Rails CanCan authorization for nested resources

8

I have a Project resource nested inside a User resource.

My CanCan Ability class is:

class Ability
  include CanCan::Ability
  def initialize(user)
    #everyone
    can :read, Project

    if user.blank? 
      # guest user
      ...
    else
      #every signed in user

      case user.role
        when User::ROLES[:admin] 
          #only admin role user
          can :manage, :all

        when User::ROLES[:member] 
          #only member role user
          can :update, User, :id => user.id
          can [:create, :update, :destroy], Project, :user_id => user.id
        else

      end
    end
  end
end

The projects controller:

class ProjectsController < ApplicationController
  load_and_authorize_resource :user
  # singular resource name: loads @project through @user
  load_and_authorize_resource :project, :through => :user, :shallow => true
  ...
end

I have a couple of questions:

Is it possible to deny users read access to User while allowing read access to Project, so that everyone can reach /users/10/projects but not /users/10 or /users?

How do I deny a user access to the :new action under a different user_id? For example, if I add

#everyone
can :read, User
can :read, Project

this code allows the user with ID 42 to access /user/41/projects/new.

1 Answer

11

Solved it with the following:

class Ability
  include CanCan::Ability

  def initialize(user)
    #everyone
    can :read, Project

    can :read, User # required to access nested resources
    cannot :index, User
    cannot :show, User

    if user.blank? 
      # guest user
      ...
    else
      #every signed in user

      case user.role
        when User::ROLES[:admin] 
          #only admin role user
          can :manage, :all

        when User::ROLES[:member] 
          #only member role user
          can :update, User, :id => user.id
          can :manage, Project, :user => { :id => user.id }
        else

      end
    end
  end
end
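
The answer's rule set run against a small stand-in for CanCan::Ability, added here as an example (not code from the question, the answer or the gem): it shows the two behaviours the fix relies on, a later cannot overriding can :read, User for :index and :show, and :new (an alias of :create) on a project built under another user's id failing the :user => { :id => user.id } condition. The models are constructed Structs, roles are plain symbols standing in for User::ROLES, and only the rules are exercised, not load_and_authorize_resource.

```ruby
# Simplified stand-in for CanCan::Ability (not the gem): the last matching rule wins, :manage
# covers every action, :read/:create/:update carry CanCan's aliases, hash conditions recurse.
module MiniAbility
  ALIASES = { read: [:index, :show], create: [:new], update: [:edit] }.freeze
  Rule    = Struct.new(:allow, :actions, :subject, :conditions)
  def can(actions, subject, **conds);    add_rule(true,  actions, subject, conds); end
  def cannot(actions, subject, **conds); add_rule(false, actions, subject, conds); end
  def can?(action, subject)
    rule = Array(@rules).reverse.find { |r| matches?(r, action, subject) }
    rule ? rule.allow : false      # no matching rule at all means denied
  end

  def add_rule(allow, actions, subject, conditions)
    actions = Array(actions).flat_map { |a| [a, *ALIASES.fetch(a, [])] }
    (@rules ||= []) << Rule.new(allow, actions, subject, conditions)
  end

  def matches?(rule, action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    (rule.subject == :all || rule.subject == klass) &&
      (rule.actions.include?(:manage) || rule.actions.include?(action)) &&
      (subject.is_a?(Class) || conditions_match?(rule.conditions, subject))
  end

  def conditions_match?(conditions, obj)   # user: { id: 42 } checks project.user.id
    conditions.all? do |attr, expected|
      value = obj.public_send(attr)
      expected.is_a?(Hash) ? conditions_match?(expected, value) : value == expected
    end
  end
end

User    = Struct.new(:id, :role)   # constructed stand-in models, not ActiveRecord
Project = Struct.new(:id, :user)
class Ability                      # the answer's rules; roles are plain symbols here
  include MiniAbility
  def initialize(user)
    can :read, Project
    can :read, User                # needed to reach the nested route
    cannot :index, User
    cannot :show, User
    return if user.nil?            # guest
    case user.role
    when :admin  then can :manage, :all
    when :member
      can :update, User, id: user.id
      can :manage, Project, user: { id: user.id }
    end
  end
end
```

With these rules a guest gets can?(:show, Project) but not can?(:index, User), and member 42 gets can?(:new, project) only when project.user.id is 42.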
