I have a polymorphic relationship between responses and posts, calls and meetings:

class Response < ActiveRecord::Base
  belongs_to :responseable, polymorphic: true
  ...
end

class Post < ActiveRecord::Base
  has_many :responses, as: :responseable, dependent: :destroy
  ...
end

class Call < ActiveRecord::Base
  has_many :responses, as: :responseable, dependent: :destroy
  ...
end

class Meeting < ActiveRecord::Base
  has_many :responses, as: :responseable, dependent: :destroy
  ...
end
I am using CanCan to define my abilities, with the nested resources feature to authorize viewing responses depending on the abilities of their parent:

class ResponsesController < ApplicationController
  before_filter :authorize_parent
  load_resource :post
  load_resource :call
  load_resource :meeting
  load_and_authorize_resource :response, :through => [:post, :call, :meeting]
  ...

  private

  # Whichever parent was loaded (post, call or meeting) must be readable by the current user.
  def authorize_parent
    authorize! :read, (@post || @call || @meeting)
  end
end
With the standard actions in the controller, all abilities are working fine.

However, I have an action in my responses controller that a JS script polls every 15 seconds for new responses:

def polling
  # user id as sent by the polling script (current_user would be the server-side source)
  current_user_id = params[:current_user_id]
  responseable_type = params[:responseable_type]
  # resolve the parent class from a fixed list rather than constantizing the param
  klass = [Post, Call, Meeting].detect { |c| responseable_type == c.name }
  @responseable = klass.find(params[:responseable_id])
  # params[:after] is an epoch timestamp sent by the script; convert it to seconds
  undivided_millisecond_epoch_time_in_integer = params[:after]
  undivided_millisecond_epoch_time_in_decimal = (undivided_millisecond_epoch_time_in_integer).to_d
  divided_millisecond_epoch_time_in_decimal = (undivided_millisecond_epoch_time_in_decimal / 1000000).to_d
  @responses = @responseable.responses.where("created_at > ? AND user_id <> ?", Time.at(divided_millisecond_epoch_time_in_decimal), current_user_id)
end
Whatever I try, I cannot get it to work, i.e. I just get the response "You are not authorized to access this page". I think I need to add something to make this custom action work, but I am a bit lost as to where and what.

Any help is greatly appreciated.

EDIT: added details from my ability file:
if user.role == "client"
  can :index, Post, :user_expert_private => false
  can :index, Post, :user_expert_private => true, :user_id => user.id
  can :show, Post, :user_expert_private => false, :countries => { :id => user.country_ids }
  can :show, Post, :user_expert_private => true, :user_id => user.id
  can :create, Post
  can :edit, Post, :user_id => user.id
  can :update, Post, :user_id => user.id
  can :read, Response
  can :create, Response
  can :polling, Response
  can :read, Call, :user_id => user.id
  can :create, Call, :user_id => user.id
  can :edit, Call, :user_id => user.id
  can :update, Call, :user_id => user.id
  can :read, Meeting, :user_id => user.id
  can :create, Meeting, :user_id => user.id
  can :edit, Meeting, :user_id => user.id
  can :update, Meeting, :user_id => user.id
  can :responses, :polling
  can :posts, :autocomplete
end
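The polling action above is the one place where neither `load_and_authorize_resource` nor `authorize_parent` applies, so the parent check has to be made explicitly. As an added example (plain Ruby with small stand-ins for the Rails models and for CanCan's `authorize!`, not code from the question), this models a polling action that resolves the parent from a whitelist, authorizes `:read` on it for the session user rather than a user id taken from params, and only then filters the responses; `Parent`, `store` and `AccessDenied` are assumed stand-ins.

```ruby
require 'time'

AccessDenied = Class.new(StandardError) # stands in for CanCan::AccessDenied

User     = Struct.new(:id, :role)
Response = Struct.new(:user_id, :created_at)

# Stand-in for the Post/Call/Meeting models: an owner plus its responses.
class Parent
  attr_reader :user_id, :responses
  def initialize(user_id, responses)
    @user_id, @responses = user_id, responses
  end
end
class Post < Parent; end
class Call < Parent; end
class Meeting < Parent; end

# Mirrors the ability file in spirit: Call and Meeting are readable only by
# their owner; Post is treated as readable by anyone in this simplified model.
def can_read?(user, parent)
  return true if parent.is_a?(Post)
  parent.user_id == user.id
end

def authorize_read!(user, parent)
  return if can_read?(user, parent)
  raise AccessDenied, "not allowed to read #{parent.class}"
end

# Only these three types may be polled; an unknown type is rejected instead of
# being turned into an arbitrary class name.
ALLOWED_PARENTS = { 'Post' => Post, 'Call' => Call, 'Meeting' => Meeting }.freeze

# current_user comes from the session, never from params; `store` stands in for
# ActiveRecord's find and maps [class, id] to a record (constructed for this example).
def polling(current_user, params, store)
  klass = ALLOWED_PARENTS[params[:responseable_type]]
  raise AccessDenied, 'unknown parent type' unless klass
  parent = store.fetch([klass, params[:responseable_id]])
  authorize_read!(current_user, parent) # the check the custom action was missing
  after = Time.at(Rational(params[:after].to_i, 1000)) # JS Date.now() is in milliseconds
  parent.responses.select { |r| r.created_at > after && r.user_id != current_user.id }
end
```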