[英]CanCanCan: :read ability, but can update and create
我在名稱空間中有嵌套資源
namespace :myns do
resources :dashboards do
resources :advertisements
end
end
我向應用程序控制器添加了check_authorization,並配置了控制器
class Myns::DashboardsController < ApplicationController
load_and_authorize_resource :myns_dashboard, class: Myns::Dashboard
end
class Myns::AdvertisementsController < ApplicationController
load_and_authorize_resource :myns_dashboard, class: Myns::Dashboard
load_and_authorize_resource :myns_advertisement, class: Myns::Advertisement, :through => :myns_dashboard
技能類別為:
class Ability
include CanCan::Ability
def initialize(user, dashboard_id)
user ||= User.new # guest user (not logged in)
can :show, Myns::Dashboard, id: dashboard_id
can :read, Myns::Advertisement, :myns_dashboard => { :id => dashboard_id }
end
end
當我在控制台中為用戶加載功能並詢問該用戶是否可以更新ID為6的廣告時,它說“否”
user = User.first
ability = Ability.new(user, 1)
advertisement = Myns::Advertisement.find 6
ability.can? :update, advertisement
=> false
但是,當我打開瀏覽器時,以ID為1的用戶身份登錄並直接瀏覽到http:// localhost / myns / dashboards / 1 / advertisements / 6 / edit ,該站點顯示無任何錯誤。 我可以編輯字段並提交更改,它們將保存在數據庫中。
我還可以打開http:// localhost / myns / dashboards / 1 / advertisements / new並創建新的數據集。
所以很明顯,我忽略了一些東西……什么?
您是否在ApplicationController中重寫current_ability以便將第二個參數提供給Ability構造函數? 我不確定服務器版本如何獲得與控制台示例顯示的信息相同的信息。
如果用戶可以管理組,CanCanCan 能夠創建邀請資源
[英]CanCanCan ability to create Invite resource if User can manage Group
如果能力類(CanCanCan)中的cannot:manage,Post為什么用戶可以創建帖子?
[英]Why can user create posts if `cannot :manage, Post` in Ability class (CanCanCan)?
如何編寫用戶只能讀取其數據的CanCanCan Ability?
[英]How to write CanCanCan Ability for user to read only their data?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.