Ruby on rails 要插入语句的Rails组id
我正在尝试将组(int)添加到我的workorder\u控制器。我想将所有工作订单数据存储在同一个表中,但使用Desive根据组而不是用户id筛选结果。这个想法是,用户可以看到所有的用户条目,只有他们的组。如果有更好的方法,请让我知道 我考虑过使用: 看起来好像工作不正常 我也试着遵循这一点也不会带来好运: workorder\u controller.rbRuby on rails 要插入语句的Rails组id,ruby-on-rails,devise,Ruby On Rails,Devise,我正在尝试将组(int)添加到我的workorder\u控制器。我想将所有工作订单数据存储在同一个表中,但使用Desive根据组而不是用户id筛选结果。这个想法是,用户可以看到所有的用户条目,只有他们的组。如果有更好的方法,请让我知道 我考虑过使用: 看起来好像工作不正常 我也试着遵循这一点也不会带来好运: workorder\u controller.rb class WorkordersController < ApplicationController before_acti
class WorkordersController < ApplicationController
before_action :authenticate_user!
load_and_authorize_resource
before_action :set_workorder, only: [:show, :edit, :update, :destroy]
# GET /workorders
# GET /workorders.json
def index
@workorders = Workorder.where(group: current_user.group)
end
# GET /workorders/1
# GET /workorders/1.json
def show
end
# GET /workorders/new
def new
@workorder = current_user.workorders.build
end
# GET /workorders/1/edit
def edit
end
# POST /workorders
# POST /workorders.json
def create
@workorder = current_user.workorders.build(workorder_params)
respond_to do |format|
if @workorder.save
format.html { redirect_to @workorder, notice: 'Workorder was successfully created.' }
format.json { render :show, status: :created, location: @workorder }
else
format.html { render :new }
format.json { render json: @workorder.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /workorders/1
# PATCH/PUT /workorders/1.json
def update
respond_to do |format|
if @workorder.update(workorder_params)
format.html { redirect_to @workorder, notice: 'Workorder was successfully updated.' }
format.json { render :show, status: :ok, location: @workorder }
else
format.html { render :edit }
format.json { render json: @workorder.errors, status: :unprocessable_entity }
end
end
end
# DELETE /workorders/1
# DELETE /workorders/1.json
def destroy
@workorder.destroy
respond_to do |format|
format.html { redirect_to workorders_url, notice: 'Workorder was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_workorder
@workorder = Workorder.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def workorder_params
params.require(:workorder).permit(:contractor_id, :description, :estimatedtime, :startdate, :completiondate, :budgetoverhead, :group)
end
end
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up) { |u| u.permit( :email,:password,:group ,:password_confirmation, roles: []) }
end
end
class Ability
include CanCan::Ability
def initialize(user)
# Define abilities for the passed in user here. For example:
#
user ||= User.new
if user.has_role? :admin
can :manage, :all
elsif user.has_role? :client
#workorders
can :create, Workorder
can :update, Workorder
can :destroy, Workorder
can :read, :all #can read all items bound only to the user login not all users
else user.has_role? :contractor
#workorders
can :create, Workorder
can :update, Workorder
can :destroy, Workorder
can :read, :all #can read all items bound only to the user login not all users
end
#
# The first argument to `can` is the action you are giving the user
# permission to do.
# If you pass :manage it will apply to every action. Other common actions
# here are :read, :create, :update and :destroy.
#
# The second argument is the resource the user can perform the action on.
# If you pass :all it will apply to every resource. Otherwise pass a Ruby
# class of the resource.
#
# The third argument is an optional hash of conditions to further filter the
# objects.
# For example, here the user can only update published articles.
#
# can :update, Article, :published => true
#
# See the wiki for details:
# https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
end
end
控制台的输出:
Started POST "/workorders" for 127.0.0.1 at 2017-10-19 18:21:18 -0500
Processing by WorkordersController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"XXXXXtoken hereXXXXX", "workorder"=>{"contractor_id"=>"1", "description"=>"qadsddas", "estimatedtime"=>"111", "startdate(1i)"=>"2017", "startdate(2i)"=>"10", "startdate(3i)"=>"19", "completiondate(1i)"=>"2017", "completiondate(2i)"=>"10", "completiondate(3i)"=>"19", "budgetoverhead"=>"1111"}, "commit"=>"Create Workorder"}
User Load (0.7ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 2 ORDER BY `users`.`id` ASC LIMIT 1
(3.4ms) BEGIN
Contractor Load (0.8ms) SELECT `contractors`.* FROM `contractors` WHERE `contractors`.`id` = 1 LIMIT 1
(0.3ms) ROLLBACK
Rendering workorders/new.html.erb within layouts/application
Contractor Load (0.7ms) SELECT `contractors`.* FROM `contractors` WHERE `contractors`.`group` = 1
Rendered workorders/_form.html.haml (27.3ms)
Rendered workorders/new.html.erb within layouts/application (32.2ms)
Completed 200 OK in 136ms (Views: 99.4ms | ActiveRecord: 5.9ms)
为了限制访问与当前用户的
组匹配的工单,我将进行以下修改:
# Ensure the group of the work order always matches the current_user's group
def workorder_params
params.require(:workorder).permit(
:contractor_id, :description, :estimatedtime,
:startdate,:completiondate, :budgetoverhead
).merge(group: current_user.group)
end
上述操作将确保分配当前用户的组
到相关的工作订单
要确保所选工作顺序与组匹配
请修改以下内容:
def set_workorder
@workorder = Workorder.where(id: params[:id], group: current_user.group).first
end
您还可以通过将限制添加到ability.rb
来限制对当前用户的组的访问。例如:
can :update, Workorder, group: user.group
编辑:删除了对创建
方法的修改。您不需要使用设计组
或“将组id添加到注释”。您在此处发布的代码是正确的。具体来说,什么是不起作用的?你有错误吗?您是否试图确保用户只能访问(即创建、读取、更新、删除)属于其组的工单?此外,我可以从load\u和\u authorize\u resource
判断您正在使用CanCanCancan。如果您发布您的能力.rb
模型,这将非常有用。返回的内容不会按组进行“筛选”。一旦我弄明白了这一点,我仍然不知道如何在创建过程中将其包含在参数中。用户id似乎没有问题将自己附加到create方法。试图弄清楚为什么团队不会这么做。我相信这很简单,但我不能把我的大脑放在这上面,明白了吗。我会发布一个答案。CanCanCan的加载和授权资源
已经将记录加载为@workorder
。您的before\u操作:set\u workorder
会对每个请求进行额外查询。如果你不相信我,请检查你的日志。它会按组过滤数据,但参数仍然不会出现在newHmm中。我建议将byebug
添加到您的创建方法中,并检查workorder\u参数的结果。包括团体吗?您还可以使用byebug控制台执行@workorder=workorder.new(workorder\u参数)
,查看是否存在任何错误。您也可以尝试暂时删除load_和\u authorize_资源
,以查看CanCanCan是否造成问题。我编辑了答案…经过一些测试后,我认为您不需要修改创建
方法。将组
合并到工作顺序参数
中应该是关键。宾果!更改了我的创建方法回来,它的工作!非常感谢。我只需要CCANCANCAN来解决,但我可以这么做。对于ChanaCCAN,您可能会考虑用<代码> > AudiiSeIsRease<代码>来替换<代码> Load和AuthigiSeReals<代码>,因为您正在手动加载。或者您可以删除加载/构建您的@workorder
的代码,因为加载和授权资源应为您解决此问题。你可能需要进行实验。