CanCan not showing authorized view elements

I'm trying to get some basic authentication/authorization going with Devise/CanCan in Rails. Rather than following Ryan B's screencasts and the other examples, I'm trying to do something basic:

1 - Users can log in
2 - Users can only edit/destroy their own articles (no roles: either you are logged in and can create new articles and edit/destroy your own, or you are logged out and can only view articles and log in)

I'm using Devise for the first part, and that works fine, but I can't get the second part with CanCan to work. The edit and destroy links for an article don't show when you are logged in, and a direct URL (e.g. /articles/3/edit) is still allowed even when the article belongs to another user.

My ability.rb is:
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user
    if user.nil?
      can :read, :all
    else
      # can :manage, :all #test - with this, all the edit/destroy links appear
      can :manage, Article, :user_id == user
    end
  end
end
articles_controller.rb:
class ArticlesController < ApplicationController
  before_filter :authenticate_user!, :except => [:index, :show] # for Devise
  load_and_authorize_resource

  # GET /articles
  # GET /articles.xml
  def index
    @articles = Article.all
    respond_to do |format|
      format.html # index.html.erb
      format.xml  { render :xml => @articles }
    end
  end

  # GET /articles/1
  # GET /articles/1.xml
  def show
    @article = Article.find(params[:id])
    respond_to do |format|
      format.html # show.html.erb
      format.xml  { render :xml => @article }
    end
  end

  # GET /articles/new
  # GET /articles/new.xml
  def new
    @article = Article.new
    respond_to do |format|
      format.html # new.html.erb
      format.xml  { render :xml => @article }
    end
  end

  # GET /articles/1/edit
  def edit
    @article = Article.find(params[:id])
  end

  # POST /articles
  # POST /articles.xml
  def create
    @article = Article.new(params[:article])
    @article.user = current_user
    respond_to do |format|
      if @article.save
        format.html { redirect_to(articles_path, :notice => 'Article was successfully created.') }
        format.xml  { render :xml => articles_path, :status => :created, :location => articles_path }
      else
        format.html { render :action => "new" }
        format.xml  { render :xml => @article.errors, :status => :unprocessable_entity }
      end
    end
  end

  # PUT /articles/1
  # PUT /articles/1.xml
  def update
    @article = Article.find(params[:id])
    respond_to do |format|
      if @article.update_attributes(params[:article])
        format.html { redirect_to(@article, :notice => 'Article was successfully updated.') }
        format.xml  { head :ok }
      else
        format.html { render :action => "edit" }
        format.xml  { render :xml => @article.errors, :status => :unprocessable_entity }
      end
    end
  end

  # DELETE /articles/1
  # DELETE /articles/1.xml
  def destroy
    @article = Article.find(params[:id])
    @article.destroy
    respond_to do |format|
      format.html { redirect_to(articles_url) }
      format.xml  { head :ok }
    end
  end
end
And the view partial that lists the articles, _article_list.html.erb:
<table>
  <tr>
    <th>Title</th>
    <th>Description</th>
    <th>User</th>
    <th></th>
    <th></th>
    <th></th>
  </tr>
  <% @articles.each do |article| %>
    <tr>
      <td><%= article.title %></td>
      <td><%= article.description %></td>
      <td><%= article.user_id %></td>
      <td><%= link_to 'Show', article %></td>
      <% if can? :update, @article %>
        <td><%= link_to 'Edit', edit_article_path(article) %></td>
      <% end %>
      <% if can? :destroy, @article %>
        <td><%= link_to 'Destroy', article, :confirm => 'Are you sure?', :method => :delete %></td>
      <% end %>
    </tr>
  <% end %>
</table>
With this setup, the edit/destroy links don't show in the view unless there is a blanket can :manage, Article, and even that doesn't work. As I mentioned above, it also doesn't restrict the actual actions, because you can link directly to editing an article and it is allowed.

I'm not sure what I'm doing wrong here. Some help would be great.

Thanks in advance,
Jason

Thanks for the response Shadwell. Yes, I'm sure that after trying so many different things, some things have gone astray by now. I made the adjustments you suggested but still get the same result. I don't know whether it matters, but if I use the long form, can :manage, Article do |article| article.try(:user_id) == user.id end, I get the error "undefined method 'user_id' for :index:Symbol" – Jason 2010-09-28 12:17:20
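The two mistakes in the question can be checked offline with the stand-in below. This is an added example, not code from the question or from the CanCan gem: it is a minimal `Ability` that mimics how CanCan matches a hash of conditions against a subject's attributes (and, as CanCan does, treats a falsy conditions argument as no restriction at all), with hypothetical `User`/`Article` structs in place of the real models.

```ruby
# Stand-in for CanCan's Ability (constructed for this example, not the gem).
User    = Struct.new(:id)
Article = Struct.new(:id, :user_id)

class Ability
  def initialize
    @rules = []
  end

  # Like CanCan's `can(action, subject, conditions)`: a falsy conditions
  # argument becomes {} (no restriction). `:user_id == user` is exactly that
  # case, because a Symbol never equals a User, so it evaluates to false.
  def can(action, klass, conditions = nil)
    @rules << [action, klass, conditions || {}]
  end

  # A rule matches when the subject is an instance of the rule's class, the
  # action matches (:manage covers every action) and every condition holds.
  def can?(action, subject)
    @rules.any? do |act, klass, conds|
      next false unless subject.is_a?(klass)
      next false unless act == :manage || act == action
      conds.all? { |attr, value| subject.public_send(attr) == value }
    end
  end
end

# The rule as written in the question: grants :manage on every Article.
def buggy_ability(user)
  ability = Ability.new
  ability.can :manage, Article, :user_id == user   # false -> {} -> unrestricted
  ability
end

# Corrected rule: compare the article's user_id with the current user's id.
def fixed_ability(user)
  ability = Ability.new
  ability.can :manage, Article, :user_id => user.id
  ability
end

# Simulates the index partial: `article` is the each-block variable, while
# `@article` is never assigned in #index, so `can? :update, @article` asks
# about nil and is always false, hiding the links even for the owner.
def edit_link_visible?(ability, article, use_ivar: false)
  ability.can?(:update, use_ivar ? nil : article)
end
```

With the corrected rule, `load_and_authorize_resource` in the controller also rejects a direct /articles/3/edit request from a non-owner, since the same ownership condition is what it evaluates.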