mar*_*ion 5 ruby-on-rails cancan ruby-on-rails-4 cancancan
I'm a bit confused about how to configure CanCanCan correctly.
For starters, do I have to add load_and_authorize_resource to every controller resource I want to restrict access to?
Here is what I'm trying to do.
This is what my ability.rb looks like:
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    # Admin
    if user.has_role? :admin
      can :manage, :all
      can :manage, :newsroom
    # Editor
    elsif user.has_role? :editor
      can :read, :all
      can :manage, :newsroom
      can :manage, Post
    # Member
    elsif user.has_role? :member
      can :read, :all
      can :create, Post
      can :status, Post
      can :update, Post do |post|
        post.try(:user) == user
      end
    # Guest
    else
      can :read, :all
      can :create, Post
      can :status, Post
    end
  end
end
In my routes.rb I have this:
authenticate :user, lambda { |u| u.has_role? :admin or :editor } do
  get 'newsroom', to: 'newsroom#index', as: "newsroom"
  get 'newsroom/published', to: 'newsroom#published'
  get 'newsroom/unpublished', to: 'newsroom#unpublished'
end
However, when I log in with a user that has not been assigned any role (i.e. one I want to be a "guest"), they can access the newsroom.
When I try to edit a post with the role :member, it gives me a "Not authorized to edit post" error (which is correct).
I just can't lock down the Newsroom completely, and I don't know why.
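One check worth running on the routes constraint from the question before touching the abilities at all. This is an added example, not code from the question or the answers, and it only simulates the yes/no decision that a Devise `authenticate :user, lambda { ... }` block makes; the `User` struct and the role list are constructed here. The point it shows: as written, `u.has_role? :admin or :editor` is parsed by Ruby as `(u.has_role?(:admin)) or :editor`, and a bare symbol is always truthy, so the lambda lets every signed-in user through, role or not.

```ruby
# Stand-in for the user object in the question: has_role? over a role list.
# Constructed for this example; it is not rolify or Devise code.
User = Struct.new(:roles) do
  def has_role?(role)
    roles.include?(role)
  end
end

# The constraint exactly as written in the question's routes.rb. Ruby parses
# `u.has_role? :admin or :editor` as `(u.has_role?(:admin)) or :editor`, and
# the bare symbol :editor is always truthy, so this lambda never returns false.
AS_WRITTEN = lambda { |u| u.has_role? :admin or :editor }

# What the constraint was meant to express: the user holds either role.
INTENDED = lambda { |u| u.has_role?(:admin) || u.has_role?(:editor) }

# Models the decision Devise's `authenticate :user, lambda { ... }` makes for
# the routes inside its block: reachable only when someone is signed in AND
# the lambda returns a truthy value. (Simulation of the outcome, not Devise.)
def newsroom_reachable?(current_user, constraint)
  return false if current_user.nil? # not signed in at all
  !!constraint.call(current_user)
end

# Constructed users. "guest" mirrors the question: signed in, no roles assigned.
USERS = {
  guest:  User.new([]),
  member: User.new([:member]),
  editor: User.new([:editor]),
  admin:  User.new([:admin])
}.freeze

# Which signed-in users can reach the newsroom routes under a given constraint.
def reachability(constraint)
  USERS.transform_values { |u| newsroom_reachable?(u, constraint) }
end

if __FILE__ == $PROGRAM_NAME
  p reachability(AS_WRITTEN) # every signed-in user gets through
  p reachability(INTENDED)   # only editor and admin
end
```

Even with the constraint corrected, the route constraint is only a coarse gate: the controller still needs `authorize!` (or `authorize_resource`) so that the decision is made by the abilities rather than by routing alone.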
You don't need to use load_and_authorize_resource in every controller. It's a convenience macro that does two things. First, it assigns to an instance variable the record it assumes the current controller and action want. Then it authorizes that resource. For some controller actions the first step may be wrong, so you want to load the resource yourself and then authorize it manually. An example from the Railscasts episode on CanCan looks like this:
def edit
  @article = Article.find(params[:id])
  unauthorized! if cannot? :edit, @article # older CanCan API from the Railscast; authorize! is shown below
end
You can also do it the way the example for authorizing controllers on the CanCan wiki does:
def show
  @project = Project.find(params[:project])
  authorize! :show, @project
end
Or you can use authorize_resource on its own and take care of loading the record yourself. In the end you have to make sure CanCan is actually used for authorization in some way (the controller macro or a call in each action). As for your abilities, I think you want something like this:
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    # Admin
    if user.has_role? :admin
      can :manage, :all
    # Editor
    elsif user.has_role? :editor
      can :read, :all
      can :manage, :newsroom
      can :manage, Post
    # Member
    elsif user.has_role? :member
      can :read, :all
      can :create, Post
      can :status, Post
      can :update, Post do |post|
        post.try(:user) == user
      end
    # Guest
    else
      can :read, :all
      cannot [:index, :published, :unpublished], :newsroom
    end
  end
end
And here is an example of how you could authorize your newsroom:
class ToolsController < ApplicationController
  authorize_resource :class => false

  def show
    # automatically calls authorize!(:show, :tool)
  end
end
A final personal note on CanCan: I wouldn't recommend it for new projects, since it is no longer actively maintained, and I find it a bit counter-intuitive when defining abilities. That said, CanCan is one of the best-documented gems I've worked with; the wiki in particular has a wealth of examples and explanations.
For what it's worth, I had to set up my NewsroomController like this:
class NewsroomController < ApplicationController
  authorize_resource :class => false # calls authorize!(action_name, :newsroom)
end
This is what my working version of ability.rb looks like after applying the permissions I need:
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    # Roles
    # Admin
    if user.has_role? :admin
      can :manage, :all
    # Editor
    elsif user.has_role? :editor
      can :manage, :newsroom
      can :manage, Post
    # Member
    elsif user.has_role? :member
      can [:read, :create, :status], Post
      can :update, Post do |post|
        post.try(:user) == user
      end
    # Guest
    else
      can [:read, :status], Post
    end
  end
end
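The two ability definitions on this page (the one proposed in the answer and the one the asker reported as working) differ in a way that is easy to miss by reading alone, so here is an added example that evaluates both the way CanCan would. This is not code from the page or from the cancancan gem: `MiniAbility` is a small constructed stand-in for `CanCan::Ability` that models only what these rules rely on (the `:manage` and `:read` aliases, the `:all` subject, symbol subjects such as `:newsroom`, class subjects, per-instance blocks, and "last matching rule wins" precedence), and the `User` and `Post` structs are constructed too. It checks `can?(:index, :newsroom)` per role, which is what `authorize_resource :class => false` ends up asking for the newsroom index, plus the post-ownership rule. Note what it reveals about the answer's version: the `cannot` only exists in the guest branch, so a member still reaches the newsroom through `can :read, :all`; the asker's final version drops the `:all` grant and closes that gap.

```ruby
# Minimal stand-in for CanCan::Ability so the rules below can run offline.
# Constructed for this example; it is not the cancancan gem.
module MiniAbility
  ALIASES = { read: [:index, :show] }.freeze # :manage matches every action
  Rule = Struct.new(:allow, :actions, :subjects, :block)

  def rules; @rules ||= []; end
  def can(actions, subjects, &block);    rules << Rule.new(true,  Array(actions), Array(subjects), block); end
  def cannot(actions, subjects, &block); rules << Rule.new(false, Array(actions), Array(subjects), block); end

  # The last matching rule decides, so a later `cannot` overrides an earlier `can`.
  def can?(action, subject)
    rule = rules.reverse.find { |r| matches?(r, action, subject) }
    rule ? rule.allow : false
  end

  private

  def matches?(rule, action, subject)
    action_ok  = rule.actions.any? { |a| a == :manage || a == action || ALIASES.fetch(a, []).include?(action) }
    subject_ok = rule.subjects.any? { |s| s == :all || s == subject || (s.is_a?(Class) && subject.is_a?(s)) }
    instance   = !(subject.is_a?(Class) || subject.is_a?(Symbol))
    # Blocks are only consulted for concrete instances, as in CanCan.
    action_ok && subject_ok && (rule.block.nil? || !instance || rule.block.call(subject))
  end
end

# Constructed stand-ins for the app's models.
User = Struct.new(:id, :roles) do
  def has_role?(role)
    roles.include?(role)
  end
end
Post = Struct.new(:user)

# The ability proposed in the answer.
class SuggestedAbility
  include MiniAbility
  def initialize(user)
    user ||= User.new(nil, [])
    if user.has_role? :admin
      can :manage, :all
    elsif user.has_role? :editor
      can :read, :all
      can :manage, :newsroom
      can :manage, Post
    elsif user.has_role? :member
      can :read, :all
      can [:create, :status], Post
      can :update, Post do |post|
        post.user == user
      end
    else
      can :read, :all
      cannot [:index, :published, :unpublished], :newsroom
    end
  end
end

# The version the asker reported as working.
class FinalAbility
  include MiniAbility
  def initialize(user)
    user ||= User.new(nil, [])
    if user.has_role? :admin
      can :manage, :all
    elsif user.has_role? :editor
      can :manage, :newsroom
      can :manage, Post
    elsif user.has_role? :member
      can [:read, :create, :status], Post
      can :update, Post do |post|
        post.user == user
      end
    else
      can [:read, :status], Post
    end
  end
end

ROLES = { guest: nil, member: User.new(1, [:member]),
          editor: User.new(2, [:editor]), admin: User.new(3, [:admin]) }.freeze

# Which roles may reach the newsroom index under a given ability class.
def newsroom_matrix(ability_class)
  ROLES.transform_values { |u| ability_class.new(u).can?(:index, :newsroom) }
end

def can_update_post?(ability_class, user, post)
  ability_class.new(user).can?(:update, post)
end

if __FILE__ == $PROGRAM_NAME
  p newsroom_matrix(SuggestedAbility) # member is still let in via `can :read, :all`
  p newsroom_matrix(FinalAbility)
end
```

A per-role table like `newsroom_matrix` is a cheap regression check to keep next to an Ability class: broad grants such as `can :read, :all` silently cover every symbol subject you add later, so every new `authorize_resource :class => false` controller should get a row in it.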
Views: 8371