Ruby on Rails中cancancan authorize_resource为何不按预期授权资源?
- 内容介绍
- 文章标签
- 相关推荐
本文共计380个文字,预计阅读时间需要2分钟。
我收到的是一个关于`cancancan`权限控制库的Ruby代码片段。以下是对其进行简化改写的内容,不超过100字:
ruby简化版cancancan授权行为class Ability include CanCan::Ability def initialize(user) # 初始化用户权限 endend
我收到一个简单的cancancan授权的意外行为.ability.rb
class Ability include CanCan::Ability def initialize(user) # Define abilities for the passed in user here. For example: # user ||= User.new # guest user (not logged in) if user.is_admin? can :manage, :all elsif user.is_standard? can :manage, ServiceOrder, {user_id: user.id} can :manage, ServiceOrderDetail, :service_order => { :user_id => user.id } end
service_order.rb控制器(部分显示)
class ServiceOrdersController < ApplicationController authorize_resource def show @service_order = ServiceOrder.includes(:service_order_details).find(params[:id]) end end
这不起作用,因为它让控制器显示任何service_order记录,而不仅仅是current_user拥有的记录.
这种方法的唯一方法是,如果我手动授权控制器添加:
authorize! :show, @service_order
像这样:
def show @service_order = ServiceOrder.includes(:service_order_details).find(params[:id]) authorize! :show, @service_order end
这是没有意义的,因为authorize_resource应该这样做.
发生的事情是authorize_resource在show动作之前发生,并且由于@service_order尚未设置,它正在检查类,并且用户确实有权在约束下显示ServiceOrder.Adding authorize_resource will install a before_action callback that calls authorize!, passing the resource instance variable if it exists. If the instance variable isn’t set (such as in the index action) it will pass in the class name. For example, if we have a ProductsController it will do this before each action.
authorize!(params[:action].to_sym, @product || Product)
from Cancancan documentations
你需要做的是按照widjajayd的建议加载load_and_authorize_resource.或者(如果您不想使用cancancan默认加载操作)执行before_filter,在authorize_resource调用之前使用您的自定义方法手动加载资源.
本文共计380个文字,预计阅读时间需要2分钟。
我收到的是一个关于`cancancan`权限控制库的Ruby代码片段。以下是对其进行简化改写的内容,不超过100字:
ruby简化版cancancan授权行为class Ability include CanCan::Ability def initialize(user) # 初始化用户权限 endend
我收到一个简单的cancancan授权的意外行为.ability.rb
class Ability include CanCan::Ability def initialize(user) # Define abilities for the passed in user here. For example: # user ||= User.new # guest user (not logged in) if user.is_admin? can :manage, :all elsif user.is_standard? can :manage, ServiceOrder, {user_id: user.id} can :manage, ServiceOrderDetail, :service_order => { :user_id => user.id } end
service_order.rb控制器(部分显示)
class ServiceOrdersController < ApplicationController authorize_resource def show @service_order = ServiceOrder.includes(:service_order_details).find(params[:id]) end end
这不起作用,因为它让控制器显示任何service_order记录,而不仅仅是current_user拥有的记录.
这种方法的唯一方法是,如果我手动授权控制器添加:
authorize! :show, @service_order
像这样:
def show @service_order = ServiceOrder.includes(:service_order_details).find(params[:id]) authorize! :show, @service_order end
这是没有意义的,因为authorize_resource应该这样做.
发生的事情是authorize_resource在show动作之前发生,并且由于@service_order尚未设置,它正在检查类,并且用户确实有权在约束下显示ServiceOrder.Adding authorize_resource will install a before_action callback that calls authorize!, passing the resource instance variable if it exists. If the instance variable isn’t set (such as in the index action) it will pass in the class name. For example, if we have a ProductsController it will do this before each action.
authorize!(params[:action].to_sym, @product || Product)
from Cancancan documentations
你需要做的是按照widjajayd的建议加载load_and_authorize_resource.或者(如果您不想使用cancancan默认加载操作)执行before_filter,在authorize_resource调用之前使用您的自定义方法手动加载资源.