Rails的康康舞和状态机 - 授权状态 [英] Rails cancan and State Machine - Authorizing states

问题描述

我一直在使用这两个真棒宝石，state_machine和康康舞最近在我的Rails应用程序，但我很好奇，他们干净利落整合的最佳途径。
目前，我已经放置在参加由控制器授权操作的按钮状态转换。这完美的作品，我可以限制谁可以执行该操作。

I've been using the two awesome gems, state_machine and cancan recently in my rails application but I'm curious as to the best way to integrate them cleanly. Currently I've placed state transitions on buttons that go on actions authorized by the controller. This works perfectly, I can restrict who can perform that action.

我想给用户更改编辑表单对象的状态和能力。我注意到，state_machine将拿起散列中state_event键，配合动作的值来执行（因此它会经过所有state_machines回调）。
这可以通过update_attributes方法params哈希表进行传递。太棒了。

I would like to give the user the ability to change the objects state in the edit form as well. I've noticed that state_machine will pick up on the state_event key in the hash, with the value of the action to perform (so it will go through all of state_machines callbacks). This can be passed in with the params hash in update_attributes. Fantastic.

但是只有特定的用户应该能够改变对象的某些状态。我将如何实现这个？这个想法是，

However only certain users should be able to change the object to certain states. How would I implement this?. The idea is that

params['state_event']=='move_to_x'

应该摆脱困境对于一些用户，但不允许他人。这也涉及到我，直到我实现这个授权部分聪明的用户可以发布状态事件里的任何东西，即使他们不应该被允许呢！

Should bail out for some users but be allowed for others. It also concerns me as until I implement this is the authorization part a clever user could post anything inside state event, even if they shouldn't be allowed too!.

推荐答案

这实际上并没有那么可怕，因为我以为，我已经在保持code，而短期和CURRENT_USER出的一种方式做到了我的模型（所以大加）。

This wasn't actually as terrible as I thought, and I've done it in a way that keeps the code rather short and current_user out of my models (so big plus).

诀窍是调用控制器重新授权。

The trick was to call authorize again in the controller.

基本上

def update
  authorize! params[:object][:state_event].to_sym, @object unless params[:object][:state_event].empty?
  .... etc
end

这样我可以别名Ability.rb。因此，用户可以做的动作将被授权，并且用户不能将得到异常。这也是真棒，因为它是我将使用的基础按钮动作相同的能力。

This way I can just aliases in Ability.rb. So users that can do the action will be authorized, and users that cannot will get the exception. This is also awesome as it's the same ability I'll be using on the button based actions.

唯一需要注意的是，你不能使用@ object.state_transistions获得可用状态，用户可以过渡到一个列表，但它应该有可能通过某种helper方法来做到这一点。

The only caveat, is that you can't use @object.state_transistions to get a list of the available states the user can transition to, but it should be possible to do this via some sort of helper method.

更新：虽然像层的观点得到那些国家是很容易的。

UPDATE: though getting those states in a view like layer is easy enough

我使用的简单的形式，所以我只是一个集合的输入，使得

i'm using simple form so I just a collection input such that

 ..... collection: @object.status_transistions.select{|t| can? t.event, @object}

这离开选择所有的跃迁的目标可以顺利通过，并且用户也有权这样做。）

Which leaves the select with all the transistions the object can go through, and that the user is also authorized to do :).

这篇关于Rails的康康舞和状态机 - 授权状态的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！