Ruby on Rails 3.2: authorization of a nested resource fails

Tags: ruby-on-rails-3.2, cancan

I am trying to set up access to a nested resource (specialties), e.g. "../companies/:id/specialties". Entering a company that does not belong to me works fine, but I cannot enter my own specialties. Please help me, because I have spent 4 hours searching for a solution without any result. I have the following:

CanCan 1.6.9

//routes.rb
  resources :companies do
    resources :specialties
  end
//ability.rb

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.super_admin?
      can :open, :admin_pages
    else
      cannot :open, :admin_pages
    end

    can [:edit, :update, :destroy], Company do |company|
      company.try(:admin) == user
    end

    can :manage, Specialty
  end
end
//companies_controller.rb

class CompaniesController < ApplicationController
  load_and_authorize_resource
  def new
    @company = current_user.build_company
  end

  def create
    @company = current_user.build_company params[:company]
    if @company.save
      redirect_to root_path, notice: I18n.t('notices.company_successfully_created')
    else
      render :new
    end
  end

  def edit
    @company = Company.find params[:id]
  end

  def update
    @company = current_user.company
    if @company.update_attributes(params[:company])
      redirect_to root_path, notice: I18n.t('notices.company_successfully_updated')
    else
      render action: 'edit'
    end
  end

end

//specialties_controller.rb

class SpecialtiesController < ApplicationController
  load_and_authorize_resource :company
  load_and_authorize_resource  through: :company

  before_filter :company, except: [:destroy]

  def index
    @specialties = @company.specialties
    respond_to do |format|
      format.json { 
        resource = params[:resource_type]=='user' ? User.new : Profile.new 
        render :json => {:success => true, :html => (render_to_string '_specialties_list.html.slim', :locals => {:resource => resource})} 
      }
      format.html {}
    end
  end

  def new
    @specialty = @company.specialties.build
  end

  def create
    @specialty = @company.specialties.build params[:specialty]
    if @specialty.save
      redirect_to company_specialties_path, notice: I18n.t('notices.specialty_successfully_created')
    else
      render :new
    end
  end

  def show
    @specialty = Specialty.find params[:id]
  end

  def edit
    @specialty = Specialty.find params[:id]
  end

  def update
    @specialty = Specialty.find params[:id]
    if @specialty.update_attributes(params[:specialty])
      redirect_to company_specialties_path, notice: I18n.t('notices.specialty_successfully_updated')
    else
      render action: 'edit'
    end
  end

  def destroy
    @specialty = Specialty.find(params[:id])
    @specialty.destroy
    redirect_to company_specialties_path
  end

  private

    def company
      @company = Company.find(params[:company_id])
    end

end

In your ability file you granted the [:edit, :update, :destroy] permissions only to the admin of the same company.

When he tries to access any action in the specialties controller, the first load_and_authorize_resource :company call will try to read the company. After reading the company it will look up the specialty through that company and check whether the user has permission for the specific action on the specialty.

In this case the user has all permissions on the specialty but no read permission on the company, hence the problem.

So add the :read permission for the company admin, or grant all permissions with :manage:

can [:read, :edit, :update, :destroy], Company do |company|
  company.try(:admin) == user
end
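To make the answer's reasoning checkable without a Rails app, here is an added example (not code from the question, nor from the cancan gem) that models the relevant CanCan 1.6 behaviour in plain Ruby: `:read` expands to `:index` and `:show`, `:manage` matches every action, the last matching rule wins, and for `load_and_authorize_resource :company` followed by `load_and_authorize_resource through: :company` the parent is authorized with `:show` before the child is looked up through the parent's association and authorized with the requested action. Those four points are assumptions about the gem reproduced here, and the users and companies are constructed sample data. Running it shows the asker's rules refusing at the company step even for the company's own admin, and the answer's `:read` fix letting that admin through while still refusing everyone else.

```ruby
# Added example for this page: a plain-Ruby model of the CanCan 1.6 rule
# matching that load_and_authorize_resource relies on. It is not the cancan
# gem and needs no Rails. The alias table, "last matching rule wins" and the
# parent-checked-with-:show-then-child order are assumptions about the gem.

User      = Struct.new(:name, :super_admin)
Company   = Struct.new(:id, :admin, :specialties)
Specialty = Struct.new(:id, :company)

class MiniAbility
  class AccessDenied < StandardError
    attr_reader :action, :subject
    def initialize(action, subject)
      @action, @subject = action, subject
      super("not authorized to #{action} #{subject.is_a?(Class) ? subject : subject.class}")
    end
  end

  # CanCan's default action aliases; :manage matches every action.
  ALIASES = { read: [:index, :show], create: [:new], update: [:edit] }.freeze

  def initialize
    @rules = []
  end

  def can(actions, subject, &block)
    Array(actions).each { |a| @rules << [true, a, subject, block] }
  end

  def cannot(actions, subject, &block)
    Array(actions).each { |a| @rules << [false, a, subject, block] }
  end

  # Rules are searched from the last defined back to the first. The first rule
  # whose action and subject match, and whose block (if any) returns true for
  # the instance, decides. No matching rule means denied.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.reverse_each do |allowed, rule_action, rule_subject, block|
      next unless rule_subject == klass && action_matches?(rule_action, action)
      return allowed if block.nil? || subject.is_a?(Class) || block.call(subject)
    end
    false
  end

  def authorize!(action, subject)
    raise AccessDenied.new(action, subject) unless can?(action, subject)
    subject
  end

  private

  def action_matches?(rule_action, requested)
    rule_action == :manage || rule_action == requested ||
      ALIASES.fetch(rule_action, []).include?(requested)
  end
end

# The question's ability.rb, without the :admin_pages rules (not involved here).
def asker_ability(user)
  MiniAbility.new.tap do |a|
    a.can([:edit, :update, :destroy], Company) { |company| company.admin == user }
    a.can :manage, Specialty
  end
end

# The answer's fix: the company admin may also :read (:index and :show) the company.
def fixed_ability(user)
  MiniAbility.new.tap do |a|
    a.can([:read, :edit, :update, :destroy], Company) { |company| company.admin == user }
    a.can :manage, Specialty
  end
end

# One request through the two filters in SpecialtiesController:
#   load_and_authorize_resource :company          -> parent authorized with :show
#   load_and_authorize_resource through: :company -> child found via the parent's
#                                                    association, then authorized with the action
# Returns :allowed, or a symbol naming the step that refused the request.
def nested_request(ability, company, action, specialty_id = nil)
  ability.authorize!(:show, company)
  specialty = if specialty_id
                company.specialties.find { |s| s.id == specialty_id }
              else
                Specialty.new(nil, company) # new/create build through the parent
              end
  return :not_found_in_company if specialty.nil? # foreign id: 404 before the action runs
  ability.authorize!(action, specialty)
  :allowed
rescue MiniAbility::AccessDenied => e
  e.subject.is_a?(Company) ? :denied_at_company : :denied_at_specialty
end

# Constructed sample data (not from the page): alice administers company 3, bob company 4.
ALICE = User.new("alice", false)
BOB   = User.new("bob", false)
ACME  = Company.new(3, ALICE, [])
ACME.specialties << Specialty.new(7, ACME)
OTHER = Company.new(4, BOB, [])
OTHER.specialties << Specialty.new(9, OTHER)

if __FILE__ == $PROGRAM_NAME
  puts "asker's rules, alice, company 3 / specialty 7: #{nested_request(asker_ability(ALICE), ACME, :show, 7)}"
  puts "fixed rules,   alice, company 3 / specialty 7: #{nested_request(fixed_ability(ALICE), ACME, :show, 7)}"
  puts "fixed rules,   bob,   company 3 / specialty 7: #{nested_request(fixed_ability(BOB), ACME, :show, 7)}"
end
```

One thing the model makes visible that is easy to miss in the posted controller: the child lookup goes through `company.specialties`, so a specialty id that belongs to another company is simply not found. The posted `show`, `edit`, `update` and `destroy` actions then reload the record with the unscoped `Specialty.find params[:id]`; that is only safe because the filter has already done the scoped lookup (a foreign id raises RecordNotFound there first), so skipping or removing the filter would silently make every specialty reachable under any `:company_id`. Using the `@specialty` the filter loaded, or `@company.specialties.find(params[:id])`, removes that dependency.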

Is there any specific action that raises the error? What is the stack trace? Paste the stack trace on pastebin and reply with the URL, if you intend to do so.

For example (the company with id=3 is mine) does not grant access, while I can access it; I cannot access (as I expected), so I cannot access anything nested inside the company resource. I get "You are not authorized to access this page".