2

我的控制器中有以下附件

  def upload

    @attachment = Attachment.build(:swf_uploaded_data => params[:attachment][:attachment], :user_id => current_user.id, :project_id => params[:space_id])
....
    end

我希望 CanCan 只允许用户上传到他们所属的 project_id。我确认控制器正在获取正确的信息,没有零

这是我的康康舞:

can :upload, Attachment do |attachment|
  Rails.logger.info 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX- include CanCan::Ability - ATTACHMENT'  
  Rails.logger.info attachment.inspect
  Rails.logger.info attachment.project

  current_user.try(:role, attachment.space)
end

这里的问题,是那个附件。是零,attachment.project 是零?您如何使用 CanCan 解决此问题,以便确保只有项目团队成员才能将附件上传到项目中?

谢谢

4

2 回答 2

5

我认为最好的authorize!方法是使用 Controller 操作的方法在较低级别上执行此操作。

所以 ...

#AttachmentController

#Will remove it from cancan
load_and_authorize_resource :except => [:upload]

def upload
 @attachment = Attachment.build(:swf_uploaded_data => params[:attachment][:attachment], :user_id => current_user.id, :project_id => params[:space_id])
  #add the authorize logic explicitly here when you have the attachment model populated
  authorize! :upload, @attachment
end

让我知道这是否适合你。

于 2010-12-03T21:24:24.153 回答
0

例如,如果您只想允许为当前循环创建事件:

你在视图中使用

link.... if can? :create, @loop.events.new

然后在控制器中

skip_authorize_resource only: [:new, :create]

...

def new
   @event.loop_id = @loop.id
   authorize! :create, @event
end

#similar for create action
于 2012-07-09T13:03:35.647 回答