8

我有嵌套在用户资源中的项目资源。

我的康康能力课是:

class Ability
  include CanCan::Ability
  def initialize(user)
    #everyone
    can :read, Project

    if user.blank? 
      # guest user
      ...
    else
      #every signed in user

      case user.role
        when User::ROLES[:admin] 
          #only admin role user
          can :manage, :all

        when User::ROLES[:member] 
          #only member role user
          can :update, User, :id => user.id
          can [:create, :update, :destroy], Project, :user_id => user.id
        else

      end
    end
  end
end

和项目控制器:

class ProjectsController < ApplicationController
  load_and_authorize_resource :user
  load_and_authorize_resource :projects, :through => :user, :shallow => true
  ...
end

我有几个问题:

是否可以拒绝:读取用户并允许:读取项目,以便每个人都可以访问 /users/10/projects,但不能访问 /users/10 或 /users?

如何拒绝用户访问:使用其他 user_id 的新操作?例如,如果我添加

#everyone
can :read, User
can :read, Project

此代码允许 id 为 42 的用户访问 /user/41/projects/new。

4

1 回答 1

11

通过这样做解决了它:

class Ability
  include CanCan::Ability

  def initialize(user)
    #everyone
    can :read, Project

    can :read, User # required to access nested resources
    cannot :index, User
    cannot :show, User

    if user.blank? 
      # guest user
      ...
    else
      #every signed in user

      case user.role
        when User::ROLES[:admin] 
          #only admin role user
          can :manage, :all

        when User::ROLES[:member] 
          #only member role user
          can :update, User, :id => user.id
          can :manage, Project, :user => { :id => user.id }
        else

      end
    end
  end
end
于 2010-10-22T08:55:12.193 回答