ruby-on-rails – CanCan区别:read和[:index,:show]?

前端之家收集整理的这篇文章主要介绍了ruby-on-rails – CanCan区别:read和[:index,:show]?前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
根据所有文档,读取操作都被别名为:index和:show:
alias_action :index,show,:to => :read

但是,请考虑使用嵌套资源的以下场景:

resources :posts
  resources :comments
end

如果我定义这样的能力:

# ability.rb
can :read,Post
can :show,Comment

# comments_controller.rb
load_and_authorize_resource :organization,:find_by => :permalink
load_and_authorize_resource :membership,:through => :organization

事情按预期工作.但是,如果我将:read操作更改为[:index,:show]:

# ability.rb
can [:index,:show],:through => :organization

我未经授权访问/ posts /:post_id / comments,/ posts /:post_id / comments /:id等.但是我仍然可以访问:index和:show for posts_controller.

如果这些动作的行为有所差异,那么这些动作可能是“别名”

在我的迷茫中,我也遇到了以下.将load_and_authorize_resource更改为以下允许的访问权限:

# ability.rb
can [:index,Comment

# comments_controller.rb
load__resource :organization,:through => :organization

有人可以解释这里发生了什么吗?

解决方法

我在GitHub上发布了这个问题.瑞恩回答说:

Both the :index and :show actions
point to the :read action. But when
CanCan authorizes a parent resource it
uses the :read action directly which
is why you’re seeing this behavior.

I think this has caused confusion
before,so I will change the internal
behavior to never use the :read
action directly. Instead of a
:parent resource I’ll change it to
use :show and for the
accessible_by default I will use
:index instead of :read. Thanks
for bringing this to my attention.

https://github.com/ryanb/cancan/issues/302#comment_863142

猜你在找的Ruby相关文章