我无法使用装备和载波装载板3.2来实现宝石罐头。
目前,我希望用户只能将图片上传到他们自己的用户页面(显示)。目前,我有一个包含所有注册用户的用户索引页面。我可以进入其中的每一个,并仅使用用户角色(而不是管理员)为每个配置文件添加图像。我只希望能够将此作为我自己的个人资料,并且实际上只能阅读其他个人资料页面(减去添加照片链接)。我的代码如下:
class Ability
include CanCan::Ability
def initialize(user)
# Define abilities for the passed in user here. For example:
#
user ||= User.new # guest user (not logged in)
if user.has_role? :user
can :read, User
can [:new, :create] , Photo, user_id: user.id
end
end
class UsersController < ApplicationController
before_filter :authenticate_user!
def index
@users = User.all
end
def show
@user = User.find(params[:id])
@photo = Photo.new(params[:user_id])
end
end
class PhotosController < ApplicationController
before_filter :authenticate_user!
def new
@photo = Photo.new(:user_id => params[:user_id])
authorize! :new, @photo
end
def create
@photo = Photo.new(params[:photo])
if @photo.save
flash[:notice] = "Successfully created photo."
redirect_to @photo.user
else
render :action => 'new'
end
authorize! :create, @photo
end
def edit
@photo = Photo.find(params[:id])
end
def update
@photo = Photo.find(params[:id])
authorize! :update, @user
if @photo.update_attributes(params[:photo])
flash[:notice] = "Successfully updated photo."
redirect_to @photo.user
else
render :action => 'edit'
end
end
def destroy
authorize! :destroy, @user
@photo = Photo.find(params[:id])
@photo.destroy
flash[:notice] = "Successfully destroyed photo."
redirect_to @photo.user
end
end
ActiveRecord::Schema.define(:version => 20130512100231) do
create_table "photos", :force => true do |t|
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
t.string "image"
t.integer "user_id"
end
create_table "posts", :force => true do |t|
t.string "title"
t.text "body"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
create_table "roles", :force => true do |t|
t.string "name"
t.integer "resource_id"
t.string "resource_type"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
add_index "roles", ["name", "resource_type", "resource_id"], :name => "index_roles_on_name_and_resource_type_and_resource_id"
add_index "roles", ["name"], :name => "index_roles_on_name"
create_table "users", :force => true do |t|
t.string "email", :default => "", :null => false
t.string "encrypted_password", :default => "", :null => false
t.string "reset_password_token"
t.datetime "reset_password_sent_at"
t.datetime "remember_created_at"
t.integer "sign_in_count", :default => 0
t.datetime "current_sign_in_at"
t.datetime "last_sign_in_at"
t.string "current_sign_in_ip"
t.string "last_sign_in_ip"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
t.string "name"
t.string "avatar"
t.string "image"
end
add_index "users", ["email"], :name => "index_users_on_email", :unique => true
add_index "users", ["reset_password_token"], :name => "index_users_on_reset_password_token", :unique => true
create_table "users_roles", :id => false, :force => true do |t|
t.integer "user_id"
t.integer "role_id"
end
add_index "users_roles", ["user_id", "role_id"], :name => "index_users_roles_on_user_id_and_role_id"
end
答案 0 :(得分:2)
这就是CanCan的用途。你已经安装了它,但是你还没有配置它。
can :manage, Photo, user_id: user.id
另请参阅:the manual
此外,您需要确保在要限制访问权限的每个控制器操作中调用authorize!
。例如:
authorize! :create, @photo
我更喜欢使用authorize_resource
or load_and_authorize_resource
来确保我没有错过任何操作,但只使用authorize!
将需要对代码进行最少的更改。