如果不是管理员(Ruby on Rails),如何仅列出当前用户订单?

时间:2013-11-10 10:19:56

标签: ruby-on-rails devise ruby-on-rails-4 cancan

我对rails非常陌生,而我现在正在开发我的第一个rails应用程序,所以对某些人来说这可能是一个愚蠢的问题。我想让current_user只看到自己的订单,如果他们不是管理员。我能够设置只有管理员可以查看所有订单,但我很难让当前用户查看,列出和删除他们自己的订单。我的应用有:orders模型,belongs_to :users:users模型has_many :orders

这就是我的orders_controller.rb的样子:

class OrdersController < ApplicationController
  before_action :set_order, only: [:show, :edit, :update, :destroy]

  # GET /orders
  # GET /orders.json
  def index
    authorize! :index, @user, :message => 'Not authorized as an administrator.'
    @orders = Order.all
  end

  # GET /orders/1
  # GET /orders/1.json
  def show
  end

  # GET /orders/new
  def new
    @order = Order.new
  end

  # GET /orders/1/edit
  def edit
  end

  # POST /orders
  # POST /orders.json
  def create
    @order = Order.new(order_params)

    respond_to do |format|
      if @order.save
        format.html { redirect_to @order, notice: 'Order was successfully created.' }
        format.json { render action: 'show', status: :created, location: @order }
      else
        format.html { render action: 'new' }
        format.json { render json: @order.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /orders/1
  # PATCH/PUT /orders/1.json
  def update
    respond_to do |format|
      if @order.update(order_params)
        format.html { redirect_to @order, notice: 'Order was successfully updated.' }
        format.json { head :no_content }
      else
        format.html { render action: 'edit' }
        format.json { render json: @order.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /orders/1
  # DELETE /orders/1.json
  def destroy
    @order.destroy
    respond_to do |format|
      format.html { redirect_to orders_url }
      format.json { head :no_content }
    end
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_order
      @order = Order.find(params[:id])
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    def order_params
      params.require(:order).permit(:user_id, :drop_address)
    end
end

我的问题是如何仅允许当前用户列出并查看他们所做的所有订单?

由于

2 个答案:

答案 0 :(得分:3)

为您准备了名为cancan的宝石。 请阅读wiki page。 需要更多帮助?让我知道:))

定义能力

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.admin?
      can :manage, :all
    else
      can :read, Order, :user_id => user.id
    end
  end
end
来自accessible_by

的控制器查询

@orders = Order.accessible_by(current_ability)

答案 1 :(得分:1)

  1. 你必须在两个级别上完成。在索引中,您必须获取当前用户的订单,以便用户只能看到他的订单。第二级是您确保用户可以输入不属于他的订单网址,因此请在其他操作中进行检查(编辑,更新,删除,显示)。

  2. 或者您可以使用声明性授权gem。它非常有用https://github.com/stffn/declarative_authorization

    3. -hint:对于命名约定,更改belongs_to:用户将订单模型改为belongs_to:user(belongs_to总是单数)

    这就是你的控制器应该是这样的 

    #this is the filter called before each method to make sure the user is authorized to access the order
before_filter :authorize_user, :only => [:edit,:update,:delete,:show]

def index
  authorize! :index, @user, :message => 'Not authorized as an administrator.'
  #here fetch the orders of the current user only
  @orders = current_user.orders
end

#and then goes all your methods here as normal 

private 

def authorize_user
  unless current_user.eql?(@order.user)
    flash[:notice]="You are not authorized to access this order"
    redirect_to orders_path 
  end
end
相关问题
最新问题