cancan: validating form values
Is there a way to authorize form elements with cancan? The code below has a select box for agencies, and it only lists the agencies which are accessible to the current user, but someone can edit the form and change the id of the agency; that way he can add a brand to another agency. Is there a way to restrict these types of things in cancan, and if not, how can I check the values?

Ability:

# agencies_as_admin must resolve to an id or a list of ids for this condition to match
can :read, Agency, :id => user.agencies_as_admin
can :create, Brand

Form:

<%= form_for(@brand) do |f| %>
  <%= f.label :name %><br />
  <%= f.text_field :name %>
  <%= f.label :agency_id %><br />
  <%# only agencies the current ability can :read are offered as options %>
  <%= f.collection_select :agency_id, Agency.accessible_by(current_ability), :id, :name %>
  <%= f.submit %>
<% end %>
Comments (1)
You won't be able to prevent users from intentionally sending unauthorized data to your application, so you will have to check the authorization in the update and create actions of the controller, before actually creating the brand resource. Something like
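The code the answer refers to is not preserved on this page. The following is an added example, not the answerer's code and not part of the original post: a standalone Ruby simulation of the server-side check, runnable without Rails or CanCan. The `Ability`, `BrandsController`, `AccessDenied` and the sample `Agency`/`Brand`/`User` structs are stand-ins written for this example; the comments give the equivalent CanCan calls. The key point is a `can :create, Brand, :agency_id => ids` rule checked against the built instance, which is what CanCan's `load_and_authorize_resource` does in a `create` action, so a forged `agency_id` from the select box is rejected regardless of what the form offered.

```ruby
# Added example (not from the original post): a standalone Ruby simulation of
# the server-side check the answer describes. It runs without Rails or CanCan;
# the comments give the equivalent CanCan calls.

# Constructed sample models standing in for ActiveRecord classes.
Agency = Struct.new(:id, :name)
Brand  = Struct.new(:name, :agency_id)
User   = Struct.new(:id, :agencies_as_admin)   # agencies_as_admin: array of Agency

class AccessDenied < StandardError; end         # stands in for CanCan::AccessDenied

# Minimal stand-in for a CanCan Ability. Rules are [action, class, conditions].
class Ability
  def initialize(user)
    @rules = []
    admin_ids = user.agencies_as_admin.map(&:id)
    # Same rules as in the question; :id must be a list of ids, not records.
    can :read, Agency, id: admin_ids
    # The missing rule: a Brand may only be created under an agency the user
    # administers. In CanCan: can :create, Brand, :agency_id => admin_ids
    can :create, Brand, agency_id: admin_ids
  end

  def can(action, klass, conditions = {})
    @rules << [action, klass, conditions]
  end

  # Mirrors CanCan's hash-condition matching: checking a class (can? :create, Brand)
  # ignores conditions; checking an instance compares each attribute with the
  # allowed value(s), so a tampered agency_id fails here.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule_action, rule_class, conditions|
      next false unless rule_action == action && rule_class == klass
      next true if subject.is_a?(Class)
      conditions.all? { |attr, allowed| Array(allowed).include?(subject.public_send(attr)) }
    end
  end

  def authorize!(action, subject)
    raise AccessDenied, "not authorized to #{action} #{subject.class}" unless can?(action, subject)
  end
end

# Stand-in for BrandsController#create. With CanCan, load_and_authorize_resource
# does the same thing: it builds @brand from params and calls
# authorize!(:create, @brand) on the instance, not just the class.
class BrandsController
  def initialize(current_user, store)
    @ability = Ability.new(current_user)
    @store   = store                       # stands in for Brand.create / the DB
  end

  def create(params)
    # Form values arrive as strings; compare as integers so "2" matches id 2.
    # Integer() raises ArgumentError on non-numeric input (Rails would answer 400).
    brand = Brand.new(params[:name], Integer(params[:agency_id]))
    @ability.authorize!(:create, brand)   # rejects an agency_id outside admin_ids
    @store << brand
    brand
  end
end

# Constructed data: the user administers agencies 1 and 2 but not 3.
def sample_controller
  agencies = [Agency.new(1, "North"), Agency.new(2, "South"), Agency.new(3, "Other")]
  user  = User.new(42, agencies.first(2))
  store = []
  [BrandsController.new(user, store), store]
end

if __FILE__ == $0
  controller, store = sample_controller
  controller.create(name: "Legit", agency_id: "2")            # allowed
  begin
    controller.create(name: "Tampered", agency_id: "3")       # forged select value
  rescue AccessDenied => e
    puts "blocked: #{e.message}"
  end
  puts "brands stored: #{store.size}"                         # 1
end
```

The same logic applies to `update`: authorize the record with the submitted attributes applied before saving, otherwise a user can move an existing brand to an agency they do not administer. Filtering the select box with `accessible_by` is only a usability measure; the rule with conditions is what enforces it.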