cancan

ActiveModel::ForbiddenAttributesError + cancan + rails 4 + model with scoped controller

生来就可爱ヽ(ⅴ<●) submitted on 2019-12-04 13:44:26
I'm using cancan (1.6.10) with Rails 4.0.0. I have a model called 'App' (not scoped) and a controller Admin::AppsController (it's scoped, i.e. app/controllers/admin/apps_controller). The controller code is as follows:

    class Admin::AppsController < ApplicationController
      before_filter :authenticate_user!
      load_and_authorize_resource class: App

      def index
      end

      # CRUD methods and some other custom methods ...

      private

      def app_params
        params.require(:app).permit(:name, :description, :author, :url_path, :validated, :active, :version)
      end
    end

I'm getting an error when I try to create an 'app'. ActiveModel:

Rspec, CanCan and Devise

坚强是说给别人听的谎言 submitted on 2019-12-04 09:42:59
Question: I am starting a project and I would like to be able to test everything :) And I have some problems with CanCan and Devise. For example, I have a controller Contacts. Everybody can view and everybody (except banned people) can create a contact.

    # app/controllers/contacts_controller.rb
    class ContactsController < ApplicationController
      load_and_authorize_resource

      def index
        @contact = Contact.new
      end

      def create
        @contact = Contact.new(params[:contact])
        if @contact.save
          respond_to do |f|
            f.html {

CanCan difference between :read and [:index, :show]?

三世轮回 submitted on 2019-12-04 09:21:42
Question: According to all documentation, the :read action is aliased to both :index and :show:

    alias_action :index, :show, :to => :read

However, consider the following scenario with nested resources:

    resources :posts do
      resources :comments
    end

If I define abilities like this:

    # ability.rb
    can :read, Post
    can :show, Comment

    # comments_controller.rb
    load_and_authorize_resource :organization, :find_by => :permalink
    load_and_authorize_resource :membership, :through => :organization

things work as expected.

Rails_admin: Should I have admin_user or user with admin role to manage users and admin panel

主宰稳场 submitted on 2019-12-04 06:21:33
In my Rails application, website visitors can sign up and create content. It uses Devise with a User model and everything works well. Now I want to use rails_admin for managing website resources, users, etc., and only people with administrative privileges should be able to access it. Should I create a separate AdminUser model for admin panel access, or use the User model with a role of admin and use some authorization library to manage access? If I use only one model then I want users to be redirected to the admin panel after sign-in if the user is an admin, and if not then I want the user to be redirected to their

CanCan::Ability where is the current_user method defined?

浪子不回头ぞ submitted on 2019-12-04 05:45:43
Question: Pretty much what I have mentioned in the title. I am using CanCan::Ability in my code to check permissions and abilities. It expects a current_user method to be defined. I am guessing it comes from Devise (but not sure), and I wish to override it. What's the best way to do that?
Answer 1: It's found here in the source code. It's nothing to do with Devise, though. The documentation is found above the method and describes overwriting it.
Answer 2: current_user is implemented by devise in this eval'ed

Passing params to CanCan in RoR

主宰稳场 submitted on 2019-12-04 05:03:44
I have a controller with a method like:

    def show
      if params[:format].eql?("pdf")
        # do something
      elsif params[:format].eql?("csv")
        # do something
      end
    end

But I have users with different roles, so I use CanCan to manage access control. Now I want role X to be able to do the show action in the controller iff params[:format].eql?("csv"). I think it can be like: can :show, resource if params[:format].eql?("csv"). So how can I send parameters to ability.rb? Any idea? Thanks.

cailinanne
In ApplicationController add the following:

    # CanCan - pass params in to Ability
    # https://github.com/ryanb/cancan/issues/133

Rails cancan and State Machine - Authorizing states

可紊 submitted on 2019-12-03 23:23:33
Question: I've been using the two awesome gems, state_machine and cancan, recently in my Rails application, but I'm curious as to the best way to integrate them cleanly. Currently I've placed state transitions on buttons that go on actions authorized by the controller. This works perfectly; I can restrict who can perform that action. I would like to give the user the ability to change the object's state in the edit form as well. I've noticed that state_machine will pick up on the state_event key in the

How to join multi-role, multi organisation tables in Rails

安稳与你 submitted on 2019-12-03 21:56:48
Question: I'm trying to find a solution to a Rails design that isn't all that obvious to me. A friend who is very good with this stuff has given me his take on it, but I wondered if there is a Rails pattern - the knowledge I'm missing is how Rails creates the relationship… I have a problem space like this. Users can perform more than one role at more than one organisation. So for example, a user can be both a "Standard User" and a "Power User" at Organisation 1, but an "Admin" at Organisation 2. I'm

Cancan Thinking Sphinx current_ability Questions

旧巷老猫 submitted on 2019-12-03 21:22:35
Trying to get cancan working with Thinking Sphinx but running into some issues. Before using Sphinx, I had this in my companies view:

    @companies = Company.accessible_by(current_ability)

That prevented my users from seeing anyone else's companies... After installing Sphinx, I ended up with:

    @companies = Company.accessible_by(current_ability).search(params[:search], :include => :order, :match_mode => :extended).paginate(:page => params[:page])

Which now displays all my companies and isn't refining per user based on ability. It would seem ts isn't set up for cancan? I think it's more that

How do I use cancan to authorize an array of resources?

*爱你&永不变心* submitted on 2019-12-03 15:48:21
I have a non-RESTful controller that I am trying to use the cancan authorize! method to apply permissions to. I have a delete_multiple action that starts like so:

    def delete_multiple
      @invoices = apparent_user.invoices.find(params[:invoice_ids])

I want to check that the user has permission to delete all of these invoices before proceeding. If I use

    authorize! :delete_multiple, @invoices

permission is refused. My ability.rb includes the following:

    if user.admin?
      can :manage, :all
    elsif user.approved_user?
      can [:read, :update, :destroy, :delete_multiple], Invoice, :user_id => user.id
    end

Is it a