RoR: CanCanCan authorize only user created items

£可爱£侵袭症+ submitted on 2019-12-12 05:28:35

Question


What is wrong with this code? A normal user is still able to see all relatos, when he should only see his own.

My view code:

<% if can? :read, Relato %>
  <td><%= relato.id %></td>
  <td><%= relato.cliente.name %></td>
  <td><%= relato.projeto.name %></td>
  <td><%= relato.local.logra %></td>
  <td><%= relato.time %></td>
  <td><%= relato.comment %></td>
<% end %>

My Ability class:

class Ability
  include CanCan::Ability

  def initialize(user)
    can :manage, :all if user.role == "admin"

    if user.role == "normal"
      can :read, Relato, user_id: user.id
      can :manage, Relato, user_id: user.id
    end
  end
end

Answer 1:


You need to authorize the user for a particular instance:

<% if can? :read, relato %>

When you attempt to authorize a user for an entire class, as you do above, CanCanCan ignores any conditions defined in the Ability because it can't determine a user_id field for the entire Relato model; it can only do so for a single relato instance.
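The difference between the class-level and the instance-level check, shown with a small stand-in rule engine. This is an added example, not code from the question or from CanCanCan: the `Ability` below models CanCanCan's hash-condition rules (class check passes if any rule could apply; instance check evaluates the conditions) and adds an assumed `accessible` method that filters a collection the way a scoped query would (CanCanCan provides `accessible_by` for that). The `User`/`Relato` structs and the sample rows are constructed.

```ruby
# Added example (not the question's or CanCanCan's code): a minimal model of
# hash-condition abilities, enough to show why `can? :read, Relato` is true for
# every row while `can? :read, relato` applies the :user_id condition.
User   = Struct.new(:id, :user_role) do
  def role = user_role
end
Relato = Struct.new(:id, :user_id, :comment)

class Ability
  Rule = Struct.new(:action, :subject, :conditions)

  def initialize(user)
    @rules = []
    can :manage, :all if user.role == "admin"
    if user.role == "normal"
      can :read, Relato, user_id: user.id
      can :manage, Relato, user_id: user.id
    end
  end

  def can(action, subject, conditions = {})
    @rules << Rule.new(action, subject, conditions)
  end

  # Class subject: true if ANY rule could grant the action on SOME instance;
  # the conditions are skipped because there is no record to evaluate them on.
  # Instance subject: the rule's hash conditions must match the record.
  def can?(action, subject)
    @rules.any? do |rule|
      next false unless action_matches?(rule, action)
      next false unless subject_matches?(rule, subject)
      subject.is_a?(Class) || conditions_match?(rule, subject)
    end
  end

  # Assumed counterpart of a scoped query: keep only records the instance check allows.
  def accessible(action, records)
    records.select { |r| can?(action, r) }
  end

  private

  def action_matches?(rule, action)
    rule.action == :manage || rule.action == action
  end

  def subject_matches?(rule, subject)
    return true if rule.subject == :all
    (subject.is_a?(Class) ? subject : subject.class) == rule.subject
  end

  def conditions_match?(rule, record)
    rule.conditions.all? { |attr, value| record.public_send(attr) == value }
  end
end

# Constructed sample data: an admin, a normal user, and three reports.
ADMIN   = User.new(1, "admin")
NORMAL  = User.new(2, "normal")
RELATOS = [
  Relato.new(10, 2, "mine"),
  Relato.new(11, 3, "someone else's"),
  Relato.new(12, 2, "also mine"),
]

# What the question's view does: gate each row on the class, so every row renders.
def ids_rendered_with_class_check(user)
  ability = Ability.new(user)
  RELATOS.select { ability.can?(:read, Relato) }.map(&:id)
end

# The answer's fix: gate each row on the instance.
def ids_rendered_with_instance_check(user)
  ability = Ability.new(user)
  RELATOS.select { |r| ability.can?(:read, r) }.map(&:id)
end

# Filtering before rendering, so rows the user may not read are never loaded into the view.
def ids_in_scoped_query(user)
  Ability.new(user).accessible(:read, RELATOS).map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  puts "normal, class check:    #{ids_rendered_with_class_check(NORMAL)}"    # [10, 11, 12]
  puts "normal, instance check: #{ids_rendered_with_instance_check(NORMAL)}" # [10, 12]
  puts "admin, scoped:          #{ids_in_scoped_query(ADMIN)}"               # [10, 11, 12]
end
```

Checking `relato` instead of `Relato` fixes the view, but the controller is still handing the template every row; scoping the query (in CanCanCan, `Relato.accessible_by(current_ability)` or `load_and_authorize_resource`) keeps records the user may not read out of the response altogether.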



Source: https://stackoverflow.com/questions/31861704/ror-cancancan-authorize-only-user-created-items
