I have implemented authentication with Devise and role-based permission management with CanCan. My application manages recipes, and when I destroy a recipe my session is closed and I am redirected to the sign_in view ...
If I don't check authentication and permissions (see recipes_controller below), it works fine.
This is strange and I don't know why it happens. Please help.
Thanks
LOG:
Started POST "/recipes/21" for 127.0.0.1 at Thu Dec 08 19:53:30 +0100 2011
Processing by RecipesController#destroy as HTML
Parameters: {"id"=>"21"}
User Load (0.5ms) SELECT "users".* FROM "users" WHERE "users"."id" = 5 LIMIT 1
Completed 401 Unauthorized in 44ms
Started GET "/users/sign_in" for 127.0.0.1 at Thu Dec 08 19:53:30 +0100 2011
Processing by Devise::SessionsController#new as HTML
Rendered devise/shared/_links.erb (2.5ms)
Rendered devise/sessions/new.html.erb within layouts/application (14.2ms)
Completed 200 OK in 52ms (Views: 20.8ms | ActiveRecord: 0.0ms)
RECIPES_CONTROLLER:
class RecipesController < ApplicationController
  before_filter :authenticate_user!
  load_and_authorize_resource

  def destroy
    @recipe = Recipe.find(params[:id])
    @recipe.destroy
    redirect_to recipes_url, :notice => "Successfully destroyed Recipe."
  end
end
ABILITY:
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user
    if user.role? :super_admin
      can :manage, :all
    elsif user.role? :super_read_admin
      can :read, :all
    else
      # manage recipes he owns
      can :manage, Recipe do |recipe|
        recipe.owner == user
      end
    end
  end
end
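The ability rules in the question can be exercised without the CanCan gem or a database. The following is an added example, not code from the question or from CanCan: `MiniAbility`, the Struct-based `User`/`Recipe` and the sample records (user 5 owning recipe 21, mirroring the log) are constructed stand-ins, and `:manage` is treated as covering every action, as it does in CanCan.

```ruby
# Constructed stand-ins for the ActiveRecord models in the question.
User = Struct.new(:id, :role) do
  def role?(name)
    role == name
  end
end
Recipe = Struct.new(:id, :owner)

# Minimal stand-in for CanCan's `can` / `can?`: each rule is
# [action, subject, optional block]. :manage matches every action and
# :all matches every subject; a block, when present, must return true.
class MiniAbility
  def initialize(user)
    @rules = []
    user ||= User.new(nil, :guest) # guest user, as in the original Ability
    if user.role? :super_admin
      can :manage, :all
    elsif user.role? :super_read_admin
      can :read, :all
    else
      # manage only recipes the user owns
      can :manage, Recipe do |recipe|
        recipe.owner == user
      end
    end
  end

  def can(action, subject, &block)
    @rules << [action, subject, block]
  end

  def can?(action, subject)
    @rules.any? do |rule_action, rule_subject, block|
      next false unless rule_action == :manage || rule_action == action
      next false unless rule_subject == :all || subject.is_a?(rule_subject)
      block.nil? || block.call(subject)
    end
  end
end

# Constructed sample data: the ids are taken from the log in the question.
OWNER    = User.new(5, :member)
STRANGER = User.new(6, :member)
READER   = User.new(7, :super_read_admin)
RECIPE   = Recipe.new(21, OWNER)

# The check the answer suggests running in the console: can this user
# destroy recipe 21?
def destroy_allowed?(user, recipe = RECIPE)
  MiniAbility.new(user).can?(:destroy, recipe)
end

if __FILE__ == $0
  [OWNER, STRANGER, READER, nil].each do |u|
    puts "#{u ? u.role : 'guest'}: destroy allowed = #{destroy_allowed?(u)}"
  end
end
```

Only the owner (and a super_admin) gets `true`; a super_read_admin can `:read` the recipe but not destroy it, and a guest gets `false`. If the real user 5 does own recipe 21, the authorization rules are not what produced the 401 in the log.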
Answer 0 (score: 0)
Answer, per the asker (see the comment below):
You have to make sure you include <%= csrf_meta_tags %> in your layout.
============================
(Original reply)
Judging from Completed 401 Unauthorized in 44ms, it looks like your user is not allowed to destroy this recipe. Check whether recipe.owner.id is 5 ...
Try this in the console:
user = User.find(5)
puts user.role
ability = Ability.new(user)
ability.can? :destroy, Recipe.find(21)
What is the output of the second and the last command?
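The accepted fix is about forgery protection rather than authorization, which the log does not make obvious. The following added example (not Rails' or Devise's code) models the sequence in plain Ruby: `Session`, `verified_request?`, `handle_request` and the sample values are constructed here. The behaviour it mirrors is Rails' default `handle_unverified_request` (Rails 3.0.4 and later), which resets the session on a non-GET request whose authenticity token does not match the one stored in the session, so the user is silently logged out before `authenticate_user!` runs and the filter then answers 401 and redirects to sign_in.

```ruby
require 'securerandom'

# Constructed stand-in for the Rails session store.
class Session
  def initialize(data = {})
    @data = data
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @data[key] = value
  end

  # What Rails' reset_session does: every key, including the Devise
  # user id, is dropped.
  def reset!
    @data = {}
  end
end

# The token csrf_meta_tags and form helpers embed in the page.
def csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Equivalent of Rails' verified_request?: safe methods always pass,
# any other method must carry the session's token.
def verified_request?(method, params, session)
  %w[GET HEAD].include?(method) ||
    params['authenticity_token'] == session[:_csrf_token]
end

# One request through forgery protection and then a Devise-style
# authenticate_user! filter. Returns [status, session]; 401 is the
# sign-in redirect from the log, 302 is the redirect after destroy.
def handle_request(method, params, session)
  session.reset! unless verified_request?(method, params, session) # handle_unverified_request
  return [401, session] unless session[:user_id]                   # authenticate_user! failed
  [302, session]                                                   # destroy ran, redirect to index
end

# Constructed logged-in session for user 5, the id seen in the log.
def logged_in_session
  session = Session.new(user_id: 5)
  csrf_token(session)
  session
end

# A form or AJAX request that included the token from csrf_meta_tags.
def request_with_token
  session = logged_in_session
  handle_request('POST', { 'authenticity_token' => csrf_token(session) }, session)
end

# The same request without the token: the session is wiped, then 401.
def request_without_token
  session = logged_in_session
  handle_request('POST', {}, session)
end

if __FILE__ == $0
  puts "with token:    #{request_with_token.first}"
  puts "without token: #{request_without_token.first}"
end
```

The telling sign in the original log is that the user was loaded (`User Load ... "users"."id" = 5`) and the request still ended in 401 with no CanCan::AccessDenied: the session was valid when the request arrived and was gone by the time the filter ran. A 403 or an AccessDenied exception would point at the Ability instead.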