0
我在允許管理員用戶僅查看和編輯他創建的用戶時遇到問題。 我有一個分層系統:超級用戶>管理員>其他用戶 我的超級用戶可以編輯所有用戶,但我的管理員用戶只能編輯自己。爲了解決這個問題,我有一個creator_id參數,它爲creator_id賦予與當前用戶的id匹配的新用戶。Cancan限制對用戶的訪問(Ruby on Rails)
我的用戶控制器:
class UsersController < ApplicationController
#CanCan resource will generate a 500 error if unauthorized
load_and_authorize_resource :user
# GET /users
# GET /users.json
def index
@users = User.all
respond_to do |format|
format.html # index.html.erb
format.json { render json: @users }
end
end
# GET /users/1
# GET /users/1.json
def show
@user = User.find(params[:id])
respond_to do |format|
format.html # show.html.erb
format.json { render json: @user }
end
end
# GET /users/new
# GET /users/new.json
def new
@user = User.new
respond_to do |format|
format.html # new.html.erb
format.json { render json: @user }
end
end
# GET /users/1/edit
def edit
@user = User.find(params[:id])
#User.find(session[:user])
end
# POST /users
# POST /users.json
def create
@user = User.new(params[:user])
@user.creator = current_user
respond_to do |format|
if @user.save
format.html { redirect_to @user, notice: 'Registration successful.' }
format.json { render json: @user, status: :created, location: @user }
else
format.html { render action: "new" }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
# PUT /users/1
# PUT /users/1.json
def update
@user = User.find(params[:id])
#@user = current_user
respond_to do |format|
if @user.update_attributes(params[:user])
format.html { redirect_to @user, notice: 'Successfully updated profile.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
@user = User.find(params[:id])
@user.destroy
respond_to do |format|
format.html { redirect_to users_url }
format.json { head :no_content }
end
end
end
和我ability.rb文件:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new #Guest user w/o account
#Permissions on what pages can be seen by which users, and what
#Users can do with those pages
if user.status == "Super User"
can :manage, :all
elsif user.status == "Admin"
can :manage, Book
can [:create,:new], User
can [:show, :update], User, :id => user.id
can :manage, User, :creator_id => user.id
end
end
end
我沒有檢查數據庫,並且當前用戶的ID正確地分配給新的creator_id用戶。我只是卡住了。坎康一直否認更新這些用戶的許可,我不知道爲什麼。任何幫助表示讚賞!
編輯我的用戶模型:
class User < ActiveRecord::Base
has_many :books
has_many :listings
has_many :orders
belongs_to :organizations
belongs_to :creator, class_name: 'User'
attr_accessible :password, :email, :first_name, :last_name, :password_confirmation, :status, :username
acts_as_authentic
validates :first_name, :presence => true
validates :last_name, :presence => true
validates :username, :presence => true, :uniqueness => true
validates :email, :presence => true, :uniqueness => true
validates :status, :presence => true
end
你有沒有在應用程序中定義角色? – David
我確實定義了角色。除了我將它作爲用戶稱爲狀態的屬性。所以user.status定義了用戶的角色 – CimmerianMuse
您是否定義了:用戶模型中的「status」?這個例子可能是這樣的 - https://gist.github.com/anonymous/5686257進一步,我建議看看:http://starqle.com/articles/rails-3-authentication-and-authorization -with-devise-and-cancan-part-1/ – David