Inherited Resources and CanCan 3-level nesting
I have a problem with 3-level nesting of models in CanCan combined with Inherited Resources. I've read that we should nest everything up to 2 levels, but I had to put everything under the account model, and now I've tried doing this in CanCan:

load_and_authorize_resource :account
load_and_authorize_resource :project, :through => :account
load_and_authorize_resource :model, :through => :project

That gives me an @account variable that has the value of @project, as if it is overwriting it. @project is what it is supposed to be, and @model too. Is that my fault, CanCan's, Inherited Resources', or does CanCan just not support 3-level nesting? Also, I do this in IR for the ModelsController:

belongs_to :account, :finder => :find_by_name! do
  belongs_to :project, :finder => :find_by_name!
end

Another strange thing is when I remove the load_and_ part from CanCan's definition. It works then, but I've read that it can be dangerous not to use the load part.

Can I use only authorize_resource, or should I do something with CanCan?
1 answer
Your authorizations are correct, as far as I can tell.

The developer of the CanCan gem, ryan, posted how this should behave: https://github.com/ryanb/cancan/issues/127#issuecomment-364475

That means that your
will end up in a block like this (here: the create action; for other actions the last authorize! and the @model should change):

I hope that this answer can help developers looking for nested cancan authorization :-).

Source: https://github.com/ryanb/cancan/issues/127#issuecomment-364475

PS: wrong behavior for /accounts/1/projects/2/models/new:

This is kind of a security issue, because this will do

@project = Project.find(params[:project_id])
[...]

and does not check if the current account is allowed to read the linked account '1'.
And it does not check if the project '2' is really a project of account '1'.
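To make the difference described in the PS above concrete, here is an added example. It is not part of the question, the answer, or the CanCan gem: plain Ruby stand-ins for Account, Project and Model, a simplified Ability, and two loaders. `load_unscoped` does what the PS warns about (`Project.find(params[:project_id])` with no reference to the account in the URL), while `load_through` spells out what `load_and_authorize_resource ... :through => :parent` does at each level. The fixture data, the user names and the Ability rules are constructed assumptions, not anything from the thread.

```ruby
# Added example, not code from the question, the answer or the CanCan gem.
# Simulates the two ways of loading the resources named by
# /accounts/:account_id/projects/:project_id/models/:id
# and shows what each one actually verifies.

Account = Struct.new(:id, :owner)
Project = Struct.new(:id, :account_id)
Model   = Struct.new(:id, :project_id)
User    = Struct.new(:name)

# Constructed fixture (assumption): alice owns account 1 (project 2, model 10),
# bob owns account 2 (project 3, model 11).
ACCOUNTS = [Account.new(1, "alice"), Account.new(2, "bob")].freeze
PROJECTS = [Project.new(2, 1), Project.new(3, 2)].freeze
MODELS   = [Model.new(10, 2), Model.new(11, 3)].freeze

class NotFound < StandardError; end
class AccessDenied < StandardError; end

# Mimics ActiveRecord's find: raise when nothing in the collection matches.
def find!(records, id)
  records.find { |r| r.id == id.to_i } or raise NotFound, "no record with id #{id}"
end

# Simplified, constructed Ability. The account is the tenant boundary;
# Project and Model are granted unconditionally, i.e. this ability relies on
# the nesting chain above having been verified, which is exactly the
# situation in which scoping the load through the parent matters.
class Ability
  def initialize(user)
    @user = user
  end

  def can?(_action, subject)
    case subject
    when Account then subject.owner == @user.name
    when Project, Model then true
    else false
    end
  end

  # Returns the subject on success so loaders can chain it.
  def authorize!(action, subject)
    return subject if can?(action, subject)
    raise AccessDenied, "#{@user.name} may not #{action} #{subject.class} #{subject.id}"
  end
end

# The wrong behaviour from the PS: project and model are looked up by their
# own ids, so neither the account in the URL nor the project's membership in
# that account is ever examined.
def load_unscoped(user, params)
  ability = Ability.new(user)
  project = find!(PROJECTS, params[:project_id])   # @project = Project.find(params[:project_id])
  model   = find!(MODELS, params[:id])             # @model   = Model.find(params[:id])
  ability.authorize!(:read, model)
  { project: project, model: model }
end

# What the :through chain does, spelled out: each level is found inside the
# previous level's collection and authorized before the next level is touched.
def load_through(user, params)
  ability = Ability.new(user)
  account = ability.authorize!(:read, find!(ACCOUNTS, params[:account_id]))
  account_projects = PROJECTS.select { |p| p.account_id == account.id }  # @account.projects
  project = ability.authorize!(:read, find!(account_projects, params[:project_id]))
  project_models = MODELS.select { |m| m.project_id == project.id }      # @project.models
  model = ability.authorize!(:read, find!(project_models, params[:id]))
  { account: account, project: project, model: model }
end

if $PROGRAM_NAME == __FILE__
  bob = User.new("bob")
  # bob requests a URL under his own account but names alice's project and model.
  forged = { account_id: 2, project_id: 2, id: 10 }
  puts "unscoped load returned: #{load_unscoped(bob, forged)[:model].inspect}"
  begin
    load_through(bob, forged)
  rescue NotFound, AccessDenied => e
    puts "scoped load refused: #{e.class}: #{e.message}"
  end
end
```

Even with a tighter Ability that checks ownership on Project and Model as well, only the scoped load guarantees that the account, project and model named in one URL actually form a chain: the ability check sees records, not the URL.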