According to all the documentation, the :read action is aliased to :index and :show:
alias_action :index, :show, :to => :read
However, consider the following scenario with nested resources:
resources :posts do
  resources :comments
end
If I define abilities like this:
# ability.rb
can :read, Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
Things work as expected. However, if I change the :read action to [:index, :show]:
# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
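I am not authorized to access /posts/:post_id/comments, /posts/:post_id/comments/:id, etc. However, I can still access both :index and :show for the posts_controller. If they behave differently, how can these actions be "aliased"?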
While fiddling with this, I also came across the following. Changing load_and_authorize_resource to the following allowed access:
# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
Can someone explain what is going on here?
Best answer
I posted this as an issue on GitHub. Ryan responded as follows:
Both the :index and :show actions point to the :read action. But when CanCan authorizes a parent resource it uses the :read action directly which is why you're seeing this behavior.

I think this has caused confusion before, so I will change the internal behavior to never use the :read action directly. Instead of a :parent resource I'll change it to use :show and for the accessible_by default I will use :index instead of :read. Thanks for bringing this to my attention.
https://github.com/ryanb/cancan/issues/302#comment_863142
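An added example, not part of the original question or answer and not CanCan's source: a simplified Ruby model of the one-directional alias expansion Ryan describes, showing why a parent check on :read fails for can [:index, :show], Post while :index and :show themselves still pass. MiniAbility, nested_allowed?, ability_with and the parent_action parameter are hypothetical names used only for this illustration.

```ruby
# Simplified model of alias expansion; an added illustration, not CanCan's source.
class Post; end
class Comment; end

class MiniAbility
  # Mirrors: alias_action :index, :show, :to => :read
  ALIASES = { read: [:index, :show] }.freeze

  def initialize
    @rules = []
  end

  # Rules are stored with aliases expanded: :read also grants :index and :show.
  def can(actions, subject)
    @rules << [expand(Array(actions)), subject]
  end

  # The queried action is never expanded, so holding :index and :show
  # does not add up to :read.
  def can?(action, subject)
    @rules.any? { |acts, subj| subj == subject && acts.include?(action) }
  end

  # Hypothetical helper: check the parent with parent_action, then the child
  # with the controller action, as in a nested load_and_authorize_resource.
  def nested_allowed?(parent, child, action, parent_action: :read)
    can?(parent_action, parent) && can?(action, child)
  end

  private

  def expand(actions)
    actions.flat_map { |a| [a, *expand(ALIASES.fetch(a, []))] }.uniq
  end
end

# Builds the ability from the question with the given Post actions.
def ability_with(post_actions)
  MiniAbility.new.tap do |a|
    a.can post_actions, Post
    a.can :show, Comment
  end
end

if __FILE__ == $PROGRAM_NAME
  explicit = ability_with([:index, :show])
  puts explicit.nested_allowed?(Post, Comment, :show)                       # parent checked with :read
  puts explicit.nested_allowed?(Post, Comment, :show, parent_action: :show) # parent checked with :show
end
```

With parent_action: :show, the behavior Ryan says he will switch to, the explicit [:index, :show] rule passes the nested check.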
Regarding ruby-on-rails - Difference between CanCan's :read and [:index, :show]?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/5280781/