How do I restrict the currently logged in user to only see products that belong to them?

Problem description

If a user is logged in with a specific role - vendor - they should only see items that they have created in their store. They should not be able to see products from other vendors.

So I am trying to do this in my authorization (using Devise, CanCan, Rolify).

I tried this:

user ||= User.new # guest user (not logged in)
if user.has_role? :vendor
  can :dashboard
  can :manage, [Product, Vendor], :vendor_id => user.id
  can :view, [Product], :vendor_id => user.id
end

But....haven't had much luck with that...what am I missing?

Edit 1

I know that I can restrict the products in the controller like:

 @product = current_user.products

But that's not what I am looking for. In this case, a vendor (i.e. user with role :vendor) should only be able to see products they added to the store, but they shouldn't be able to see products that other vendors add. However, a buyer (i.e. a user with role :buyer) should be able to see all the products from all buyers (as will an admin/etc). A buyer won't be able to see the prices, and some other attributes on some of the products, etc.

How can I achieve all of that?

Recommended answer

In the controller you can only find the products belonging to that user.

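def show
  # Scoped lookup: raises ActiveRecord::RecordNotFound when the id is not among @user's products
  @product = @user.products.find(params[:id])
  # ...
end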

Same applies to edit and update action. Cancan in this case is not required.
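
The ownership-scoped lookup from the answer, combined with the role rules from the question's edit, as an added example in plain Ruby (not code from the original post). The `Product`/`User` structs, the sample records, the helper names and the assumption that `vendor_id` equals the vendor user's id are all made up for illustration; in Rails the first rule corresponds to `current_user.products.find(params[:id])`.

```ruby
# Added example (plain Ruby, no Rails). All names and records are hypothetical.
Product = Struct.new(:id, :vendor_id, :name, :price)
User    = Struct.new(:id, :role)

class NotFound < StandardError; end

PRODUCTS = [                      # constructed sample records
  Product.new(1, 10, "Widget", 5.0),
  Product.new(2, 10, "Gadget", 7.5),
  Product.new(3, 20, "Gizmo",  9.0)
].freeze

# Role decides which records are reachable at all. Unknown roles get nothing.
def visible_products(user)
  case user.role
  when :vendor        then PRODUCTS.select { |prod| prod.vendor_id == user.id }
  when :buyer, :admin then PRODUCTS
  else []
  end
end

# Role decides which attributes are returned; buyers never receive the price.
def present(product, user)
  attrs = product.to_h
  attrs.delete(:price) if user.role == :buyer
  attrs
end

# Every lookup by id goes through the scope, like @user.products.find(id).
# A foreign id and a nonexistent id fail the same way, so ids cannot be probed.
def find_product(user, id)
  product = visible_products(user).find { |prod| prod.id == Integer(id) }
  raise NotFound, "Couldn't find Product with id=#{id}" unless product
  present(product, user)
end

if __FILE__ == $PROGRAM_NAME
  vendor_a = User.new(10, :vendor)
  p find_product(vendor_a, 1)              # own product, price included
  begin
    find_product(vendor_a, 3)              # belongs to vendor 20
  rescue NotFound => e
    puts "vendor 10 -> id 3: #{e.message}"
  end
  p find_product(User.new(99, :buyer), 3)  # visible, price omitted
end
```

The same scope has to back `show`, `edit`, `update` and any list action; a single unscoped `Product.find(params[:id])` anywhere reopens cross-vendor access.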
