根据所有文档,:read操作被别名为:index和:show:
alias_action :index, show, :to => :read
但是,请考虑以下带有嵌套资源的情况:
resources :posts
resources :comments
end
如果我这样定义能力:
# ability.rb
can :read, Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
事情按预期进行。但是,如果我将
:read操作更改为[:index,:show]:# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
我无权访问
/posts/:post_id/comments,/posts/:post_id/comments/:id等。但是,我仍然可以访问:index的:show和posts_controller。如果它们的行为不同,怎么可能“混淆”这些行为?
在摆弄我的同时,我还遇到了以下问题。将
load_and_authorize_resource更改为以下允许的访问:# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load__resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
有人可以解释这是怎么回事吗?
最佳答案
我将此作为问题发布在GitHub上。瑞安回应如下:
Both the
:indexand:showactions point to the:readaction. But when CanCan authorizes a parent resource it uses the:readaction directly which is why you're seeing this behavior.I think this has caused confusion before, so I will change the internal behavior to never use the
:readaction directly. Instead of a:parentresource I'll change it to use:showand for theaccessible_bydefault I will use:indexinstead of:read. Thanks for bringing this to my attention.
https://github.com/ryanb/cancan/issues/302#comment_863142
关于ruby-on-rails - CanCan之间的区别:read and [:index, :show]?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/5280781/