我有一个项目资源,它嵌套在用户资源中。
我的Cancan权限类是:
class Ability
include CanCan::Ability
def initialize(user)
#everyone
can :read, Project
if user.blank?
# guest user
...
else
#every signed in user
case user.role
when User::ROLES[:admin]
#only admin role user
can :manage, :all
when User::ROLES[:member]
#only member role user
can :update, User, :id => user.id
can [:create, :update, :destroy], Project, :user_id => user.id
else
end
end
end
end
项目控制器:
class ProjectsController < ApplicationController
load_and_authorize_resource :user
load_and_authorize_resource :projects, :through => :user, :shallow => true
...
end
我有几个问题:
是否可以拒绝用户读取 User,但允许读取 Project,这样每个人都可以访问 /users/10/projects,但不能访问 /users/10 或 /users?
如何拒绝用户访问具有其他 user_id 的 :new 操作?例如,如果我添加
#everyone
can :read, User
can :read, Project
这段代码允许ID为42的用户访问/user/41/projects/new。