Pet*_*xey 4 ruby-on-rails cancan
我有一个嵌套资源,我正在使用 Cancan 对其进行授权。我需要能够访问父对象才能授权子对象的:index操作(因为没有为:index操作传递子实例)。
# memberships_controller.rb
class MembershipsController < ApplicationController
...
load_and_authorize_resource :org
load_and_authorize_resource :membership, through: :org
..
end
能力.rb
can [:read, :write], Membership do |membership|
membership.org.has_member? user
end
不幸的是,索引操作没有任何关联的成员资格实例,因此您无法通过备份来检查权限。
为了检查权限,我需要询问父对象(组织)并询问它当前用户是否是成员,例如
# ability.rb
...
can :index, Membership, org: { self.has_member? user }
Cancan 声明您可以使用以下机制访问父母的属性:https : //github.com/ryanb/cancan/wiki/Nested-Resources#wiki-accessing-parent-in-ability
# in Ability
can :manage, Task, :project => { :user_id => user.id }
然而,这只是通过比较对我的情况不起作用的属性来工作。
有没有办法在权限内访问父对象本身?
我最近遇到了同样的问题,结果如下(假设你有Org模型):
class MembershipsController < ApplicationController
before_action :set_org, only: [:index, :new, :create] # if shallow nesting is enabled (see link at the bottom)
before_action :authorize_org, only: :index
load_and_authorize_resource except: :index
# GET orgs/1/memberships
def index
@memberships = @org.memberships
end
# ...
private
def set_org
@org = Org.find(params[:org_id])
end
def authorize_org
authorize! :access_memberships, @org
end
end
能力.rb:
can :access_memberships, Org do |org|
org.has_member? user
end
https://github.com/ryanb/cancan/issues/301
http://guides.rubyonrails.org/routing.html#shallow-nesting