CanCanCan仅显示用户所属的模型实例

时间:2017-09-06 01:51:09

标签: ruby-on-rails ruby-on-rails-5 cancan cancancan rolify

我目前正在使用 Devise,CanCan和Rolify 来处理我的rails应用的身份验证和授权,而且我很难理解如何制作它以便user只能:show:update 用户所属的模型的特定实例(也就是我的user有{{1}列,而不是相反)。

client_id Abilities.rb定义user的{​​{1}}更新部分,工作正常,即如果:client那么他只能更新current_user.client_id = 3的客户端Client.id = 3但是,同一个用户可以查看Client模型的任何实例,而我似乎无法掌握如何限制它。

Ability.rb 

...
if user.has_role? :client
  can [:read, :update], [Property, Order], client_id: user.client_id
  can [:read, :update], Owner
  can :create, [Property, Order, Owner]
  can :manage, User, id: user.id
  can [:show, :update], Client, id: user.client_id
end
...

每个用户都没有index所有Clients,因此在研究之后我将can [:read, :update], Client, ..更改为:show,但用户仍然可以看到其他clients:update部分如果它工作正常,那么我在这里真的很茫然。在过去的几个小时里一直在谷歌搜索并阅读所有CanCan文档,我承认它可以解决,但我无法弄清楚。

我已尝试将其从控制器端进行限制,如下所示但不起作用:

external/clients_controller.rb 

class External::ClientsController < ApplicationController
  load_and_authorize_resource
  before_filter :client_only

  def index
    @clients = Client.paginate(page: params[:page], per_page: 15)
  end

  def show
    @clients = Client.find(params[:id])
    @client_users = User.where(client_id: params[:id])
    @client_orders = Order.where(client_id: params[:id]).includes(:property, :owners)
    can? :show, @clients
  end

  def edit
    @clients = Client.find(params[:id])
    respond_to do |format|
      format.html { @clients.save }
      format.js
    end
  end

  def update
    @clients = Client.find(params[:id])
    @clients.update_attributes(client_params)
    respond_to do |format|
      format.html { if @clients.save
                      flash[:success] = "Client Updated Successfully"
                      redirect_to client_path(@clients)
                    else
                      render 'edit'
                    end
      }
      format.js
    end
  end

  private

  def client_params
    params.require(:client).permit(:uuid, :company, :first_name, :last_name, :phone, :email, :address1, :address2, :city, :state, :zip, :notes)
  end

  def client_only
    redirect_to root_path unless current_user.is_client?
  end

end

因此,如果有人能够帮助我完全理解CanCan如何处理模型实例的基于角色的授权,那么我将非常感激。提前谢谢!

更新代码

删除了@client

中的所有external/clients_controller.rb实例加载 
class External::ClientsController < ApplicationController
  load_and_authorize_resource
  before_filter :client_only

  def show
    @client_users = User.where(client_id: params[:id])
    @client_orders = Order.where(client_id: params[:id]).includes(:property, :owners).paginate(page: params[:page], per_page: 15).order("order_number DESC")
  end

  def edit
    respond_to do |format|
      format.html
      format.js
    end
  end

  def update
    if params[:client][:state].blank?
      params[:client][:state] = @client.try(:state)
    end
    @client.update_attributes(client_params)
    respond_to do |format|
      format.html { if @client.save
                      flash[:success] = "Client Updated Successfully"
                      redirect_to external_client_path(@client)
                    else
                      render 'edit'
                    end
      }
      format.js
    end
  end

  private

  def client_params
    params.require(:client).permit(:uuid, :company, :first_name, :last_name, :phone, :email, :address1, :address2, :city, :state, :zip, :notes)
  end

  def client_only
    redirect_to root_path unless current_user.is_client?
  end

end

完整ability.rb 

class Ability
  include CanCan::Ability

  def initialize(user)  
    alias_action :show, :to => :view
    alias_action :open_external_orders, :completed_external_orders, :to => :client_order_views

    user ||= User.new
    if user.has_role? :admin
      can :manage, :all
      can :assign_roles, User
    else
      can :read, :all
    end

    if user.has_role? :executive
      can :manage, [Property, Deed, Mortgage, Order, Owner, Client, AttachedAsset, User]
      cannot :assign_roles, User
    end

    if user.has_role? :management
      can :manage, [Property, Deed, Mortgage, Order, Owner, Client, AttachedAsset]
      can :read, User
      can :manage, User, id: user.id
      cannot :destroy, [Property, Order, Client, User]
    end

    if user.has_role? :analyst
      can :manage, [Property, Deed, Mortgage, Order, Owner, Client, AttachedAsset]
      can :manage, User, id: user.id
      cannot :destroy, [Property, Order, Client, User]
    end

    if user.has_role? :it
      can :manage, [Property, Deed, Mortgage, Order, Owner, Client, AttachedAsset]
      can :manage, User, id: user.id
      can :read, User
      cannot :destroy, [Property, Order, Client, User]
    end

    if user.has_role? :client
      can [:read, :update], Client, id: user.client_id
      can [:read, :update, :client_order_views], [Property, Order], client_id: user.client_id
      can [:read, :update], Owner
      can :create, [Property, Order, Owner]
      can :manage, User, id: user.id
    end
  end
end

1 个答案:

答案 0 :(得分:1)

CanCanCan可以使用“增加权限”。 每条规则都可以增加之前的规则。

如果你写:

can :show, User
can :edit, User

这两个权限将被加入,您将能够显示和编辑用户。

在你的ability.rb中,你定义了can :read, :all你授予所有对象阅读(显示和索引)的权限。

我建议你根据“增加持续时间”的概念写下你的能力档案。这意味着你没有开始为管理员定义能力,但你最终会这样做,将管理员需要的能力添加到你已经给予每个人的能力中。

相关问题
最新问题