用户模型声明式授权“if_attribute”问题

发布于 2024-09-03 02:26:22 字数 1176 浏览 13 评论 0原文

我正在使用 authlogic (2.1.3) 和 declarative_authorization (0.4.1) 来控制对我的应用程序的访问。

所有授权均按预期工作,除了分配有编辑者角色的用户无法更改其(由 authlogic 提供的 current_user)配置文件设置(用户模型的一部分)之外。

“来宾”角色按预期工作,“管理员”角色也是如此。

我正在使用已分配编辑者角色的用户(名为“bob”)。在数据库和 IRB 会话中进行验证。

authorization_rules.rb文件的相关内容:

  role :guest do

    # allow anonymous 'user' to create an account
    has_permission_on :users, :to => [:new, :create]

    # allow anonymous 'user' 'read-only' actions
    has_permission_on :users, :to => [:index, :show]

  end

  role :editor do

    # allow authenticated User to see other users
    has_permission_on :users, :to => [:index, :show]

    # allow authenticated User to update profile; doesn't work
    has_permission_on :user, :to => [:edit, :update] do
       if_attribute :user => is { user }
    end

  end

  role :administrator do

    # 'full control'    
    has_permission_on :users, :to => [:index, :show, :new, :create, :edit, :update, :destroy]

  end

我认为问题与if_attribute :user =>有关{用户}。 if_attribute 似乎表明 :user 应该是正在测试的事物的属性(或属性),在本例中是用户模型,而不是事物本身。我寻找 if_self 方法或类似的方法,但我没有看到任何东西。

感谢帮助。

I am using authlogic (2.1.3) and declarative_authorization (0.4.1) to control access to my application.

All of the authorization works as expected except user's that are assigned the Editor role can't change their (the current_user supplied by authlogic) profile settings (a part of the User model).

The 'Guest' role works as expects, as does the 'Administrator'.

I am using a User (named 'bob') that has been assigned the Editor role. Verified in the database and in an IRB session.

Relevant contents of authorization_rules.rb file:

  role :guest do

    # allow anonymous 'user' to create an account
    has_permission_on :users, :to => [:new, :create]

    # allow anonymous 'user' 'read-only' actions
    has_permission_on :users, :to => [:index, :show]

  end

  role :editor do

    # allow authenticated User to see other users
    has_permission_on :users, :to => [:index, :show]

    # allow authenticated User to update profile; doesn't work
    has_permission_on :user, :to => [:edit, :update] do
       if_attribute :user => is { user }
    end

  end

  role :administrator do

    # 'full control'    
    has_permission_on :users, :to => [:index, :show, :new, :create, :edit, :update, :destroy]

  end

I believe that the problem relates to the if_attribute :user => { user }. if_attribute seems to suggest that the :user should be an attribute (or property) of the thing being tests, in this case a User model, rather than being the thing itself. I looked for an if_self method or something similar, but I didn't see anything.

Help is appreciated.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

夜吻♂芭芘 2024-09-10 02:26:22

找到了解决方案;正如我怀疑的那样,它确实与 if_attribute 方法有关。正确的角色设置是:

role :editor do

  # allow authenticated user to see other users
  has_permission_on :users, :to => [:index, :show]

  # allow authenticated user to update profile
  has_permission_on :users, :to => [:edit,:update] do
    if_attribute :id => is { user.id }
  end

end

Found the solution; it did related to the if_attribute method as I suspected. The correct role setting is:

role :editor do

  # allow authenticated user to see other users
  has_permission_on :users, :to => [:index, :show]

  # allow authenticated user to update profile
  has_permission_on :users, :to => [:edit,:update] do
    if_attribute :id => is { user.id }
  end

end
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文