继承资源和 CanCan 3 级嵌套

发布于 2024-10-24 21:45:53 字数 772 浏览 5 评论 0原文

我在 CanCan 中结合继承资源进行 3 级模型嵌套时遇到问题。我读过我们应该将所有内容嵌套到 2 层,但我必须将所有内容都放在 account 模型下,现在我尝试在 CanCan 中执行此操作:

load_and_authorize_resource :account
load_and_authorize_resource :project, :through => :account
load_and_authorize_resource :model, :through => :project

这给了我 @account 变量,该变量具有@project 的值,就像它覆盖了它一样。 @project 是应该的,@model 也是如此。是我的错、CanCan 的错、继承资源的错还是 CanCan 不支持 3 层嵌套?另外,我在 IR 中为 ModelsController 执行此操作。

belongs_to :account, :finder => :find_by_name! do
  belongs_to :project, :finder => :find_by_name!
end

另一个奇怪的事情是当我从 CanCan 的定义中删除 load_and_ 部分时。然后它就可以工作了,但我读到不使用 load 部分可能会很危险。

我可以仅使用 authorize_resource 还是应该使用 CanCan 执行某些操作?

I have a problem with 3 levels nesting of models in CanCan combined with Inherited Resources. I've read that we should nest everything up to 2 levels, but I had to put everything under account model and now I've tried doing this in CanCan:

load_and_authorize_resource :account
load_and_authorize_resource :project, :through => :account
load_and_authorize_resource :model, :through => :project

That gives me @account variable that has a value of @project, like it is overwriting that. @project is what is supposed to be and @model too. Is that fault of mine, CanCan's, Inherited Resources or just CanCan isn't supporting 3 levels nesting? Also, I do this in IR for the ModelsController.

belongs_to :account, :finder => :find_by_name! do
  belongs_to :project, :finder => :find_by_name!
end

Another strange thing is when i remove the part load_and_ from CanCan's definition. It works then, but I've read that it can be dangerous not to use the load part.

Can I use only the authorize_resource or should I do something with CanCan?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

ま昔日黯然 2024-10-31 21:45:53

据我所知,您的授权是正确的。

CanCan gem 的开发者 ryan 发布了它的行为方式:https://github。 com/ryanb/cancan/issues/127#issuecomment-364475

这意味着您的

load_and_authorize_resource :account
load_and_authorize_resource :project, :through => :account
load_and_authorize_resource :model, :through => :project

意愿最终会出现在这样的块中(此处:创建操作。对于其他操作,最后一个应该是和 @model 更改):

@account = Account.find(params[:account_id])
authorize! :read, @account
@project = @account.projects.find(params[:project_id])
authorize! :read, @project
@model = @project.models.build
authorize! :new, @model

我希望这个答案可以帮助开发人员寻找嵌套的 cancan 授权:-)。

来源:https://github.com/ryanb/cancan/issues/127#issuecomment -364475


ps:/accounts/1/projects/2/models/new 的错误行为:

load_and_authorize_resource :project
load_and_authorize_resource :model, :through => :project

这是一种安全问题,因为这会导致

@project = Project.find(params[:project_id])
[...]

,并且不检查当前帐户是否允许读取链接帐户“1”。
并且它不会检查项目“2”是否确实是帐户“1”的项目。

Your authorizations have been correct as far as I can say.

The developer of the CanCan gem ryan posted how this should behave: https://github.com/ryanb/cancan/issues/127#issuecomment-364475

That means that your

load_and_authorize_resource :account
load_and_authorize_resource :project, :through => :account
load_and_authorize_resource :model, :through => :project

will end up in an block like this (here: create action. For other actions should the last authorize! and the @model change):

@account = Account.find(params[:account_id])
authorize! :read, @account
@project = @account.projects.find(params[:project_id])
authorize! :read, @project
@model = @project.models.build
authorize! :new, @model

I hope that this answer can help developers looking for nested cancan authorization :-) .

source: https://github.com/ryanb/cancan/issues/127#issuecomment-364475


ps: wrong behavior for /accounts/1/projects/2/models/new:

load_and_authorize_resource :project
load_and_authorize_resource :model, :through => :project

This is kind of a security issue, because this will do

@project = Project.find(params[:project_id])
[...]

, and does not check if the current account is allowed to read the linked account '1'.
And it does not check, if the project '2' is really a project of account '1'.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文