CanCanCan和ForbiddenAttributesError

时间:2014-10-03 12:39:34

标签: ruby-on-rails cancan

我使用CanCanCan和Rails 4,因此每个操作都由load_and_authorize_resource方法授权。一切都有效,除了创建动作,它失败并出现错误:ActiveModel :: ForbiddenAttributesError

我认为问题出现在CanCan中,因为'create'在没有'load_and_authorize_resource'的情况下工作正常。

class BuildingsController < ApiController
  load_and_authorize_resource
  PERMITTED_PARAMS = [:name, :description, deal_info_attributes: [:for_rent, :for_sale, :available_from]] 

  def create
    building = Building.new(create_params.permit(PERMITTED_PARAMS))
    building.author_id = current_user.id if user_signed_in?

    if building.save
      render json: building
    else
      render json: { errors: building.errors }, status: :bad_request
    end
  end
end

class ApiController < ActionController::API
  def create_params
    params.require(controller_name.classify.downcase.to_sym)
  end
end

测试:

describe "POST /buildings" do
  let(:attrs) { attributes_for(:building) }
  let(:deal_info_attributes) { attributes_for(:deal_info) }

  it "creates right building" do
    api_post "/buildings", building: attrs.merge({ name: "SomeBC", deal_info_attributes: deal_info_attributes })
    expect(response).to be_success
  end
end

型号:

class Building < ActiveRecord::Base
  accepts_nested_attributes_for :deal_info
  has_one :deal_info, as: :deal_infoable, dependent: :destroy
  # deal_info is polymorphic
end

能力:

class Ability
  include CanCan::Ability

  def initialize(user, ip=nil)
    user ||= User.new # guest user (not logged in)

    if user.roles.blank?
      can :read, :all
    elsif has_local_role?(user) && has_local_ip?(user, ip)
      create_permissions(user)
    elsif has_local_role?(user) && !has_local_ip?(user, ip)
      raise CanCan::AccessDenied
    else
      create_permissions(user)
    end
  end

private

  def create_permissions(user)
    # Permissions example: { 'can' => [{ 'read' => 'all' }, { 'update' => 'room' }], 'cannot' => { 'create' => 'building' } }
    user.roles.each do |role|
      role.permissions.each do |rights, value|
        # Check for the value length is a 'fix' for parsing nested json, e.g. [{},{}]
        value.length > 1 ? value.each{ |v| parse_permissions(rights, v, user) } : parse_permissions(rights, value, user)
      end
    end
  end

  def parse_permissions(rights, value, user)
    value.each do |action, subject|
      case rights
      when "can"
        subject == 'all' ? (can action.to_sym, :all) : (can action.to_sym, subject.classify.constantize)
      when "cannot"
        subject == 'all' ? (cannot action.to_sym, :all) : (cannot action.to_sym, subject.classify.constantize)
      when "only_own"
        can action.to_sym, subject.classify.constantize, subject.classify.constantize.where(author_id: user.id) do |subj|
          subj.author_id == user.id
        end  
      end
    end
  end

  # has_local_role and has_local_ip not relevant to the problem.
end

2 个答案:

答案 0 :(得分:0)

问题出现在.permit中,我不得不将它直接添加到create_params方法中。

class ApiController < ActionController::API
  def create_params
    params.require(controller_name.classify.downcase.to_sym).permit(self.class::PERMITTED_PARAMS)
  end
end

答案 1 :(得分:0)

我的控制器中有 AdjustmentTask 模型和 adj_task_params。 它在重命名 params 方法后开始工作,如模型名称:tcfto_adjustment_params