0

我对 Rails 很陌生,我现在正在开发我的第一个 Rails 应用程序,所以这对某些人来说可能是一个愚蠢的问题。如果他们不是管理员,我想让 current_user 只看到他们自己的订单。我能够设置只有管理员可以查看所有订单,但我很难让当前用户只能查看、列出和删除他们自己的订单。我的应用程序有一个:orders模型belongs_to :users和一个:users模型has_many :orders

这就是我的 orders_controller.rb 的样子:

class OrdersController < ApplicationController
  before_action :set_order, only: [:show, :edit, :update, :destroy]

  # GET /orders
  # GET /orders.json
  def index
    authorize! :index, @user, :message => 'Not authorized as an administrator.'
    @orders = Order.all
  end

  # GET /orders/1
  # GET /orders/1.json
  def show
  end

  # GET /orders/new
  def new
    @order = Order.new
  end

  # GET /orders/1/edit
  def edit
  end

  # POST /orders
  # POST /orders.json
  def create
    @order = Order.new(order_params)

    respond_to do |format|
      if @order.save
        format.html { redirect_to @order, notice: 'Order was successfully created.' }
        format.json { render action: 'show', status: :created, location: @order }
      else
        format.html { render action: 'new' }
        format.json { render json: @order.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /orders/1
  # PATCH/PUT /orders/1.json
  def update
    respond_to do |format|
      if @order.update(order_params)
        format.html { redirect_to @order, notice: 'Order was successfully updated.' }
        format.json { head :no_content }
      else
        format.html { render action: 'edit' }
        format.json { render json: @order.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /orders/1
  # DELETE /orders/1.json
  def destroy
    @order.destroy
    respond_to do |format|
      format.html { redirect_to orders_url }
      format.json { head :no_content }
    end
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_order
      @order = Order.find(params[:id])
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    def order_params
      params.require(:order).permit(:user_id, :drop_address)
    end
end

我的问题是如何只允许当前用户列出和查看他们下的所有订单?

谢谢

4

2 回答 2

3

有一颗名为cancan的宝石为您服务。请阅读维基页面。需要更多帮助?让我知道 :)

定义能力

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.admin?
      can :manage, :all
    else
      can :read, Order, :user_id => user.id
    end
  end
end

来自accessible_by的控制器查询

@orders = Order.accessible_by(current_ability)
于 2013-11-10T10:37:56.087 回答
1

  1. 你必须在两个层面上做到这一点。在索引中,您必须为当前用户获取订单,以便用户只能看到他的订单。第二级是您确保用户可以输入不属于他的订单网址,因此请在其他操作(编辑、更新、删除、显示)中检查。

  2. 或者您可以使用声明性授权 gem。这非常有帮助https://github.com/stffn/declarative_authorization

-提示:对于命名约定,将belongs_to :users 更改为belongs_to :user (belongs_to 总是单数)

这就是您的控制器的外观

#this is the filter called before each method to make sure the user is authorized to access the order
before_filter :authorize_user, :only => [:edit,:update,:delete,:show]

def index
  authorize! :index, @user, :message => 'Not authorized as an administrator.'
  #here fetch the orders of the current user only
  @orders = current_user.orders
end

#and then goes all your methods here as normal 

private 

def authorize_user
  unless current_user.eql?(@order.user)
    flash[:notice]="You are not authorized to access this order"
    redirect_to orders_path 
  end
end
于 2013-11-10T10:34:55.317 回答