Ruby on rails 不能像我期望的那样加载嵌套资源
当用户登录时,Cancan工作正常。但是,当用户是“来宾”时,我希望他们能够看到一些照片,但不能看到照片的父帖子设置了限制的照片Ruby on rails 不能像我期望的那样加载嵌套资源,ruby-on-rails,ruby-on-rails-3.1,cancan,nested-resources,Ruby On Rails,Ruby On Rails 3.1,Cancan,Nested Resources,当用户登录时,Cancan工作正常。但是,当用户是“来宾”时,我希望他们能够看到一些照片,但不能看到照片的父帖子设置了限制的照片employees\u onlyflag 问题是,如果在@photos数组中有任何仅与员工帖子相关的照片,则Cancan将在PhotosController#index中抛出Cancan::AccessDenied。但是,控制器中的是否应该加载并授权\u资源:photo,:through=>:event从@photos中删除那些未经授权的记录 能力.rb class A
employees\u only
flag
问题是,如果在@photos
数组中有任何仅与员工
帖子相关的照片,则Cancan将在PhotosController#index中抛出Cancan::AccessDenied。但是,控制器中的是否应该加载并授权\u资源:photo,:through=>:event
从@photos
中删除那些未经授权的记录
能力.rb
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.role? :admin
can :manage, :all
elsif user.role? :moderator
can :read, :all
can :manage, Post
can :manage, Event
elsif user.role? :employee
can :read, :all
can :create, Post
can :update, Post, :user_id => user.id
can :destroy, Post, :user_id => user.id
can :update, User, :id => user.id
can :create, Photo
can :update, Photo, :id => user.id
can :destroy, Photo, :id => user.id
else
can :read, :all
cannot :read, Post, :employee_only => true
cannot :read, Photo, :post => { :employee_only => true } ## <- problem?
end
end
end
类能力
包括CanCan::能力
def初始化(用户)
user | |=user.new#来宾用户(未登录)
如果user.role?:管理
can:manage,:all
elsif user.role?:调解人
can:read,:all
can:管理、发布
can:管理、事件
elsif user.role?:雇员
can:read,:all
can:创建、发布
can:update,Post,:user\u id=>user.id
can:destroy,Post,:user\u id=>user.id
can:update,User,:id=>User.id
can:创建、拍照
can:update,Photo,:id=>user.id
can:destroy,Photo,:id=>user.id
其他的
can:read,:all
无法:读取、发布、:employee_only=>true
无法:读取,照片,:post=>{:employee_only=>true}
post.rb
class Post < ActiveRecord::Base
belongs_to :user
belongs_to :event
has_many :photos, :dependent => :destroy
class Post:销毁
控制器的照片:
class PhotosController < ApplicationController
load_and_authorize_resource :event ## <- problem?
load_and_authorize_resource :photo, :through => :event ## <- problem?
def index
# @event = Event.find(params[:event_id])
# @photos = @event.photos.all
respond_to do |format|
format.html # index.html.erb
format.json { render json: @events }
end
end
...
class photocontroller
首先,在您的能力文件中删除
cannot :read, Photo, :post => { :employee_only => true } ## <- problem?
我相信你要做的是通过帖子加载照片——因为帖子只限于那些employee_only=false的人,所以你是在含蓄地限制照片。然后,在照片控制器中,您需要加载帖子,以便可以使用它来加载和授权照片。在cancan(我想)中应该发生的是,在posts.employee_only=false的情况下,帖子和照片之间会进行内部连接。cancan是否失宠了&我没有收到备忘录?
class User < ActiveRecord::Base
attr_protected :roles_mask
has_many :posts
has_many :photos, :through => :posts
...
cannot :read, Photo, :post => { :employee_only => true } ## <- problem?
load_and_authorize_resource :event ## <- problem?
load_and_authorize_resource :photo, :through => :event ## <- problem?
load_and_authorize_resource :post
load_and_authorize_resource :photo, :through => :post