0

我在实施 gems cancan 时遇到了麻烦,使用 devise 和carrierwave onboard rails 3.2。

目前,我希望用户只能将图像上传到他们自己的用户页面(显示)。目前我有一个包含所有注册用户的用户索引页面。我可以进入其中的每一个,并仅使用用户角色(而不是管理员)将图像添加到每个配置文件。我只想为我自己的个人资料做到这一点,并且实际上只能阅读其他个人资料页面(减去添加照片链接)。我的代码如下:

   class Ability
  include CanCan::Ability

  def initialize(user)
    # Define abilities for the passed in user here. For example:
    #


       user ||= User.new # guest user (not logged in)
       if user.has_role? :user
       can :read, User
       can [:new, :create] , Photo, user_id: user.id
       end
  end

class UsersController < ApplicationController

      before_filter :authenticate_user!


      def index
        @users = User.all
      end

        def show
          @user = User.find(params[:id])
          @photo = Photo.new(params[:user_id])
        end
    end

经授权编辑控制器!

class PhotosController < ApplicationController
  before_filter :authenticate_user!

  def new

    @photo = Photo.new(:user_id => params[:user_id])
    authorize! :new, @photo
  end

  def create

    @photo = Photo.new(params[:photo])
    if @photo.save
      flash[:notice] = "Successfully created photo."
      redirect_to @photo.user
    else
      render :action => 'new'
    end
    authorize! :create, @photo
  end

  def edit
    @photo = Photo.find(params[:id])
  end

  def update
    @photo = Photo.find(params[:id])
    authorize! :update, @user
    if @photo.update_attributes(params[:photo])
      flash[:notice] = "Successfully updated photo."
      redirect_to @photo.user
    else
      render :action => 'edit'
    end
  end

  def destroy
    authorize! :destroy, @user
    @photo = Photo.find(params[:id])
    @photo.destroy
    flash[:notice] = "Successfully destroyed photo."
    redirect_to @photo.user
  end
end

ActiveRecord::Schema.define(:version => 20130512100231) do

  create_table "photos", :force => true do |t|
    t.datetime "created_at", :null => false
    t.datetime "updated_at", :null => false
    t.string   "image"
    t.integer  "user_id"
  end

  create_table "posts", :force => true do |t|
    t.string   "title"
    t.text     "body"
    t.datetime "created_at", :null => false
    t.datetime "updated_at", :null => false
  end

  create_table "roles", :force => true do |t|
    t.string   "name"
    t.integer  "resource_id"
    t.string   "resource_type"
    t.datetime "created_at",    :null => false
    t.datetime "updated_at",    :null => false
  end

  add_index "roles", ["name", "resource_type", "resource_id"], :name => "index_roles_on_name_and_resource_type_and_resource_id"
  add_index "roles", ["name"], :name => "index_roles_on_name"

  create_table "users", :force => true do |t|
    t.string   "email",                  :default => "", :null => false
    t.string   "encrypted_password",     :default => "", :null => false
    t.string   "reset_password_token"
    t.datetime "reset_password_sent_at"
    t.datetime "remember_created_at"
    t.integer  "sign_in_count",          :default => 0
    t.datetime "current_sign_in_at"
    t.datetime "last_sign_in_at"
    t.string   "current_sign_in_ip"
    t.string   "last_sign_in_ip"
    t.datetime "created_at",                             :null => false
    t.datetime "updated_at",                             :null => false
    t.string   "name"
    t.string   "avatar"
    t.string   "image"
  end

  add_index "users", ["email"], :name => "index_users_on_email", :unique => true
  add_index "users", ["reset_password_token"], :name => "index_users_on_reset_password_token", :unique => true

  create_table "users_roles", :id => false, :force => true do |t|
    t.integer "user_id"
    t.integer "role_id"
  end

  add_index "users_roles", ["user_id", "role_id"], :name => "index_users_roles_on_user_id_and_role_id"

end
4

1 回答 1

2

这就是 CanCan 的用途。你已经安装了它,但你还没有配置它。

can :manage, Photo, user_id: user.id

另见:手册

此外,您需要确保authorize!在您希望限制访问的每个控制器操作中调用。例如:

authorize! :create, @photo

我更喜欢使用authorize_resourceload_and_authorize_resource确保我没有错过任何操作,但仅使用authorize!将需要对您的代码进行最少的更改。

于 2013-05-12T16:55:44.080 回答