0

我似乎无法批准该web_videos_display操作的授权。我可以通过使用 使其工作,skip_authorize_resource但是任何用户都可以通过知道:id. 我需要访问asset“查看”文件。

感谢您对此进行调查。

assets_controller.rb

...
class AssetsController < ApplicationController

  load_and_authorize_resource :team
  load_and_authorize_resource :through => :team

  # skip_authorize_resource :only => [:web_videos_display, ...]
  # skip_authorize_resource :team, :only => [:web_videos_display, ...]
  ...
  def web_videos_display
    # @asset = Asset.find(params[:id]) #loaded by cancan
    @file = "#{Rails.root}#{@asset.webVideos.last.file}"
    send_file @file, :disposition => 'inline', :x_sendfile=>true
  end
  ...

路线.rb

  resources :teams, :path => '', :except => [:index] do
  ...
    resources :assets, :path => '' do
      ...
      get 'web_videos_display'
      ...
    end
  end

显示.html.erb

...
<%= team_asset_web_videos_display_path(@team, @asset, :id => @asset.id, :team_id => @team.id) %>
...

能力.rb

...
can :read, Team, :memberships => {:id => user.membership_ids}
can :manage, Asset, :team => { :id => user.team_ids }
can :web_videos_display, Asset, :team => { :id => user.team_ids }
...

更新以回应@ryanb 评论

返回

1.9.2p318 :006 > ability.can?(:web_videos_display, asset)
  Team Load (0.2ms)  SELECT "teams".* FROM "teams" WHERE "teams"."id" = 1 LIMIT 1
 => true

在开发模式下它仍然返回

Started GET "/video-pros/test-1/web_videos_display?id=10" for 127.0.0.1 at 2012-11-09 16:40:19 -0800
  Processing by AssetsController#web_videos_display as */*
  Parameters: {"id"=>"10", "team_id"=>"video-pros", "asset_id"=>"test-1"}
  Team Load (0.1ms)  SELECT "teams".* FROM "teams" WHERE "teams"."slug" = 'video-pros' LIMIT 1
  Team Load (0.2ms)  SELECT "teams".* FROM "teams" WHERE "teams"."admin_user_id" = 1 LIMIT 1
  CACHE (0.0ms)  SELECT "teams".* FROM "teams" WHERE "teams"."slug" = 'video-pros' LIMIT 1
Access denied on show #<Team id: 1, name: "Video Pros", email: nil, phone: nil, website: nil, slug: "video-pros", admin_user_id: 1, created_at: "2012-11-06 22:43:11", updated_at: "2012-11-06 22:43:11", payment_received: nil>
Redirected to http://0.0.0.0:3000/
Completed 302 Found in 73ms>

谢谢瑞恩

4

1 回答 1

1

send_file应该没有什么不同,因为授权发生在触发操作之前的 before_filter 中。据我所知,它看起来是正确的,所以可能还有其他事情发生。您是否尝试过此调试页面?如果您在控制台中模仿控制器授权正在做什么,会发生什么?

user = User.first # fetch any user you want to test abilities on
team = Team.first # any model you want to test against
asset = team.assets.first
ability = Ability.new(user)
ability.can?(:show, team) # see if it allows access
ability.can?(:web_videos_display, asset) # see if it allows access

更新:read:show团队的行动

于 2012-11-10T00:15:48.040 回答