articles/index.html.erb
<tbody>
  <% @articles.each do |article| %>
    <tr>
      <td><%= article.title %></td>
      <td><%= article.content %></td>
      <td><%= link_to 'Show', article %></td>
      <td><%= link_to 'Edit', article if can? :update, article %></td>
      <td><%= link_to 'Destroy', article, method: :delete, data: { confirm: 'Are you sure?' } if can? :destroy, article %></td>
    </tr>
  <% end %>
</tbody>
```
Devise
Speaking of Devise, the second important factor to consider is that Devise = authentication and CanCanCan = authorization:
- Authentication = is the user logged in?
- Authorization = can the user do this?
I see a lot of people posting completely wrong information about using Devise for "authorization". Devise only handles authentication (is the user logged in?); when handling authorization, you need to use a different pattern that makes use of the user object Devise creates.
Just wanted to point this out, since you mentioned Devise in your original post.
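To check the owner/admin/guest cases of the rules in the answer above offline, here is an added example that is not part of the question or answer. It does not load CanCanCan; `Ability`, `can`, `can?` and `authorize!` below are a small stand-in that evaluates the hash condition the way the answer's rule does, and `User`/`Article` are plain structs standing in for the Mongoid models. It also shows why the controller, not only the view, must check: the view merely hides links, while `authorize!` rejects a request the server actually received.

```ruby
# Added example: stand-in for the CanCanCan rules in the answer (not the gem itself).
User    = Struct.new(:id, :admin)            # stands in for the Mongoid User model
Article = Struct.new(:id, :user_id, :title)  # stands in for the Mongoid Article model

class Ability
  Rule = Struct.new(:actions, :subject, :conditions)

  def initialize(user)
    @rules = []
    user ||= User.new(nil, false)            # guest: no id, not admin
    if user.admin
      can :manage, :all
    else
      can :read, :all
    end
    # Same rule as the answer (:credit corrected to :create): only the record
    # whose user_id equals the current user's id may be edited or destroyed.
    can [:create, :edit, :update, :destroy], Article, user_id: user.id
  end

  def can(actions, subject, conditions = {})
    @rules << Rule.new(Array(actions), subject, conditions)
  end

  # :manage covers every action, :all covers every subject. Hash conditions are
  # compared against the record's attributes; for a class-level query such as
  # can?(:create, Article) they are skipped, as CanCanCan does. A guest's nil id
  # never matches, so a guest owns nothing (assumption of this stand-in).
  def can?(action, subject)
    @rules.any? do |rule|
      next false unless rule.actions.include?(action) || rule.actions.include?(:manage)
      next false unless rule.subject == :all || subject == rule.subject || subject.is_a?(rule.subject)
      next true if subject.is_a?(Class)
      rule.conditions.all? { |attr, value| !value.nil? && subject.public_send(attr) == value }
    end
  end
end

# Server-side enforcement: raises for a forged edit/destroy request even though
# the view never rendered a link for it (CanCanCan's authorize! does the same).
class AccessDenied < StandardError; end

def authorize!(user, action, subject)
  raise AccessDenied, "#{action} on #{subject.class}" unless Ability.new(user).can?(action, subject)
  true
end
```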
Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original URL. For any questions contact: yoyou2525@163.com.