我正在使用cancan(can(和design来控制Ruby on Rails应用程序中的用户权限。我的用户模型有四个列举的角色:
class User < ApplicationRecord
enum role: {location: 0, basic: 1, admin: 2, moderator: 3}
我想做的是定义每个角色在能力中可以控制的角色。rb
我的能力.rb目前看起来是这样的:
if user.basic?
can :read, :all
can :active_orders_index, Order
can :search_orders, Order
can :focused_show, Location
can :mark_task_completed, Task
can :finish_task, Task
cannot :create, User
elsif user.location?
can :read, Location
can :focused_show, Location
elsif user.admin?
can :manage, :all
elsif user.moderator?
can :manage, :all
end
在这个例子中,我所要做的就是阻止基本用户创建用户。在当前的形式中,基本用户能够创建用户(由于未经授权,cancan不会重定向(,这不是预期的效果。我相信这是因为:create方法来自我的用户控制器,它没有被用来生成用户。我正在使用Devise的new_user_registration进行新的注册。
最简单的问题形式:
有没有办法做类似->的事情
cannot :sign_up, User.where(:role => 'moderator')我可以指定哪些角色可以管理哪些其他角色?
我应该使用什么样的Devise控制器/方法来设置这些限制?
很抱歉,如果这个问题已经得到了回答,我在维基上读了关于定义能力和Devise的内容,但没有弄清楚。
提前感谢,我可以提供任何其他需要的代码片段,这将有所帮助!
应用程序控制器:我已经注释掉了加载和授权,并将其移动到其他控制器的开头,因为它会导致不必要的行为(我不记得具体是什么(。
class ApplicationController < ActionController::Base
#load_and_authorize_resource
protect_from_forgery with: :exception
before_action :configure_permitted_parameters, if: :devise_controller?
rescue_from CanCan::AccessDenied do |exception|
respond_to do |format|
format.json { head :forbidden, content_type: 'text/html' }
format.html { redirect_to main_app.new_user_session_url, notice: exception.message }
format.js { head :forbidden, content_type: 'text/html' }
end
end
def after_sign_in_path_for(resource)
if resource.role == 'location'
location_focused_path(Location.find_by(name: resource.username))
elsif resource.role == 'basic'
locations_path
elsif resource.role == 'admin'
active_orders_path
elsif resource.role == 'moderator'
active_orders_path
end
end
protected
def configure_permitted_parameters
added_atrs = [:role, :username, :email]
devise_parameter_sanitizer.permit(:sign_up, keys: added_atrs)
devise_parameter_sanitizer.permit(:account_update, keys: added_atrs)
end
end
注册控制器:由Devise生成
class Users::RegistrationsController < Devise::RegistrationsController
#load_and_authorize_resource
skip_before_action :require_no_authentication, only: [:new, :create, :cancel]
# POST /resource
def create
build_resource(sign_up_params)
# yield resource if block_given?
# ^ I removed this line otherwise identical to teh source code
resource.save
if resource.persisted?
if resource.active_for_authentication?
set_flash_message! :notice, :signed_up
sign_up(resource_name, resource)
respond_with resource, location: after_sign_up_path_for(resource)
else
set_flash_message! :notice, :"signed_up_but_#{resource.inactive_message}"
expire_data_after_sign_in!
respond_with resource, location: after_inactive_sign_up_path_for(resource)
end
else
clean_up_passwords resource
set_minimum_password_length
respond_with resource
end
end
# Signs in a user on sign up. You can overwrite this method in your own
# RegistrationsController.
def sign_up(resource_name, resource)
true
end
end
答案非常简单:
if user.present?
if user.basic?
can :read, :all
can :active_orders_index, Order
can :search_orders, Order
can :focused_show, Location
cannot :mark_task_completed, Task
can :finish_task, Task
cannot :manage, User # ADDED LINE
elsif user.location?
can :read, Location, :name => user.username
can :focused_show, Location, :name => user.username
cannot :manage, User
elsif user.admin?
can :manage, :all
cannot :manage, User, role: 3 # ADDED LINE
elsif user.moderator?
can :manage, :all
end
end
在我的能力范围内。rb