我用Devise和CanCan成功制作了登录系统,我有3种类型的用户。管理员、内部和全局用户。我创建了控制器和索引操作:Admin、Cpanel、Report 和 State,并且我想限制某些用户对此控制器的访问。
管理员用户应具有访问权限:报告(全部)、状态(读取)、管理员(全部)
全局用户应具有访问权限:报告(仅读取)、状态(读取)、Cpanel(全部)
内部用户应该具有访问权限:报告(全部)、状态(读取)
我尝试使用下列代码来执行此操作:ability.rs< /strong>:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.role? :admin
can :manage, [Report, Admin]
can :read, State
elsif user.role? :global_user
can :read, [Report, State]
can :manage, Cpanel
elsif user.role? :internal_user
can :manage, Report
can :read, State
end
end
end
此时我在此控制器中只有索引操作,当我使用内部用户登录应用程序时,我可以访问 /admin,但这不是我想要的行为。我想限制对所有控制器的访问,而不是能力.rb 类中列出的控制器。
源代码在这里
I successfully made login system with Devise and CanCan, and I have 3 types of users. Admin, internal and global users. I created Controllers and index actions: Admin, Cpanel, Report and State, and I want to restrict access to this controllers for some users.
Admin user should have privilegies to access: Reports(all), State (read), Admin (all)
Global user should have privilegies to access: Reports(only read), State(read), Cpanel(all)
Internal user should have privilegies to access: Reports(all), State (read)
And I tried to do this with following code in ability.rs:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.role? :admin
can :manage, [Report, Admin]
can :read, State
elsif user.role? :global_user
can :read, [Report, State]
can :manage, Cpanel
elsif user.role? :internal_user
can :manage, Report
can :read, State
end
end
end
At this time I have only index actions in this controllers, and when I login to app with internal user I CAN access to /admin for example, and that is not behavior that I want. I want to restrict access to all controllers instead of controllers listed in ability.rb class.
Source code is here
发布评论
评论(3)
如果我要阻止对整个控制器的访问,我会创建一个 before 过滤器,如果用户没有管理员角色,则将用户重定向到访问被拒绝的页面。可能看起来像这样:
例如,如果我只是想阻止对更新和创建的访问,我会这样做:
您可以在应用程序控制器中处理
CanCan::AccessDenied异常:我有一些非常好的关于 CanCan 和 Devise 的帖子 此处 和 此处
更新
我在应用程序控制器中使用此方法来设置当前的用户变量:
If I were going to prevent access to an entire controller, I would make a before filter that redirects the user to an access denied page if he does not have the admin role. Might look something like:
If I just wanted to prevent access to update and create, for example, I would do:
You can handle the
CanCan::AccessDeniedexception in your application controller:I have some pretty good posts about CanCan and Devise here and here
UPDATE
I use this method in my application controller to set my current user variable:
您需要向控制器添加对 cancan 授权的检查。
这可能只是
向状态控制器索引操作添加一行,对于所有其他索引操作也类似。
编辑:
抱歉,在状态控制器索引操作中,您可能没有 @state,因此上述内容不适用。可能类似
还有一个
load_and_authorize方法,您可以使用它来组合控制器中多个操作的授权并减少代码。 类似load_and_authorize版本可能与load_and_authorize_resource :state,它应该位于您的操作之前。
您可能需要查看railscast on cancan 授权以获得完整的基本设置(在 Rails2) 中。
我怀疑要解决其他问题,我们可能需要查看更多代码。尝试发布一些控制器代码。
我没有在rails3中使用过这个,但我认为它的大部分或多或少都是相似的。
You need to add checks for the cancan authorization to your controllers.
This might be just adding a line like
to your state controller index action, and similarly for all the other index actions.
EDIT:
Sorry, in a state controller index action, you likely don't have @state, so the above wouldn't apply. Possibly something like
There is also a
load_and_authorizemethod that you can use to combine authorization for multiple actions in a controller and reduce your code. Theload_and_authorizeversion is likely to look similar toload_and_authorize_resource :state
and it should be before your actions.
You might want to look at this railscast on cancan authorization for a complete basic setup (in rails2).
I suspect to clear up other problems, we might need to see some more code. Try posting some of your controller code.
I haven't used this in rails3, but I assume most of it remains more or less similar.
我解决了这个问题
,但是,请注意,我必须将
@current_user更改为current_user(不带@)谢谢托尼
I solved this problem with
but, note that I must to change
@current_usertocurrent_user(without @)Thanks Tony