有没有办法在Cancan嵌套资源能力中访问父对象?

时间:2014-03-06 12:13:30

标签: ruby-on-rails cancan

我有一个嵌套资源,我正在使用Cancan进行授权。我需要能够访问父对象,以便能够授权子进程的:index操作(因为没有为:index操作传递子实例)。

# memberships_controller.rb
class MembershipsController < ApplicationController
  ...
  load_and_authorize_resource :org
  load_and_authorize_resource :membership, through: :org
  ..
end

ability.rb

can [:read, :write], Membership do |membership|
  membership.org.has_member? user
end

这不适用于:index action

不幸的是,索引操作没有与之关联的任何成员资格实例,因此您无法恢复以检查权限。

为了检查权限,我需要询问父对象(组织)并询问当前用户是否是成员,例如。

# ability.rb
...
can :index, Membership, org: { self.has_member? user }

康康几乎让我​​这样做......

Cancan声明您可以使用以下机制访问父级的属性: https://github.com/ryanb/cancan/wiki/Nested-Resources#wiki-accessing-parent-in-ability

# in Ability
can :manage, Task, :project => { :user_id => user.id }

然而,这只是通过比较对我的情况不起作用的属性。

我如何访问父对象本身?

有没有办法在权限内访问父对象本身?

2 个答案:

答案 0 :(得分:4)

我最近遇到了同样的问题并最终得到以下结果(假设您有Org型号):

class MembershipsController < ApplicationController
  before_action :set_org, only: [:index, :new, :create] # if shallow nesting is enabled (see link at the bottom)
  before_action :authorize_org, only: :index

  load_and_authorize_resource except: :index

  # GET orgs/1/memberships
  def index
    @memberships = @org.memberships
  end

  # ...

private

  def set_org
    @org = Org.find(params[:org_id])
  end

  def authorize_org
    authorize! :access_memberships, @org
  end

end

ability.rb:

can :access_memberships, Org do |org|
  org.has_member? user
end

有用的链接

https://github.com/ryanb/cancan/issues/301

http://guides.rubyonrails.org/routing.html#shallow-nesting

答案 1 :(得分:1)

你不能做这样的事吗?

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    can :index, Membership, org: {id: user.memberships.map(&:org_id)}
  end
end