CanCan :read 和 [:index, :show] 之间的区别吗?
根据所有文档, :read 操作是 :index 和 :show 的别名:
alias_action :index, show, :to => :read
但是,请考虑以下具有嵌套资源的场景:
resources :posts
resources :comments
end
如果我这样定义能力:
# ability.rb
can :read, Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
事情按预期进行。但是,如果我将 :read 操作更改为 [:index, :show]:
# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
我无权访问 /posts/:post_id/comments、/posts /:post_id/comments/:id 等。但是,我仍然可以访问 posts_controller 的 :index 和 :show代码>.
如果这些行为的行为不同,它们怎么可能是“别名”呢?
在我的摆弄中,我还遇到了以下情况。将 load_and_authorize_resource 更改为以下允许的访问权限:
# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load__resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
有人可以解释一下这里发生了什么吗?
According to all documentation, the :read action is aliased to both :index and :show:
alias_action :index, show, :to => :read
However, consider the following scenario with nested resources:
resources :posts
resources :comments
end
If I define abilities like this:
# ability.rb
can :read, Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
things work as expected. However, if I change the :read action to [:index, :show]:
# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
I am unauthorized to access /posts/:post_id/comments, /posts/:post_id/comments/:id, etc. I still, however, can access both :index and :show for the posts_controller.
How is possible that these actions are "aliased", if they behave differently?
In my fiddling, I also came across the following. Changing load_and_authorize_resource to the following allowed access:
# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load__resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
Can someone explain what's going on here?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我将此作为问题发布在 GitHub 上。瑞安回应如下:
https://github.com/ryanb/cancan/issues/302#comment_863142
I posted this as an issue on GitHub. Ryan responded with the following:
https://github.com/ryanb/cancan/issues/302#comment_863142