CanCan 嵌套资源控制器授权
在我的应用程序中,允许用户指定另一个用户作为他们的“客户经理”,并且客户经理将被允许修改所有用户信息。我定义了以下能力:
can :manage, User do |user|
user == current_user or user.account_manager == current_user
end
用户还拥有一些嵌套资源(例如:出版物)。我定义了以下功能:
can :manage, Publication do |publication, user|
publication.user == current_user or user == current_user or user.account_manager == current_user
end
在视图中我使用以下内容进行检查:可以吗? :更新,@publication,@user_we_are_accessing可以吗? :创建,Publication.new,@user_we_are_accessing。
到目前为止一切都很好。我的问题出在控制器上。在我的 PublicationsController 中我添加了:load_and_authorize_resource:用户
load_and_authorize_resource :publication, :through =>; :user
但是,这总是抛出 AccessDenied,因为发布检查没有将用户对象传递给能力(尝试检查能力中的用户对象显示 nil)。
我有什么想法可以实施这个吗?
tl;dr:使用 CanCan 授权对资源的访问。用户可以指定其他用户作为客户经理。用户有嵌套资源。问题:客户经理无法访问嵌套资源。
In my application, a user is allowed to assign another user as their "account manager" and the account manager would be allowed to modify all user info. I defined the following ability:
can :manage, User do |user|
user == current_user or user.account_manager == current_user
end
A user also has some nested resources (e.g: publications). I defined the following ability:
can :manage, Publication do |publication, user|
publication.user == current_user or user == current_user or user.account_manager == current_user
end
In the views I check using the following:can? :update, @publication, @user_we_are_accessingcan? :create, Publication.new, @user_we_are_accessing.
Everything works just fine so far. My problem is with the controller. In my PublicationsController I added:load_and_authorize_resource :userload_and_authorize_resource :publication, :through => :user
However this always throws AccessDenied, because the check for publication is not passing the user object to the ability (trying to inspect the user object in the ability shows nil).
Any ideas how I can go about implementing this?
tl;dr: Using CanCan to authorize access to resources. User can assign another user as account manager. User has nested resources. Problem: nested resource is not accessible by account manager.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我通过执行以下操作解决了这个问题:
1) 将
load_and_authorize_resource :publication替换为仅加载资源load_resource :publication2)在 load_resource 调用之后添加了一个
before_filter :authorize,并使用以下实现:这可行,但我希望有一种方法可以以设计方式解决这个问题,如果有这样的事情。感谢您的想法和反馈。
I solved this by doing the following:
1) replaced
load_and_authorize_resource :publicationwith just loading the resourceload_resource :publication2) Added a
before_filter :authorizeafter the load_resource call with the following implementaiton:This works, but I was hoping for a way that would solve this in the devise way, if there is such a thing. Thoughts and feedback are appreciated.