在导轨应用中使用Cancancan宝石

时间:2017-06-20 03:34:51

标签: ruby-on-rails ruby ruby-on-rails-5 cancancan

我有一个管理所有注册用户的rails应用程序。所有crud操作都可以在注册用户的详细信息上完成。我现在需要限制应用程序,以便只允许管理员用户查看所有注册用户。任何没有管理员权限的用户都应该能够查看,编辑和删除他/她的帖子。我使用了devise gem进行身份验证,并计划使用cancancan gem进行授权。我只有一个名为Users的模型类,它包含一个文本属性(用于存储“Admin”或“Nonadmin”)。这是我的控制器代码:

class UsersController < ApplicationController
before_filter :authenticate_user!


    def index
        if current_user.role ==  "Admin"
          @users = User.all
        else
          @user = User.find(current_user.id)
       end
        redirect_to new_user_registration_path if current_user.nil?
        respond_to do |format|
          format.html
        end
      end

       def show
        if (User.all.pluck(:id).include?params[:id].to_i) == false
          flash[:notice] = "You cannot perform such an action"
        else
         @user = User.find(params[:id])
       end
         respond_to do |format|
            format.html
         end
       end

       def new
        @user = User.new
       end

       def create
        @user = User.new(user_params)

       if @user.save
          redirect_to :action => 'index'
       else
          render :action => 'new'
       end
       end

       def user_params
          params.require(:user).permit(:first_name, :last_name, :age, :biography, :email)
       end

       def edit
        if (User.all.pluck(:id).include?params[:id].to_i) == false
          flash[:notice] = "You cannot perform such an action"
        else
        @user = User.find(params[:id])
        end
        respond_to do |format|
          format.html
        end
       end

       def update
        params.inspect
        @user = User.find(params[:id])

       if @user.update_attributes(user_params)
          redirect_to :action => 'show', :id => @user
       else
          render :action => 'edit'
       end
       end

       def delete
        User.find(params[:id]).destroy
       redirect_to :action => 'index'
       end

    end

我的用户表包含以下字段:id,email,first_name,last_name,传记,电子邮件,角色。它还包含所有与设计相关的字段.Below是我的用户模型:

    class User < ApplicationRecord
      # Include default devise modules. Others available are:
      # :confirmable, :lockable, :timeoutable and :omniauthable
      devise :database_authenticatable, :registerable,
             :recoverable, :rememberable, :trackable, :validatable

    after_initialize :default_values

      private
        def default_values
          self.role ||= "Non-admin"
        end
end

我在seeds.rb中硬编码了我的管理员凭据,如下所示:

如果User.find_by(:role =&gt;'Admin')。nil?   User.create([{email:“admin_user@usermanagementsystem.com”,密码:“topsecret”,first_name:“admin”,last_name:“ums”,传记:“我在ums担任管理员”,年龄:20岁,角色:“Admin”}]) 端

查看文件: Index.html.erb: - 

<table id="albums" cellspacing="0">
  <thead>
    <tr>
      <th>        NAME        </th>
      <th>        EMAIL       </th>
      <% if current_user.role == "Admin" %>
      <th>        EDIT        </th>
      <th>        SHOW        </th>
      <th>        DESTROY     </th>
      <% end %>
      <th colspan="15"></th>
    </tr>
  </thead>
<% if current_user.role == "Admin" %>
<% @users.each do |user| %>
  <tr>
    <td><%= user.first_name %></td>
    <td><%= user.email %></td>
    <td><%= link_to 'Edit', users_edit_path(id: user.id), class: "small button"%></td>
    <td><%= link_to 'Show', users_show_path(id: user.id), class: "small button"%></td>
    <td><%= link_to 'Destroy', users_delete_path(id: user.id),  method: :delete, data: { confirm: 'Are you sure?' } , class: "small button"%></td>
  </tr>
<% end %>
<% else %>
<tr>
    <td><%= @user.first_name %></td>
    <td><%= @user.email %></td>
    <td><%= link_to 'Edit', users_edit_path(id: @user.id), class: "small button" %></td>
    <td><%= link_to 'Destroy', users_delete_path(id: @user.id),  method: :delete, data: { confirm: 'Are you sure?' } , class: "small button"%></td>
  </tr>
<%end %>
</table>

<%#= link_to 'Change password', edit_user_registration_path,  class: "small button" %>

edit.html.erb: - 

<% if @user.nil? == false %>
<%= form_for @user , :as => :user, :url => users_update_path(@user), :method => :PUT do |f| %>
  <%= f.label :first_name %>:
  <%= f.text_field :first_name %><br>

  <%= f.label :last_name %>:
  <%= f.text_field :last_name %><br>

  <%= f.label :age %>:
  <%= f.number_field :age %><br>

  <%= f.label :biography %>:
  <%= f.text_field :biography %><br>

  <%= f.label :email %>:
  <%= f.text_field :email %><br>

  <%= f.submit :class => 'small button' %>
<% end %>
<%else%>
<h3> Such a user record does not exist. Please click on a specific user </p>
<%end%>

show.html.erb 

<br>
<br>
<% if @user.nil? == false %>
<h3>User details</h3>
<table id="albums" cellspacing="0">
  <thead>
    <tr>
      <th>FIRSTNAME</th>
      <th>LASTNAME</th>
      <th>EMAIL</th>
      <th>BIOGRAPHY</th>
      <th>AGE</th>
      <th colspan="20"></th>
    </tr>
  </thead>
  <tr>
    <td> <%= @user.first_name %> </td>
    <td> <%= @user.last_name %> </td>
    <td> <%= @user.email %> </td>
    <td> <%= @user.biography %> </td>
    <td> <%= @user.age %> </td>
  </tr>
</table>
 <%= link_to '  Edit  ', users_edit_path(id: @user.id) , class: "small button"%>
<%= link_to 'Delete     ', users_delete_path(id: @user.id),  method: :delete, data: { confirm: 'Are you sure?' }, class: "small button" %>
<%else%>
<h3> Such a user record does not exist. Please click on a specific user </p>
<%= link_to "Logout", destroy_user_session_path, method: :delete, class: "small button"  %>
</footer>
<%end%>

任何人都可以帮助我使用cancancan gem限制管理员以外的任何用户查看,编辑,更新和删除自己的帖子。管理员应该能够对每个人的记录进行这些操作。

如果您发现我对控制器代码执行了错误,请帮助我改进。提前谢谢。

1 个答案:

答案 0 :(得分:0)

将以下代码添加到ability.rb的初始化函数中,并使其正常工作。

如果user.role ==&#34; Admin&#34;       可以:管理,:全部     其他       can [:index],User,id:user.id       可以[:show],用户,id:user.id       可以[:edit],User,id:user.id       可以[:update],User,id:user.id       可以[:delete],User,id:user.id     端

相关问题
最新问题