leo*_*nel 6 ruby ruby-on-rails cancan activeadmin
我设置了属于客户类的admin_users(客户是公司).所以客户有很多admin_users.
我正在尝试限制对属于某个客户的货件记录的访问权限.我不希望客户观看其他客户的数据.所以我设置了它,但似乎什么也没做......
课程能力包括CanCan :: Ability
def initialize(user)
user ||= AdminUser.new
if user.role == "administrator"
can :manage, :all
else
cannot :create, :all
cannot :update, :all
cannot :destroy, :all
can :read, Shipment do |shipment|
shipment.customer == user.customer
end
end
end
end
我确实在shipping.rb中有这个...
ActiveAdmin.register Shipment do
menu :if => proc{ can?(:read, Shipment) }, :priority => 1
controller.authorize_resource
index do
column "File #", :sortable => :file_number do |shipment|
link_to shipment.file_number, admin_shipment_path(shipment)
end
[... more columns ...]
default_actions if can? :manage, Shipment
end
show :title => :file_number do
panel "Shipment Details" do
attributes_table_for shipment do
row("File number") {shipment.file_number}
row("Mode") {shipment.mode}
row("Ocean Rate") { number_to_currency shipment.ocean_rate}
row("Customer") { link_to shipment.customer.company_name, admin_customer_path(shipment.customer)}
row("Shipper") { link_to shipment.shipper.company_name, admin_shipper_path(shipment.shipper)}
row("Broker") { link_to shipment.broker.company_name, admin_broker_path(shipment.broker)}
end
end
[...more show action stuff...]
因此,在索引页面中,所有货件都会显示出来,如果我以客户A身份登录并单击客户B的货件,我可以看到它,但它应该阻止我.
更多信息...
shipments_controller.rb
class ShipmentsController < InheritedResources::Base
before_filter :authenticate_admin_user!
end
我不知道为什么它不起作用,但can? :read, Shipment不会查找can :read, Shipment do |shipment| ....
要验证此权限,您必须指定 Shipment 的特定实例,如下所示can :read, @shipment。
menu :if => ...在呼叫您的线路之前,您需要找到一种方法来获取所访问的货件的实例。
您是否尝试使用controller.load_and_authorize_resource而不是仅authorize_resource?
| 归档时间: |
|
| 查看次数: |
3711 次 |
| 最近记录: |