我有一个嵌套的资源,我正在使用cancan来进行授权。我需要能够访问父对象,以便能够授权孩子的:index操作(因为没有子实例用于:index操作)。
# memberships_controller.rb
class MembershipsController < ApplicationController
...
load_and_authorize_resource :org
load_and_authorize_resource :membership, through: :org
..
end
能力.rb
can [:read, :write], Membership do |membership|
membership.org.has_member? user
end
这对:索引动作
不起作用不幸的是,索引操作没有与之关联的任何会员实例,因此您无法返回以检查权限。
为了检查权限,我需要询问父对象(org),并询问当前用户是否是成员,例如
# ability.rb
...
can :index, Membership, org: { self.has_member? user }
cancan几乎让我这样做...
cancan指出,您可以使用以下机制访问父属性:https://github.com/ryanb/cancan/wiki/nested-resources#wiki-accessing-parent-ner-yability
# in Ability
can :manage, Task, :project => { :user_id => user.id }
但是,这只是通过比较对我的情况不起作用的属性来起作用的。
我如何访问父对象本身?
有什么方法可以在权限内访问父对象本身?
我最近遇到了相同的问题,并最终出现以下内容(假设您有Org模型):
class MembershipsController < ApplicationController
before_action :set_org, only: [:index, :new, :create] # if shallow nesting is enabled (see link at the bottom)
before_action :authorize_org, only: :index
load_and_authorize_resource except: :index
# GET orgs/1/memberships
def index
@memberships = @org.memberships
end
# ...
private
def set_org
@org = Org.find(params[:org_id])
end
def authorize_org
authorize! :access_memberships, @org
end
end
能力。rb:
can :access_memberships, Org do |org|
org.has_member? user
end
有用的链接
https://github.com/ryanb/cancan/issues/301
http://guides.rubyonrails.org/routing.html#shallow-nesting
你不能这样做吗?
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
can :index, Membership, org: {id: user.memberships.map(&:org_id)}
end
end