我已经安装了cancan和devise。现在它只是限制用户登录和某些控制器。我想扩展权限,用户只能访问他们所在公司的记录:
*邮寄者正在向潜在客户邮寄
* Customer_order当然是客户订单。
user.company_id == mailers.company_id
OR user.company.id == customer_order.company_id
如果匹配则用户可以对这些记录执行CRUD。
答案 0 :(得分:0)
只需检查before_filter中的权限即可。
如果您有companies_controller,可以这样做:
before_filter :check_permission, only: [:show, :new, :create] # and all the actions you want to protect
# Your actions
private
def check_permission
# current_user is available if you're using Devise
# you have to set mailers somehow, maybe with another filter
unless current_user.company_id == @mailers.company_id
redirect_to root_path
end
end