Gem cancan 访问权限问题

easonlovewan · April 04, 2016 · Last by jasonliu replied at April 04, 2016 · 2478 hits

rails s 启动项目时候默认访问地址是 localhost:3000 例如：本机 ip 为 192.168.8.8 我现在执行:rails s -b 192.168.8.8 现在可以通过:192.168.8.8:3000 指定了通过本机 ip 访问可是报了如下错误: 不知道这是 cancan 默认设置的问题还是哪出问题了？报了一个没有权限的 error［第一次用 cancan 求大神指点!!!］ ability.rb 代码如下：

class Ability
    include CanCan::Ability
    def initialize(user)
        if user.nil?
            cannot :manage, :all
        elsif user.genre == 1 or user.genre == 2 or user.genre == 3
            can :manage, :all
        else
            cannot :manage, :all
        end
    end
end

users_controller.rb 如下：

# coding: utf-8
class Admin::UsersController < Admin::BaseController

  before_action :find_user, only: [:edit, :update, :password, :change_password, :destroy]

  def index
  end

  def new
    @user = User.new
  end

  def edit
  end

  def create
    @user = User.new(user_params)
    if @user.save
      redirect_to admin_users_url, notice: '新建成功！'
    else
      render :new
    end
  end

  def update
    get_user_params = user_params
    get_user_params.except!(:password, :password_confirmation) if user_params[:password].blank? && user_params[:password_confirmation].blank?
    if @user.update(get_user_params)
      redirect_to admin_users_url, notice: '更新成功！'
    else
      render :edit
    end
  end

  def password
    render json: @user
  end

  def change_password
    if @user.update(user_params)
      redirect_to "/admin/users"
    else
      redirect_to "/admin/users"
    end
  end

  def destroy
    @user.state? ? @user.update(state: false) : @user.update(state: true)
    redirect_to admin_users_url
  end

  private

  def find_user
    @user = User.find(params[:id])
  end

  def user_params
    params.require(:user).permit(:email, :password, :password_confirmation, :remember_me, :username, :user_pic , :genre, :description, :phone, :phone_verify, :private_token, :weibo_uid, :qq_uid, :wechat_uid, :twitter_uid, :message_count ,:background_image_pic , :source , :_alias , :comments_push_switch , :praises_push_switch , :letter_push_switch , :letter_count, :address, :status)
  end
end

base_controller.rb 如下：

# coding: utf-8
class Admin::BaseController < ApplicationController
  layout 'admin'
  before_filter :authenticate_user!
  authorize_resource

  private

  def current_ability
    @current_ability ||= AdminAbility.new(current_user)
  end

end

jasonliu #0 April 04, 2016

首先建议使用 cancancan，其次把你 ability.rb 和 user controller 的代码贴出来，你这里提供的信息太少了。

easonlovewan #1 April 04, 2016

@jasonliu code 贴出来了，user_controller 里边儿没东西，正常的 crud 操作

Rei #2 April 04, 2016

#2 楼 @easonlovewan 我不信那里没东西。

easonlovewan #3 April 04, 2016

#3 楼 @rei 😳贴出来了

Rei #4 April 04, 2016

#4 楼 @easonlovewan 看 Admin::BaseController

jasonliu #5 April 04, 2016

根据你的 ability.rb 的定义，你的当前 user 要么不存在，要么 genre 不在 1，2，3 的范围内，最好是在 index 方法里面把 current_user 的信息打印出来

jasonliu #6 April 04, 2016

个人猜测你当前并没有处于登陆状态，所以 user 是 nil，因此没有任何操作权限。

官方文档已经告诉你 current user 会传递到 initialize 方法，如果处于未登陆状态，你只有创建一个 guest user。

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.admin?
      can :manage, :all
    else
      can :read, :all
    end
  end
end

You need to Sign in before reply, if you don't have an account, please Sign up first.