Allow non-admin to create orders in the Spree backend

Time: 2015-11-18 09:53:54

Tags: spree cancancan spree-auth-devise

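I want to create a role, other than admin, that can create orders in the Spree backend, but I can't find the combination of actions I need to enable for that user. I tried adding the default user permissions and allowing :manage on Order, LineItem, Product and Variant for the role, without success. Right now the role can create new orders, but when I search for a product to add to the cart, the API controller won't allow it.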

Update: I tried disabling authentication for the API with Spree::Api::Config[:requires_authentication] = false, and it solved the problem. So it is definitely an issue with API authentication.

I'm using solidus, which is a fork of spree 2.4

can_be_like_customer
can :manage, Spree::Order
can :manage, Spree::LineItem
can :manage, Spree::Product
can :manage, Spree::Variant

  def can_be_like_customer
    can :display, Spree::Country
    can :display, Spree::OptionType
    can :display, Spree::OptionValue
    can :create, Spree::Order
    can [:read, :update], Spree::Order do |order, token|
      order.user == user || order.guest_token && token == order.guest_token
    end
    can :display, Spree::Product
    can :display, Spree::ProductProperty
    can :display, Spree::Property
    can :create, Spree.user_class
    can :display, Spree::State
    can :display, Spree::Taxon
    can :display, Spree::Taxonomy
    can :display, Spree::Variant
    can :display, Spree::Zone
  end

Log from the terminal

Processing by Spree::Api::VariantsController#index as JSON
  Parameters: {"q"=>{"product_name_or_sku_cont"=>"bag"}, "token"=>"", "in_stock_only"=>"true", "_"=>"1447839886731"}
  Spree::User Load (0.4ms)  SELECT  "spree_users".* FROM "spree_users" WHERE "spree_users"."deleted_at" IS NULL AND "spree_users"."spree_api_key" = $1 LIMIT 1  [["spree_api_key", ""]]
  Rendered /Users/harins/.rbenv/versions/2.2.1/lib/ruby/gems/2.2.0/gems/solidus_api-1.0.2/app/views/spree/api/errors/must_specify_api_key.v1.rabl (0.7ms)
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 1778ms (Views: 1775.1ms | ActiveRecord: 0.4ms)

2 answers:

Answer 0 (score: 2)

You need to override the Spree ability and add the role condition in the initialize method. Add the following code in that method:

# for orders
can :admin, Order
can [:modify, :display], Order
can [:create, :cart], Order
can [:admin, :display, :modify], LineItem
can [:admin, :display, :modify], Adjustment
can [:admin, :display, :modify], Payment
can [:admin, :display, :modify], ReturnAuthorization
can [:admin, :display, :modify], CustomerReturn

# for products

can :admin, Product
can [:modify, :display, :stock], Product
can :create, Product
can [:admin, :manage], Image
can [:admin, :manage], Variant
can [:admin, :manage], ProductProperty
can [:admin, :modify], OptionType

Answer 1 (score: 0)

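It turned out that the admin user I created didn't have an API key generated. I had to find that user in the admin section and generate an API key using the superadmin account (spree@example.com).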
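
Added example (not from the question, the answers or Solidus itself): a simplified Ruby model of the API key check seen in the log. It shows why a backend user with a blank spree_api_key gets the 401, what setting requires_authentication to false lets through, and how issuing keys fixes the search with authentication still on. The User struct, the order_clerk role, clerk@example.test and the key_not_found label are constructed for illustration.

```ruby
require "securerandom"

# Constructed stand-in for a spree_users row; not Solidus code.
User = Struct.new(:email, :role, :spree_api_key)

# Simplified model of the gate seen in the log: the request token is looked
# up as spree_api_key, and a missing user is fatal only when authentication
# is required. CanCan ability checks happen after this gate and are not modelled.
def api_gate(users, token, requires_authentication:)
  user = token.to_s.empty? ? nil : users.find { |u| u.spree_api_key == token }
  return [200, user.email] if user
  reason = token.to_s.empty? ? "must_specify_api_key" : "key_not_found" # second label is constructed
  return [401, reason] if requires_authentication
  [200, "anonymous"] # authentication disabled: every caller passes the gate
end

# Backend users whose blank key makes the admin UI send token="".
def missing_keys(users, backend_roles)
  users.select { |u| backend_roles.include?(u.role) && u.spree_api_key.to_s.empty? }
end

# Issue a random key to each such user instead of switching authentication off.
def issue_keys!(users, backend_roles)
  missing_keys(users, backend_roles).each { |u| u.spree_api_key = SecureRandom.hex(24) }
end

# Walk through the three states described on the page, using constructed users.
def demo
  users = [
    User.new("spree@example.com", "admin", SecureRandom.hex(24)),
    User.new("clerk@example.test", "order_clerk", nil)
  ]
  clerk = users.last
  before   = api_gate(users, clerk.spree_api_key, requires_authentication: true)
  disabled = api_gate(users, "", requires_authentication: false)
  issue_keys!(users, %w[admin order_clerk])
  after    = api_gate(users, clerk.spree_api_key, requires_authentication: true)
  anon     = api_gate(users, "", requires_authentication: true)
  { before: before, disabled: disabled, after: after, anon: anon }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if __FILE__ == $PROGRAM_NAME
```
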