How do I set up my CanCanCan permissions correctly?


Problem description

I am a little confused about how to configure CanCanCan properly.

For starters, do I have to add load_and_authorize_resource to every controller resource I want to restrict access to?

This is what I would like to do:

  • Admin can manage and access all controllers and actions
  • Editor can read all, manage :newsroom, and can manage all Posts
  • Member can read every Post and can create & update Posts (not edit/delete/anything else), cannot access the newsroom. The difference between an update & edit post in our business rules is that an update is creating a new post that is a child post of the current post. So it isn't an edit. Just a new record with an ancestry association.
  • Guest can read every Post, but cannot create Posts nor access the Newsroom.

This is what my ability.rb looks like:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    # Admin
    if user.has_role? :admin
      can :manage, :all
      can :manage, :newsroom
    # Editor
    elsif user.has_role? :editor
      can :read, :all
      can :manage, :newsroom
      can :manage, Post
    # Member
    elsif user.has_role? :member
      can :read, :all
      can :create, Post
      can :status, Post
      can :update, Post do |post|
        post.try(:user) == user
      end
    # Guest
    else
      can :read, :all
      can :create, Post
      can :status, Post
    end
  end
end

In my routes.rb I have this:

  authenticate :user, lambda { |u| u.has_role? :admin or :editor } do
    get 'newsroom', to: 'newsroom#index', as: "newsroom"
    get 'newsroom/published', to: 'newsroom#published'
    get 'newsroom/unpublished', to: 'newsroom#unpublished'    
  end

What is happening, though, is that when I am logged in with a user that has not been assigned any roles (i.e. what I want to be a "Guest"), they can access the Newsroom.

When I try to edit a post with the role of :member, it gives me a "Not authorized to edit post" error (which is correct).

I just can't quite lock down the Newsroom, and I am not sure why.

Solution

For what it's worth, I had to set up my NewsroomController like this:

class NewsroomController < ApplicationController
  # No model backs the newsroom, so authorize against the :newsroom symbol
  authorize_resource :class => false
end

This is what the working version of my ability.rb looks like after I got it to work with the permissions I needed:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    # Roles
    # Admin
    if user.has_role? :admin
      can :manage, :all
    # Editor
    elsif user.has_role? :editor
      can :manage, :newsroom
      can :manage, Post
    # Member
    elsif user.has_role? :member
      can [:read, :create, :status], Post
      can :update, Post do |post|
        post.try(:user) == user
      end
    # Guest
    else
      can [:read, :status], Post
    end
  end
end
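The constraint in the question's routes.rb is worth checking on its own, as an added example that is not part of the question or answer: `u.has_role? :admin or :editor` parses as `(u.has_role? :admin) or :editor`, and the symbol `:editor` is always truthy, so every signed-in user satisfies the block regardless of role. The `User` class below is a constructed stand-in for the app's `User#has_role?`, and the sample users are constructed here.

```ruby
# Added example, not code from the original question or answer. It reproduces
# the routes.rb constraint from the question with a stand-in User#has_role?
# to show why role-less (logged-in) users were allowed into the Newsroom.
class User
  attr_reader :roles

  def initialize(*roles)
    @roles = roles
  end

  # Stand-in for the app's has_role?: true when the user holds the role.
  def has_role?(role)
    roles.include?(role)
  end
end

# The constraint exactly as written in the question. Ruby parses
#   u.has_role? :admin or :editor
# as (u.has_role?(:admin)) or (:editor). The symbol :editor is always
# truthy, so the lambda is truthy for every authenticated user.
BUGGY_CONSTRAINT = lambda { |u| u.has_role? :admin or :editor }

# Corrected constraint: check each role explicitly and combine the
# boolean results, so only admins and editors pass the route guard.
FIXED_CONSTRAINT = lambda { |u| u.has_role?(:admin) || u.has_role?(:editor) }

# Evaluate a constraint for each user; returns a label => allowed? map.
def newsroom_access(constraint, users)
  users.each_with_object({}) do |(label, user), result|
    result[label] = constraint.call(user) ? true : false
  end
end

# Constructed sample users: one per role from the question, plus a
# logged-in user with no roles (the "Guest" case that leaked through).
SAMPLE_USERS = {
  admin:  User.new(:admin),
  editor: User.new(:editor),
  member: User.new(:member),
  guest:  User.new
}

if __FILE__ == $0
  puts "buggy: #{newsroom_access(BUGGY_CONSTRAINT, SAMPLE_USERS)}"
  puts "fixed: #{newsroom_access(FIXED_CONSTRAINT, SAMPLE_USERS)}"
end
```

The route constraint only guards the URL, so the ability rules in the answer are still needed for `authorize_resource :class => false` to deny the Newsroom actions themselves.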
