为什么cancancan不允许我访问某些页面?

时间:2016-04-07 20:45:01

标签: ruby-on-rails ruby devise cancancan

我正在尝试创建简单的QA论坛。我使用devise进行身份验证,并决定使用cancancan进行授权。

Ability.rb:

class Ability
  include CanCan::Ability
    def initialize(user)
        can :read, :all

        if user && user.role?(:admin)
            can :access, :rails_admin
            can :dashboard
            can :manage, :all
        elsif user && user.role?(:user)
            can :create, [Post, Comment]
            can :update, Post, user_id: user.id
            can :update, User, id: user.id
            can [:update, :destroy], Comment, user_id: user.id
        elsif user && user.role?(:moderator)
            can [:create, :update, :destroy], [Post, Comment]
        end
    end
end

发布控制器:

class PostsController < ApplicationController
  before_action :authenticate_user!, except: [:index, :show]
  load_and_authorize_resource

  def index
    @posts = Post.all.order('created_at DESC')
  end

  def withtag
    if params[:tag]
      @posts = Post.tagged_with(params[:tag]).order('created_at DESC')
      @tagname = params[:tag]
      @tag = Tag.find_by_name(params[:tag])
    end
  end

  def usernews
    @posts = []
    allPosts = Post.all.order('created_at DESC')
    userTags = current_user.subscribed_tags.map(&:name)
    allPosts.each do |post|
      postTags = post.tag_list.split(',')
      userTags.each do |tag|
        if postTags.include?(tag)
          @posts.push(post)
          break
        end
      end
    end
  end

  def userposts
    @user = User.find(params[:id])
    @posts = Post.where(user_id: @user.id).order('created_at DESC')
  end

  def new
    @post = Post.new
  end

  def create
    @post = current_user.posts.build(post_params)
    @post.user_id = current_user.id

    if @post.save
     redirect_to @post
    else
      render 'new'
    end
  end

  def show
    @post = Post.find(params[:id])
  end

  def edit
    @post = Post.find(params[:id])
  end

  def update
    @post = Post.find(params[:id])

    if @post.update(post_params)
      redirect_to @post
    else
      render 'edit'
    end
  end

  def destroy
    @post = Post.find(params[:id])
    @post.destroy

    redirect_to root_path
  end

  private
    def post_params
      params.require(:post).permit(:title, :body, :image, :tag_list)
    end
end

当我尝试访问用户新闻并查看所有新帖子,标记有我已订阅的标签,或者查看由某些用户创建的所有帖子时,我收到错误,那说

  

您无权访问此页面

如果用户角色不是管理员且他不能

,则会发生这种情况
  

:manage,:all

如何修复它并为用户和版主提供对此页面的访问权限,而无需使用:manage。

P.S。:你能说我吗,我使用的是rails_admin吗? 

RailsAdmin.config do |config|
  config.authenticate_with do
    warden.authenticate! scope: :user
  end
  config.current_user_method(&:current_user)
  config.authorize_with :cancan
end

1 个答案:

答案 0 :(得分:0)

试试这个:

class Ability
  include CanCan::Ability
    def initialize(user)
        if user
            can :access, :rails_admin
            can :dashboard
            if user.role == :admin
               can :manage, :all
            elsif user.role == :user
               can :create, [Post, Comment]
               can :update, Post, user_id: user.id
               can :update, User, id: user.id
               can [:update, :destroy], Comment, user_id: user.id
               can :read, :all 
            elsif user.role == :moderator
              can :read, :all 
              can [:create, :update, :destroy], [Post, Comment]
           end
       end
    end
end
相关问题
最新问题