Strange behaviour when deleting with Devise + CanCan

Time: 2011-12-08 19:12:03

Tags: ruby-on-rails devise cancan

I have implemented authentication with Devise and role permissions with CanCan. My application manages recipes, and when I destroy a recipe, my session is closed and I am redirected to the sign_in view ...

If I don't check authentication and permissions (see recipes_controller above), it works fine.

This is weird, and I don't know why it happens. Please help.

Thanks

LOG:

 Started POST "/recipes/21" for 127.0.0.1 at Thu Dec 08 19:53:30 +0100 2011
 Processing by RecipesController#destroy as HTML
 Parameters: {"id"=>"21"}
 User Load (0.5ms)  SELECT "users".* FROM "users" WHERE "users"."id" = 5 LIMIT 1
 Completed 401 Unauthorized in 44ms

 Started GET "/users/sign_in" for 127.0.0.1 at Thu Dec 08 19:53:30 +0100 2011  
 Processing by Devise::SessionsController#new as HTML
 Rendered devise/shared/_links.erb (2.5ms)
 Rendered devise/sessions/new.html.erb within layouts/application (14.2ms)
 Completed 200 OK in 52ms (Views: 20.8ms | ActiveRecord: 0.0ms)

RECIPES_CONTROLLER:

class RecipesController < ApplicationController
  before_filter :authenticate_user!   # Devise: require a signed-in user
  load_and_authorize_resource         # CanCan: load @recipe and check Ability

  def destroy
    @recipe = Recipe.find(params[:id])
    @recipe.destroy
    redirect_to recipes_url, :notice => "Successfully destroyed Recipe."
  end
end

ABILITY:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user
    if user.role? :super_admin
      can :manage, :all
    elsif user.role? :super_read_admin
      can :read, :all
    else
      # manage only the recipes he owns
      can :manage, Recipe do |recipe|
        recipe.owner == user
      end
    end
  end
end

1 answer:

Answer 0: (score: 0)

Answer, per the questioner (see the comments below)

You must make sure that <%= csrf_meta_tags %> is included in the layout.

============================

(Original reply)

From "Completed 401 Unauthorized in 44ms" it looks like your user is not allowed to destroy this recipe. Check whether recipe.owner.id is 5 ...

Try this in the console:

user = User.find(5)                        # the user loaded in the log
puts user.role
ability = Ability.new(user)                # build the rules for that user
ability.can? :destroy, Recipe.find(21)     # the recipe from the log

What is the output of the second and last commands?
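The console check from the answer, exercised offline as an added example that is not from the post or from the CanCan project: `MiniAbility` is an assumed stand-in for `CanCan::Ability` covering only `can`/`can?` as used on this page, and the users and recipe are constructed to mirror the log (user 5, recipe 21). It goes beyond the single case by also checking a non-owner, a read-only admin and a guest.

```ruby
# Added example (not from the post): a tiny stand-in for CanCan::Ability so the
# questioner's rules can be run offline, without Rails or the cancan gem.
User = Struct.new(:id, :role) do
  def role?(name)
    role == name
  end
end
Recipe = Struct.new(:id, :owner)
# Assumption: emulates only the subset of CanCan used here. A rule is
# [action, subject, block]; :manage/:all are wildcards, a block must return true.
module MiniAbility
  def can(action, subject, &block)
    (@rules ||= []) << [action, subject, block]
  end

  def can?(action, record)
    klass = record.is_a?(Class) ? record : record.class
    (@rules || []).any? do |act, subj, blk|
      next false unless act == :manage || act == action
      next false unless subj == :all || subj == klass
      blk.nil? || record.is_a?(Class) || blk.call(record)
    end
  end
end
# The page's Ability, unchanged apart from `else if` -> `elsif`.
class Ability
  include MiniAbility

  def initialize(user)
    user ||= User.new(nil, nil) # guest user
    if user.role? :super_admin
      can :manage, :all
    elsif user.role? :super_read_admin
      can :read, :all
    else
      can :manage, Recipe do |recipe| # only recipes the user owns
        recipe.owner == user
      end
    end
  end
end
# Constructed sample data mirroring the log: user 5 owns recipe 21.
OWNER    = User.new(5, :user)
STRANGER = User.new(6, :user)
READER   = User.new(7, :super_read_admin)
RECIPE21 = Recipe.new(21, OWNER)
# The answer's console check: may this user destroy recipe 21?
def destroy_allowed?(user, recipe)
  Ability.new(user).can?(:destroy, recipe)
end
```

If the owner case returns true here but the real console returns false, the 401 is not coming from the ownership rule, which is consistent with the CSRF explanation in the accepted answer.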