我有用户
class User < ActiveRecord::Base
devise :database_authenticatable,
:recoverable, :rememberable, :trackable, :validatable
attr_accessible :email, :password, :password_confirmation,
:remember_me, :site_id, :role_name
belongs_to :site
end
网站
class Site < ActiveRecord::Base
has_many :users
has_one :front_page_campaign
end
和 front_page_campaigns
class FrontPageCampaign < ActiveRecord::Base
belongs_to :site
end
我正在使用 cancan 来限制访问,因此用户只能为自己的站点管理 front_page_campaigns:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
case user.role_name
when "super_admin"
# can do everything
can :manage, :all
when "editor"
# can edit content for their site
can [:create, :read, :update], FrontPageCampaign, site_id: user.site_id
end
end
end
这对于具有 role_name 的用户super_admin
以及editor
on show 和 edit on非常有效front_page_campaigns
。但是当一个editor
尝试创建一个新的front_page_campaign时,我收到了一个cancan禁止通知
You are not authorized to access this page.
标准表单提供了所有站点的下拉框,我想我需要将其限制为用户自己的站点。我该怎么做呢?