在色器件分配角色/康康舞/ deviseldap/rolify和使用ldap_param_value

Question

底線前面： 我如何分配從LDAP角色時，馬上在

用戶登錄我使用設計/康康舞/ deviseldap/rolify來驗證用戶，然後希望分配一個角色。我接近我認爲得到這個工作。我擁有的是一個自定義的初始化工具，只有在他們的ldap條目中有某個memberOf時，才允許用戶進入應用程序。

這個工程得益於親切的幫助下從人在這個線程：

checking groups at runtime with devise and devise_ldap_authenticatable

所以，現在是時候了，我要分配角色，在網絡上圍繞曳後，我想也許最好的辦法是來自devise的user.rb中的after_create。我有這些的memberOf的在config /初始化，但通過我試圖在user.rb什麼下面描述不能在user.rb訪問到它們後面，如：

class User < ActiveRecord::Base 
    after_create :assign_role 
    ... 
    ... 
    private 
    def assign_role 
    puts "Assigning role!" 
    member_of = self.ldap_param_value("memberOf") #get array #i know self here is wrong 
    member_of.each do |str| 
    if str.include? 'Help Desk Admin' 
     self.roles << "admin" 
    end 
    if str.include? 'Password Manager' 
     self.roles << "password_manager" 
    end 
    if str.include? 'Security' 
    self.roles << "security" 
    end 
    if str.include? 'Help Desk' 
    self.roles << "help_desk" 
    end 
    end 

puts "roles assigned!" 
self.update 
end 

最大的問題（有很多我還是一個紅寶石noobie）是，我有一個方法ldap_param_value的調用，我知道調用它在自己是不正確的，我得到這個代碼在config/initializer/customdevise.rb中工作相同的行（這是我的前門抓住所有檢查）:(我知道我需要實例化正確的對象才能訪問上面的ldap_param_value，但不知道它是什麼）。我以爲自己是：制定:: LdapAdapter，但我想上面，它仍然沒有工作：

Devise::LdapAdapter.ldap_param_value(...)

出於完整性我config/initializer/customedevise.rb

Devise::LdapAdapter::LdapConnect.class_eval do 
    def user_group_test 
    member_of = self.ldap_param_value("memberOf") #self works here... 
    checkgroups member_of # your group test method end 

def checkgroups(members) 
    retVal = false 
    members.each do |str| 
    if str.include? 'Help Desk Admin' or str.include? 'Password Manager' or str.include? 'Security' or str.include? 'Help Desk' 
     retVal = true; 
    end 
    end 
    return retVal 
end 
# 'CN=Password Manager' 
# 'CN=Help Desk' 
# 'CN=Help Desk Admin' 
# 'CN=Security' 


def authorized? 
DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}") 
    if !user_group_test 
    DeviseLdapAuthenticatable::Logger.send("Not authorized because custom authentication failed.") 
    return false 
    elsif !authenticated? 
    DeviseLdapAuthenticatable::Logger.send("Not authorized because not authenticated.") 
    return false 
    elsif !in_required_groups? 
    DeviseLdapAuthenticatable::Logger.send("Not authorized because not in required groups.") 
    return false 
    elsif !has_required_attribute? 
    DeviseLdapAuthenticatable::Logger.send("Not authorized because does not have required attribute.") 
    return false 
    else 
    return true 
    end 
end 
end 

注：另一個缺陷是以上該設計不知道爲什麼認證失敗......我忍受了這一點，並改變了devise.en.yml文件invalid:以包括更多信息：

en: 
    devise: 
    confirmations: 
    confirmed: "Your account was successfully confirmed. You are now signed in." 
    send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes." 
    send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes." 
    failure: 
    already_authenticated: "You are already signed in." 
    inactive: "Your account was not activated yet." 
    invalid: "Invalid email or password. Or not a member of the correct group" 

     ..etc... 

Answer 1

這很簡單，

1. 一個表的權限將有可能被用戶執行的所有車型和行動。
2. 權限HABTM用戶和用戶HABTM權限
3. 角色的has_many用戶，用戶belongs_to的角色
4. 角色HABTM權限和權限HABTM角色

5. 如果建立上述所有協會以及基於CURRENT_USER ID，就可以檢索用戶的什麼作用和檢索他們的權限和這些權限將通過下列方法能力的類實例化，

    def initialize(user) 
        user.role.permissions.each do |permission| 
         if permission.subject_class == "all" 
         can permission.action.to_sym, permission.subject_class.to_sym 
         else 
         can permission.action.to_sym, permission.subject_class.constantize 
        end 
        end 
       end 
   

此鏈接顯示如何做到這一點，

http://blog.joshsoftware.com/2012/10/23/dynamic-roles-and-permissions-using-cancan/