我們可以根據父母關聯檢查子對象的權限嗎?使用CanCan通過父母關聯授權子對象
我有一個Group
(父母)和User
,通過Membership
(協會)之間的多對多關聯(見下面的關聯)。我有一個Event
(兒童)模型屬於Group
和User
。 Membership
有一個名爲role
的列,這是我想基於我的權限。
我想確保user
只能創建一個event
如果user
是,event
屬於group
的owner
。通過owner
我的意思是有Membership.where(user_id: user, group_id: group, role: 'admin')
記錄。
該文檔在Accessing Parent in Ability下暗示了這一點,但他們沒有提及關聯關係。
# in Ability
can :manage, Task, :project => { :user_id => user.id }
爲此例如翻譯成我的使用情況:
# in Ability
can :create, Event, :group => { group.owner == user }
我已經有一個group.owner設置:
class Membership < ActiveRecord::Base
belongs_to :user
belongs_to :group, inverse_of: :memberships
end
class User < ActiveRecord::Base
has_many :memberships
has_many :groups, through: :memberships
has_many :ownerships, class_name: 'Membership', conditions: { role: 'admin' }
has_many :owned_groups, through: :ownerships, source: :group
has_many :events
end
class Group < ActiveRecord::Base
has_many :memberships
has_many :users, through: :memberships
has_one :ownership, class_name: 'Membership', conditions: { role: 'admin' }
has_one :owner, through: :ownership, source: :user
has_many :events
end
class Event < ActiveRecord::Base
belongs_to :organizer, class_name: 'User', foreign_key: 'user_id'
belongs_to :group
end
任何想法如何做到這一點?
什麼你的控制器是什麼樣子? –
我希望我能告訴你,但是我們拋棄了CanCan,因爲它已經升級到了Rails 4。 – Mohamad