CanCan not authorizing nested resource

Time: 2011-12-22 18:03:21

Tags: ruby-on-rails-3 cancan

I have a Ticket model and a TicketReply model:

class Ticket < ActiveRecord::Base
  has_many :replies, :class_name => "TicketReply"
end

class TicketReply < ActiveRecord::Base
  belongs_to :ticket, :class_name => "Ticket"
end

Here are my abilities:

class Ability
  include CanCan::Ability

  def initialize(user)    
    can :manage, Ticket,      :userid => user.id
    can :manage, TicketReply, :ticket => { :userid => user.id }
  end
end

And finally my TicketRepliesController:

class TicketRepliesController < AuthorizedController
  load_and_authorize_resource :ticket
  load_and_authorize_resource :ticket_reply, :through => :ticket

  def create
    if @ticket_reply.valid?
      # ...
    else
      # ...
    end
  end
end

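However, every time I try to create a ticket reply, I get the unauthorized message: "You are not authorized to access this page."

Edit: I can access the TicketsController via Ticket without any problem.

Any idea what I am missing?

1 answer:

Answer 0: (score: 0)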

In the controller's new and create actions, you need to wire the new ticket record up with current_user:

class TicketRepliesController < AuthorizedController
  # ... whatever code you have

  protected

  # override to do the wiring
  def build_resource
    resource = super
    resource.userid = current_user.id # wired!
    resource
  end
end

Now CanCan will see the link and allow it!
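
An added example, not part of the answer above and not CanCan's own code: a simplified stand-alone model of evaluating a nested hash condition such as :ticket => { :userid => user.id }, showing that a reply passes only when it is attached to a ticket owned by the user. SketchAbility, matches_conditions? and the Struct-based models are hypothetical stand-ins for the classes in the question.

```ruby
# Simplified model of nested hash-condition matching (constructed for
# illustration; not CanCan's source and not code from this thread).
User        = Struct.new(:id)
Ticket      = Struct.new(:userid)
TicketReply = Struct.new(:ticket)

# True only if every condition holds for the record. A nested Hash is
# checked against the associated record; a missing association (nil)
# never matches, so the check denies by default.
def matches_conditions?(record, conditions)
  conditions.all? do |attr, expected|
    actual = record.public_send(attr)
    if expected.is_a?(Hash)
      !actual.nil? && matches_conditions?(actual, expected)
    else
      actual == expected
    end
  end
end

# Hypothetical stand-in for the Ability class in the question.
class SketchAbility
  def initialize(user)
    @rules = {
      Ticket      => { :userid => user.id },
      TicketReply => { :ticket => { :userid => user.id } }
    }
  end

  # Unknown classes have no rule and are refused.
  def can_manage?(record)
    conditions = @rules[record.class]
    !conditions.nil? && matches_conditions?(record, conditions)
  end
end

# Constructed sample data: user 1 owns one ticket, user 2 owns the other.
def demo
  ability = SketchAbility.new(User.new(1))
  own     = Ticket.new(1)
  foreign = Ticket.new(2)
  {
    :reply_on_own_ticket     => ability.can_manage?(TicketReply.new(own)),
    :reply_on_foreign_ticket => ability.can_manage?(TicketReply.new(foreign)),
    :reply_without_ticket    => ability.can_manage?(TicketReply.new(nil))
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```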