我有以下内容:
questions_controller.rb
class QuestionsController < ApplicationController
load_and_authorize_resource #cancancan
def index
authorize! :view_all, @questions
ability.rb
class Ability
include CanCan::Ability
def initialize(user)
...
elsif user.content_creator
can [:index, :read, :create, :update], Unit
can [:index, :read, :create, :update, :view_all], Question
routes.rb
resources :units do
resources :questions, only: [:index]
Log
Started GET "/units/1/questions" for ::1 at 2018-10-29 13:37:15 -0400
Processing by QuestionsController#index as HTML
Parameters: {"unit_id"=>"1"}
User Load (8.0ms) SELECT "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT 1 [["id", 13]]
You are not authorized to access this page.
Redirected to http://localhost:3000/dashboard
我确认用户为content_creator。我什至重启了服务器。用户可以更新Unit。但是,他们无法查看该单元中的问题索引。为什么不?
如果我将can :manage, Question放在ability.rb的开头,那么它仍然是未授权的。如果我使用can :manage, :all,则可以。
Cancancan〜> 1.10
答案 0 :(得分:0)
我摆脱了
# authorize! :view_all, @questions # prevents ContentCreators from viewing /units/1/questions
已更改
can :read, Question
收件人
can :show, Question
ability.rb中的所有其他位置,因此只有授权的查看者才能看到索引。但这并不是一个完整的答案,因为仍不清楚为什么原始代码无法正常工作。
答案 1 :(得分:0)
环顾四周我发现的情况是:
class ProductsController < ActionController::Base
load_and_authorize_resource
def discontinue
# Automatically does the following:
# @product = Product.find(params[:id])
# authorize! :discontinue, @product
end
end
根据注释文本,默认情况下cancan可以期望动作名称等于该功能,在这种情况下,您必须创建一个名为
的新动作def view_all
否则,您将不得不为索引创建一个子规则。
希望这会有所帮助。