我正在尝试将一个组(int)添加到我的workorder_controller中。我想将所有工作订单数据存储在同一个表中,但是使用设备过滤基于组而不是user_id的结果。这个想法是,用户只能看到他们的组的所有用户条目。如果有更好的方法,请告诉我。
我考虑过使用: Why am I getting NoMethodError for this devise_group call?
看起来它没有正常工作
我也试过跟着这个也没有运气: Adding group_id to notes
workorder_controller.rb
class WorkordersController < ApplicationController
before_action :authenticate_user!
load_and_authorize_resource
before_action :set_workorder, only: [:show, :edit, :update, :destroy]
# GET /workorders
# GET /workorders.json
def index
@workorders = Workorder.where(group: current_user.group)
end
# GET /workorders/1
# GET /workorders/1.json
def show
end
# GET /workorders/new
def new
@workorder = current_user.workorders.build
end
# GET /workorders/1/edit
def edit
end
# POST /workorders
# POST /workorders.json
def create
@workorder = current_user.workorders.build(workorder_params)
respond_to do |format|
if @workorder.save
format.html { redirect_to @workorder, notice: 'Workorder was successfully created.' }
format.json { render :show, status: :created, location: @workorder }
else
format.html { render :new }
format.json { render json: @workorder.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /workorders/1
# PATCH/PUT /workorders/1.json
def update
respond_to do |format|
if @workorder.update(workorder_params)
format.html { redirect_to @workorder, notice: 'Workorder was successfully updated.' }
format.json { render :show, status: :ok, location: @workorder }
else
format.html { render :edit }
format.json { render json: @workorder.errors, status: :unprocessable_entity }
end
end
end
# DELETE /workorders/1
# DELETE /workorders/1.json
def destroy
@workorder.destroy
respond_to do |format|
format.html { redirect_to workorders_url, notice: 'Workorder was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_workorder
@workorder = Workorder.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def workorder_params
params.require(:workorder).permit(:contractor_id, :description, :estimatedtime, :startdate, :completiondate, :budgetoverhead, :group)
end
end
application_controller.rb
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up) { |u| u.permit( :email,:password,:group ,:password_confirmation, roles: []) }
end
end
ability.rb
class Ability
include CanCan::Ability
def initialize(user)
# Define abilities for the passed in user here. For example:
#
user ||= User.new
if user.has_role? :admin
can :manage, :all
elsif user.has_role? :client
#workorders
can :create, Workorder
can :update, Workorder
can :destroy, Workorder
can :read, :all #can read all items bound only to the user login not all users
else user.has_role? :contractor
#workorders
can :create, Workorder
can :update, Workorder
can :destroy, Workorder
can :read, :all #can read all items bound only to the user login not all users
end
#
# The first argument to `can` is the action you are giving the user
# permission to do.
# If you pass :manage it will apply to every action. Other common actions
# here are :read, :create, :update and :destroy.
#
# The second argument is the resource the user can perform the action on.
# If you pass :all it will apply to every resource. Otherwise pass a Ruby
# class of the resource.
#
# The third argument is an optional hash of conditions to further filter the
# objects.
# For example, here the user can only update published articles.
#
# can :update, Article, :published => true
#
# See the wiki for details:
# https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
end
end
来自控制台的输出:
Started POST "/workorders" for 127.0.0.1 at 2017-10-19 18:21:18 -0500
Processing by WorkordersController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"XXXXXtoken hereXXXXX", "workorder"=>{"contractor_id"=>"1", "description"=>"qadsddas", "estimatedtime"=>"111", "startdate(1i)"=>"2017", "startdate(2i)"=>"10", "startdate(3i)"=>"19", "completiondate(1i)"=>"2017", "completiondate(2i)"=>"10", "completiondate(3i)"=>"19", "budgetoverhead"=>"1111"}, "commit"=>"Create Workorder"}
User Load (0.7ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 2 ORDER BY `users`.`id` ASC LIMIT 1
(3.4ms) BEGIN
Contractor Load (0.8ms) SELECT `contractors`.* FROM `contractors` WHERE `contractors`.`id` = 1 LIMIT 1
(0.3ms) ROLLBACK
Rendering workorders/new.html.erb within layouts/application
Contractor Load (0.7ms) SELECT `contractors`.* FROM `contractors` WHERE `contractors`.`group` = 1
Rendered workorders/_form.html.haml (27.3ms)
Rendered workorders/new.html.erb within layouts/application (32.2ms)
Completed 200 OK in 136ms (Views: 99.4ms | ActiveRecord: 5.9ms)
答案 0 :(得分:0)
要限制与当前用户group匹配的工作人员的访问权限,我会做出以下修改:
# Ensure the group of the work order always matches the current_user's group
def workorder_params
params.require(:workorder).permit(
:contractor_id, :description, :estimatedtime,
:startdate,:completiondate, :budgetoverhead
).merge(group: current_user.group)
end
以上内容将确保分配current_user group
到相关的工作单。
要确保所选工作单与group匹配,请修改以下内容:
def set_workorder
@workorder = Workorder.where(id: params[:id], group: current_user.group).first
end
您还可以通过向current_user添加限制来限制对group ability.rb的访问权限。例如:
can :update, Workorder, group: user.group
修改:删除了对create方法的修改。