How do you authorize access to a page handled by a controller without a corresponding model with Cancancan?


Problem description

A Spree admin controller without a corresponding model, whose access attempts redirect to another page.

The corresponding attempted code:

module Spree
  module Admin
    class TutorialsController < Spree::Admin::BaseController
      authorize_resource :class => false

      def index
      end
    end
  end
end

The following was added in app/models/spree/ability_decorator.rb:

  can :manage, :'tutorial'
  can :manage, :'admin/tutorial'
  can :manage, :'admin_tutorial'
  can :manage, :'spree/admin/tutorial'
  can :manage, :'spree_admin_tutorial'

But none of these authorizations will do the trick. Of course, adding can :manage, :all at this place will make the page reachable as desired, so this is definitely a solution close to the one needed, but one less permissive than that is looked for here. Even using skip_authorization_check in the controller won't do the trick; the request will be redirected to admin/products with these corresponding initial logs:

Started GET "/admin/tutorials" for 127.0.0.1 at 2020-04-30 17:11:28 +0200
Processing by Spree::Admin::TutorialsController#index as HTML
  Spree::Preference Load (2.9ms)  SELECT  "spree_preferences".* FROM "spree_preferences" WHERE "spree_preferences"."key" = $1 LIMIT $2  [["key", "spree/backend_configuration/locale"], ["LIMIT", 1]]
  ↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/bundler/gems/spree_i18n-a03ecad00a1e/lib/spree_i18n/controller_locale_helper.rb:21
  Spree::User Load (3.2ms)  SELECT  "spree_users".* FROM "spree_users" WHERE "spree_users"."deleted_at" IS NULL AND "spree_users"."id" = $1 ORDER BY "spree_users"."id" ASC LIMIT $2  [["id", 194], ["LIMIT", 1]]
  ↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98
  Spree::Role Load (3.4ms)  SELECT "spree_roles".* FROM "spree_roles" INNER JOIN "spree_role_users" ON "spree_roles"."id" = "spree_role_users"."role_id" WHERE "spree_role_users"."user_id" = $1  [["user_id", 194]]
  ↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98
  Spree::Producer Load (2.6ms)  SELECT  "spree_producers".* FROM "spree_producers" WHERE "spree_producers"."id" = $1 LIMIT $2  [["id", 16], ["LIMIT", 1]]
  ↳ app/models/spree/ability_decorator.rb:123
Redirected to http://localhost:5000/forbidden
Completed 302 Found in 80ms (ActiveRecord: 41.4ms)

And after a few other redirections, the request leads to the previously stated path.

  • Adding a Controller without corresponding model while using cancancan proposes a solution which unfortunately didn't work in this case.
  • How to authorize namespace, model-less controllers using CanCanCan? suggests the use of skip_authorization_check

Recommended answer

There was no need for a special ability after all in this case. The Spree::BaseController sets the correct permissions to grant the intended access, unlike Spree::Admin::BaseController. To keep the CSS style consistent, an explicit layout statement is required.

module Spree
  module Admin
    class TutorialsController < Spree::BaseController
      layout 'spree/layouts/admin'
      def index; end
    end
  end
end
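
An added example (not code from the question, the answer, CanCanCan or Spree): a simplified stand-in for CanCanCan's symbol-subject matching, showing which of the five rules from the question matches the subject that `authorize_resource :class => false` looks up for this controller, and how much wider `:all` is. `MiniAbility`, `subject_for` and `satisfying_rules` are hypothetical names, the singularization is a naive assumption that only covers this path, and `:order` is a constructed subject.

```ruby
# Added illustration: a simplified stand-in for symbol-subject matching.
# Not CanCanCan's or Spree's code; all names below are hypothetical.
class MiniAbility
  def initialize
    @rules = []
  end

  # Same shape as `can :manage, :tutorial` in an ability file.
  def can(action, subject)
    @rules << [action, subject]
  end

  # :manage stands for any action and :all for any subject; otherwise a
  # symbol subject must be exactly equal to the one being checked.
  def can?(action, subject)
    @rules.any? do |a, s|
      (a == :manage || a == action) && (s == :all || s == subject)
    end
  end
end

# Subject checked for a model-less controller: the last segment of the
# controller path, singularized (naive rule, an assumption for this path).
def subject_for(controller_path)
  controller_path.split('/').last.sub(/s\z/, '').to_sym
end

# The five subjects tried in the question.
QUESTION_SUBJECTS = %i[tutorial admin/tutorial admin_tutorial
                       spree/admin/tutorial spree_admin_tutorial].freeze

# Subjects that, each granted alone with :manage, satisfy the check.
def satisfying_rules(subjects, action, controller_path)
  wanted = subject_for(controller_path)
  subjects.select do |s|
    ability = MiniAbility.new
    ability.can(:manage, s)
    ability.can?(action, wanted)
  end
end

if __FILE__ == $PROGRAM_NAME
  path = 'spree/admin/tutorials' # path of Spree::Admin::TutorialsController
  p subject_for(path)                                 # subject looked up
  p satisfying_rules(QUESTION_SUBJECTS, :index, path) # rules that match it
  wide = MiniAbility.new
  wide.can(:manage, :all)
  p wide.can?(:destroy, :order) # :all also grants a constructed, unrelated subject
end
```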
