cancan

问题 I have the following abilities model: class Ability include CanCan::Ability def initialize(user) user ||= User.new # guest user, not logged in. if user.role? == :admin can :manage, :all else can :read, :all end if user.role == "default" can :create, Homescreen end can :destroy, Homescreen do |homescreen| homescreen.try(:user) == user end end end And I have the following users model: class User < ActiveRecord::Base devise :database_authenticatable, :registerable, :recoverable, :rememberable,

问题 I have two tables Users (name, email, password, instance_id, etc...) example: james bond, james@abc.com, 1 Instance (id, domain) example: 1, abc.com Through out the application I want to make sure James Bond only sees data that is assigned to his instance = 1 So if I have a books table with (name, desc, instance_id), he only sees his instance's books. I'm told CanCan is the way to go for this but I don't see how to make something set globally like the above, it seems more role based like

问题 I want only the people who created an object e.g. a registry to see something =, but struggling to define everything with Devise Here is the code: <% if user_signed_in? && ***"current_user = registry the user created?"?(struggling with the second part)*** %> Thanks in advance P.S. I'm using cancan, but this will not help in my show page where I want to show page. 回答1: This is not part of devise but of cancan. You need to define the ability inside your cancan ability file: user ||= User.new

问题 If a user is logged in with a specific role - vendor - they should only see items that they have created in their store. They should not be able to see products from other vendors. So I am trying to do this in my authorization (using Devise, CanCan, Rolify). I tried this: user ||= User.new # guest user (not logged in) if user.has_role? :vendor can :dashboard can :manage, [Product, Vendor], :vendor_id => user.id can :view, [Product], :vendor_id => user.id end But....haven't had much luck with

问题 in my rails app (I use devise and cancan), each (registered) user belongs to exactly one role ('Administrator' or 'Users') but to at least one group (something like 'Family', 'Friends', 'Co-workers'). At runtime, when a new folder (see below) is created, a habtm relation to one or many groups can be set, which defines who can access the folder. Selecting no group at all should result in a world-wide accessible folder (i.e. users do not have to be logged in to access these folders). But right

问题 I'm using the mailboxer gem for conversations/messages between the User model in my app. This is all working fine, thanks to some great help in stack overflow. I'm now trying to setup a section so admin can view all the conversations that are happening. I have created a controller and view for conversations, nested in my admin section. I've pulled in all conversations on the index page with: def index @admin_conversations = Conversation.all end This has listed all the conversations, and a

问题 So this is the authorization code I wrote based on Railscast #386. The problem is that the block works on all controllers except for user_controller . In other words, any user can triger edit and update actions on any other user, even though the block given to it is the same as that of favors edit and update actions. def initialize(user) allow :users, [:new, :create, :show] allow :sessions, [:new, :create, :destroy] allow :favors, [:index, :show] if user allow :users, [:edit, :update] do |usr

问题 I have a model with a statemachine and i want to limit different states/events/transitions to different users. How can i access current user and ability in this model? 回答1: You can define abilities in cancan against any methods provided by the model. State machine transitions are themselves methods provided by the model, so just set up your abilities as you would for any other methods. For example, given a simple model: class Order < ActiveRecord::Base state_machine :initial => :new do event

问题 I'm having the exact same issue as described on this thread: Rails 5 only_deleted with cancancan #356 I can access a deleted record, like this: @area = Area.only_deleted.find(params[:id]) but if I add load_and_authorize_resource to my controller, it'll attempt to run the query like this: @area = Area.find(params[:id]) which will result in error since it won't find a record with that id on a collection where deleted_at isn't null (not deleted records, the purpose of the Paranoia gem). If I

问题 I am trying to filter the index according to the ability. I am using the wice_grid gem to make a table in the index, and to add a condition to tickets, we could use something called :conditions. I have tried to put it like that: @tickets_grid = initialize_grid(Ticket, :include => [:user, :employee_department, :state], :conditions => [Ticket.accessible_by(current_ability)]) This is not working, though. I'm looking for any suggestions. Update: :conditions is working like ActiveRecord so I guess