【问题标题】:CanCan is not authorizing a controller action when it will work just fine with accessible_by当 CanCan 可以与 access_by 一起正常工作时,它没有授权控制器操作
【发布时间】:2012-11-09 01:45:18
【问题描述】:

过去几天我一直在与 CanCan 作斗争,需要一些帮助。我的用户应该能够访问他们或他们的团队成员创建的联系人。我为此设置了一项功能,它适用于收集数据(CanCan 将索引限制为只能通过“accessable_by”查看的联系人),但是当您单击联系人时,CanCan 会引发“未授权”错误。

我查看了 Contacts 表本身,可以验证 current_user 与我单击的联系人具有相同的 team_id,所以它看起来应该可以工作,但它没有。

感谢您提供的任何帮助。

这是ability.rb文件:

    class Ability
    include CanCan::Ability

    def initialize(user)
        # Define abilities for the passed in user here. For example:
        #

        user ||= User.new # guest user (not logged in)

        case user.role
            when "admin"        then 
              can :manage, :all
            when "team_admin"   then
              can :manage, Team,        :team => { :id => user.team_id }
              can :manage, Upload,      :team => { :id => user.team_id }
              can :manage, Property,    :team => { :id => user.team_id }
              can :manage, Contact,     :team => { :id => user.team_id }
              can :manage, Appointment, :team => { :id => user.team_id }
            when "user"         then                   
              can :manage, Team,        :team => { :id => user.team_id }
              can :manage, Upload,      :team => { :id => user.team_id }
              can :manage, Property,    :team => { :id => user.team_id }
              can :manage, Contact#,    :team => { :id => user.team_id }
              can :manage, Appointment, :team => { :id => user.team_id }
              can :read, User,          :user => { :id => user.id}

              can :create, Team     
              can :create, Upload       
              can :create, Property     
             # can :create, Contact 
              can :create, Appointment

              can :index, Property  
             # can :index, Contact  
        end

            # if user.role == "admin"
            #   can :manage, :all
            # else
            #   can :read, :all
            # end

        #
        # The first argument to `can` is the action you are giving the user permission to do.
        # If you pass :manage it will apply to every action. Other common actions here are
        # :read, :create, :update and :destroy.
        #
        # The second argument is the resource the user can perform the action on. If you pass
        # :all it will apply to every resource. Otherwise pass a Ruby class of the resource.
        #
        # The third argument is an optional hash of conditions to further filter the objects.
        # For example, here the user can only update published articles.
        #
        #   can :update, Article, :published => true
        #
        # See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities
    end
end

这是我的联系人控制器中的显示操作:

  def show
    @contact = Contact.find(params[:id])
    authorize! :show, @contact

    respond_to do |format|
      format.html # show.html.erb
      format.json { render json: @contact }
    end


  end

这是用户模型:

class User < ActiveRecord::Base

  has_secure_password
  attr_accessible :email, :password, :password_confirmation, :first_name, :last_name, :team_id, :role

  belongs_to :team
  has_many :appointments
  has_many :contacts
  has_many :properties

  ROLES = %w[admin group_admin user disabled]

  validates_uniqueness_of :email

  before_create { generate_token(:auth_token) }

  def send_password_reset
    generate_token(:password_reset_token)
    self.password_reset_sent_at = Time.zone.now
    save!
    UserMailer.password_reset(self).deliver
  end

  def generate_token(column)
    begin
      self[column] = SecureRandom.urlsafe_base64
    end while User.exists?(column => self[column])
  end

end

这是联系人模型:

class Contact < ActiveRecord::Base
  attr_accessible :address_1, :address_2, :city, :first_name, :last_name, :state, :zip, :team_id
  has_and_belongs_to_many :properties
  belongs_to :user
  belongs_to :team
  has_many :appointments
end

最后,这里是团队模型:

class Team < ActiveRecord::Base
  attr_accessible :team_name

  has_many :users
  has_many :appointments
  has_many :contacts
  has_many :properties
end

【问题讨论】:

    标签: ruby-on-rails cancan


    【解决方案1】:

    试试这个:

    when "user"         then  
      ...
      can :manage, Contact, user_id: user.id, team_id: user.team.id
      ...
      can :create, Contact
      ...
    

    【讨论】:

    • 成功了!谢谢!说真的,谢谢。现在,为什么这有效? (我最初使用的语法是 CanCan wiki 中显示的)
    • 嗯,很高兴听到这个消息,感谢您的接受。可以允许你定义一个Hash of conditions。看看就明白了。
    • 我之前做过:can :manage, Contact, team_id: user.team_id 为什么这不起作用? (我是 Rails/Ruby 新手)
    • 它会起作用,它只允许用户管理他们团队的联系人。再检查一遍
    • 是的......但它没有。很奇怪——“accessible_by”起作用了——它收集了预期的记录,但“授权”不起作用——点击accessible_by查询的记录之一会使CanCan抛出“拒绝访问”错误。我的模型(上图)中有什么会导致这种情况的吗?
    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2011-07-17
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多