Rails User -> Roles -> Permissions setup

Posted on 2024-10-17 06:27:48

I'm working on a roles/permissions setup but can't seem to get it working as intended.

class User < ActiveRecord::Base
    has_and_belongs_to_many :roles, :join_table => "users_roles"
    # The association in question: user.permissions does not work
    has_many :permissions, :through => :roles
end

class Role < ActiveRecord::Base
    has_and_belongs_to_many :users
    has_and_belongs_to_many :permissions, :join_table => "roles_permissions"
end

class Permission < ActiveRecord::Base
    has_and_belongs_to_many :roles
end

What I would like is to be able to access Roles and Permissions directly from my user object (user.roles, user.permissions).

user.roles is working, but I can't seem to get user.permissions to work. Is there anyone who can help me out?

Another approach would be to use plugins like Devise + CanCan. I do however have some concerns about using plugins for things as essential as authentication and authorization - what happens if they get discontinued? Anyone who has a view on this?

Thanks!

Comments (2)

給妳壹絲溫柔 2024-10-24 06:27:48

CanCan is for authorization. Authlogic and Devise are for authentication. Authorization and authentication are two different but usually related facets of a web application.

I have a feeling that you cannot use has_many :through to reference a has_and_belongs_to_many association. I think a has_many :through must reference a has_many association. I couldn't find any definitive info though. Maybe someone else knows?

I never roll my own authentication because Devise and Authlogic both do the job very well and are easy to extend (Devise especially). Best practices for secure hashing are built in. OpenID and Facebook authentication are simple add-ons. Why re-invent the wheel? Worst case they go unsupported sometime in the future. To me that's no big deal because I still have the source code so I had nothing to lose and everything to gain.

If you don't need your permissions to be dynamic I would hard code your permissions (aka the actions that users in certain roles can perform) into the CanCan abilities file. You probably don't need a database table for roles either, unless there is additional metadata you want to store. I recommend avoiding has_and_belongs_to_many associations because most applications will eventually require additional data be associated with the joining table. This would be one solution to consider. There are simpler and more complex ways to accomplish the same thing.

class User < ActiveRecord::Base
  # Roles are reached through the RoleAssignment join model
  has_many :role_assignments
  has_many :roles, :through => :role_assignments
end

class RoleAssignment < ActiveRecord::Base
  belongs_to :user
  belongs_to :role
end

class Role < ActiveRecord::Base
  has_many :role_assignments
  has_many :users, :through => :role_assignments
end

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.roles.include? Role.find_by_name('admin')
      can :manage, :all
    else
      can :read, :all
    end
  end
end

放血 2024-10-24 06:27:48

I think you'd be better off using CanCan to achieve authentications with roles etc.

But if you still want to access "permissions" from user model, I am guessing you can do it like this in the User model:

def permissions
  # Join permissions -> roles -> users and keep the rows for this user
  Permission.find(:all, :joins => {:roles => :users}, :conditions => ["users.id = ?", self.id])
end

Haven't tested though.

You should check this out too.
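
An added example, not part of either answer and not CanCan's own code: a plain-Ruby sketch (no Rails) of what `user.permissions` is meant to return in the question, the de-duplicated union of permissions across the user's roles, feeding a default-deny check shaped like the first answer's `Ability`. The `Permission`/`Role` structs, the sample roles and the `:manage`/`:all` wildcard handling are assumptions made for illustration.

```ruby
# Plain-Ruby stand-ins for the page's models (hypothetical; no Rails, no CanCan).
Permission = Struct.new(:action, :subject)   # e.g. (:read, :article)
Role       = Struct.new(:name, :permissions)

class User
  attr_reader :roles

  def initialize(roles = [])
    @roles = roles
  end

  # What user.permissions should yield: the union of the permissions of
  # every role the user holds, with overlaps between roles removed.
  def permissions
    roles.flat_map(&:permissions).uniq
  end
end

# Default-deny check: nothing is allowed unless a permission matches.
# :manage matches any action and :all matches any subject.
class Ability
  def initialize(user)
    user ||= User.new   # guest: no roles, so no permissions at all
    @rules = user.permissions
  end

  def can?(action, subject)
    @rules.any? do |p|
      [:manage, action].include?(p.action) && [:all, subject].include?(p.subject)
    end
  end
end

# Constructed sample data.
READ_ALL   = Permission.new(:read, :all)
EDIT_POSTS = Permission.new(:update, :article)
MANAGE_ALL = Permission.new(:manage, :all)

reader = Role.new("reader", [READ_ALL])
editor = Role.new("editor", [READ_ALL, EDIT_POSTS])
admin  = Role.new("admin",  [MANAGE_ALL])

ALICE = User.new([reader, editor])   # two roles with an overlapping permission
ROOT  = User.new([admin])
```

Unlike the `else` branch in the first answer, a guest here is granted nothing; read access has to come from a role.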
