jquery ui 自动完成、rails3 和 CanCan 模型访问问题
我的 Rails 应用程序中有 CanCan 定义的各种角色。我最近实现了 jQuery UI 自动完成并且效果很好。问题是,当我提交表单时,模型中出现的 find_by_name 可以找到不属于 current_user 的记录。我的观点如下:
<strong><%= f.label :inventory_name, "Material" %></strong>
<%= f.text_field :inventory_name, :class => "inputbox" %><br>
我的 jQuery 看起来像:
jQuery("input[id$=_inventory_name]").autocomplete({
source: '/ajax/inventory',
minLength: 2
});
然后我有一个 ajax 控制器可以做正确的事情:
def inventory
inventory = Inventory.accessible_by(current_ability)
if params[:term]
like= "%".concat(params[:term].concat("%"))
names = inventory.where("name LIKE ?", like)
else
names = inventory
end
list = names.map {|u| Hash[ :id => u.id, :label => u.name, :name => u.name]}
render :json => list
end
但我的模型没有:
def inventory_name=(name)
inventory = Inventory.find_by_name(name)
if inventory
self.inventory_id = inventory.id
else
errors[:inventory_name] << "Invalid name entered"
end
end
def inventory_name
Inventory.find(inventory_id).name if inventory_id
end
find_by_name 将返回它找到的第一个匹配项,无论谁拥有它。理想情况下我想更改为:
inventory = Inventory.find_by_name(name)
但是
inventory = Inventory.accessible_by(current_ability).find_by_name(name)
这违反了 MVC 的原则,更不用说模型无法访问 current_ability、current_user 等。所以我的问题是,如何将此逻辑移至我可以访问这些内容的控制器中?我似乎无法理解它:(
I have various roles defined by CanCan in my rails application. I recently implemented jQuery UI autocomplete and it works well. The problem is that when I submit the form, the find_by_name that occurs in the model can find records that do not belong to the current_user. I have the following in my view:
<strong><%= f.label :inventory_name, "Material" %></strong>
<%= f.text_field :inventory_name, :class => "inputbox" %><br>
And my jQuery looks like:
jQuery("input[id$=_inventory_name]").autocomplete({
source: '/ajax/inventory',
minLength: 2
});
Then I have an ajax controller that does the right thing:
def inventory
inventory = Inventory.accessible_by(current_ability)
if params[:term]
like= "%".concat(params[:term].concat("%"))
names = inventory.where("name LIKE ?", like)
else
names = inventory
end
list = names.map {|u| Hash[ :id => u.id, :label => u.name, :name => u.name]}
render :json => list
end
But my model does not:
def inventory_name=(name)
inventory = Inventory.find_by_name(name)
if inventory
self.inventory_id = inventory.id
else
errors[:inventory_name] << "Invalid name entered"
end
end
def inventory_name
Inventory.find(inventory_id).name if inventory_id
end
find_by_name will return the first match it finds regardless of who owns it. Ideally I'd like to change:
inventory = Inventory.find_by_name(name)
to
inventory = Inventory.accessible_by(current_ability).find_by_name(name)
But that violates the principles of MVC not to mention the model has no access to current_ability, current_user or the like. So my question is, how to I move this logic into my controller where I have access to these things? I can't seem to wrap my head around it :(
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我认为您需要做的就是让控制器中的创建和更新操作检查
Inventory.accessible_by(current_ability)。I think all you need to do is make your create and update actions in your controller check
Inventory.accessible_by(current_ability).我最终需要一个前后过滤器:
...
我不确定这是否是最好的方法,但它有效。
I ended up needing both a before and after filter:
...
I'm not sure if it is the best way to do it, but it works.
我知道这已经很旧了,但我遇到了完全相同的问题,直到现在才被难住。我最终为其他人提供了一个更简单的解决方案。
在我的示例中, current_user 创建一个作业,并且该作业需要为其分配一个客户(也属于当前用户)。 jQuery UI 自动完成用于搜索客户,当然我只希望属于当前用户的客户可分配给正在创建的作业,与原始问题中的情况非常相似。我的最终解决方案只是将 user_id 的隐藏字段添加到新作业表单中,并在调用新操作时用 user_id 填充。
这样,在模型中,我们可以使用 self.user_id 获取 user_id (获取隐藏字段中的值),然后将其用作查找的搜索条件的一部分。为了便于阅读,我已将 self.user_id 分配给变量“user”。
就这么简单,现在除非搜索词(在本例中为:fullname)和 user_id 在 Customer 模型中匹配,否则不会返回结果,并且用户需要重试,即使记录具有相同的全名存在于具有不同 user_id 的 Customer 模型中,不会返回。
希望这有帮助。
编辑:记住将 user_id 添加到允许的参数中。
I know this is old but I had the exact same problem and was stumped until just now. I ended up with a much simpler solution for anyone else looking.
In my example the current_user creates a job, and that job needs a customer assigned to it (one also belonging to the current user). jQuery UI autocomplete is used to search customers, and of course I only want customers that belong to the current user to be assignable to the job being created, much the same as in the original question. My final solution was simply to add a hidden field for the user_id to the new job form, populated with the user_id when the new action is called.
This way in the model, we can grab the user_id with self.user_id (taking the value in the hidden field) and then use it as part of our search criteria for the lookup. I have assigned self.user_id to variable 'user' for readability.
Simple as that, now unless both the search term (in this case :fullname), and the user_id are a match in the Customer model, no result is returned and the user is required to try again, even if a record with the same fullname exists in the Customer model with a different user_id, it wont be returned.
Hope this helps.
Edit: Remember to add user_id to permitted params.