新手问题 devise::如何阻止不同的用户访问其他用户的 “域”? 是这样称呼吗?

1272729223 · 2012年08月05日 · 最后由 1272729223 回复于 2012年08月05日 · 2476 次阅读

现在的情况是, 我创建多个不同的身份,然后发布博客,但是每个用户都可以访问其他用户发布的博客,可以编辑,删除。

如何阻止这种情况?

另外发布博客的时间和by current user这样的署名怎么弄?

共收到 6 条回复

我用的devise+cancan:

#models/ability.rb

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)

    can :manage, :all if user.is? :admin
    can :manage, :all if user.is? :default
 end

end

#models/user.rb

class User < ActiveRecord::Base
  rolify
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable

  attr_accessible :name, :email, :password, :password_confirmation, :remember_me, :roles

  ROLES = %w[admin default banned]

  def is?(role)
    roles.include(tole.to_s)
  end


end

#controllers/articles_controller.rb

class ArticlesController < ApplicationController
  load_and_authorize_resource :except => [:index, :show]

end

#db/migrate/20120804202523_add_role_to_users.rb

class AddRoleToUsers < ActiveRecord::Migration
  def change
    add_column :users, :role, :string
  end
end

#db/schema.rb

# encoding: UTF-8

ActiveRecord::Schema.define(:version => 20120804202523) do

  create_table "roles", :force => true do |t|
    t.string   "name"
    t.integer  "resource_id"
    t.string   "resource_type"
    t.datetime "created_at",    :null => false
    t.datetime "updated_at",    :null => false
  end

  add_index "roles", ["name", "resource_type", "resource_id"], :name => "index_roles_on_name_and_resource_type_and_resource_id"
  add_index "roles", ["name"], :name => "index_roles_on_name"

  create_table "users", :force => true do |t|
    t.string   "email",                  :default => "", :null => false
    t.string   "encrypted_password",     :default => "", :null => false
    t.string   "reset_password_token"
    t.datetime "reset_password_sent_at"
    t.datetime "remember_created_at"
    t.integer  "sign_in_count",          :default => 0
    t.datetime "current_sign_in_at"
    t.datetime "last_sign_in_at"
    t.string   "current_sign_in_ip"
    t.string   "last_sign_in_ip"
    t.datetime "created_at",                             :null => false
    t.datetime "updated_at",                             :null => false
    t.string   "name"
    t.string   "role"
  end

  add_index "users", ["email"], :name => "index_users_on_email", :unique => true
  add_index "users", ["reset_password_token"], :name => "index_users_on_reset_password_token", :unique => true

  create_table "users_roles", :id => false, :force => true do |t|
    t.integer "user_id"
    t.integer "role_id"
  end

  add_index "users_roles", ["user_id", "role_id"], :name => "index_users_roles_on_user_id_and_role_id"

end

#views/articles/index.html.erb


<ul class="clearfix">
  <% if can? :update, @article %>
  <li class="clearfix"><%= link_to 'Edit', edit_article_path(@article) %></li>
  <% end %>
  <% if can? :destroy, @article %>
  <li class="clearfix"><%= link_to 'Destroy', @article, method: :delete, data: {confirm: 'Are you sure?'} %></li>
  <% end %>
</ul>


#views/articles/show.html.erb

<ul class="clearfix">
  <% if can? :update, @article %>
  <li class="clearfix"><%= link_to 'Edit', edit_article_path(@article) %></li>
  <% end %>
  <% if can? :destroy, @article %>
  <li class="clearfix"><%= link_to 'Destroy', @article, method: :delete, data: {confirm: 'Are you sure?'} %></li>
  <% end %>
</ul>

现在的情况是,除了user1(估计是admin)拥有所有权限,其他身份的用户登陆之后都不能创建新的article, 显示You are not authorized to access this page.,而且也无法访问了之前由他自己发布的article的edit,destroy功能, 等于是完全变成浏览者的身份了.

cancan可以这样:

can :manage, Post, :user_id => user.id

#2楼 @bony undefined method `user_id' for #Article:0x007f8ed88c8f48 哪个地方出错了?

现在可以确定的是 我的default角色的user没有:manage的权限,不知道哪里出错

你的Post表有user_id吗?

在20120804162920_devise_create_users.rb里面看到没有:

class DeviseCreateUsers < ActiveRecord::Migration
  def change
    create_table(:users) do |t|
      ## Database authenticatable
      t.string :email,              :null => false, :default => ""
      t.string :encrypted_password, :null => false, :default => ""

      ## Recoverable
      t.string   :reset_password_token
      t.datetime :reset_password_sent_at

      ## Rememberable
      t.datetime :remember_created_at

      ## Trackable
      t.integer  :sign_in_count, :default => 0
      t.datetime :current_sign_in_at
      t.datetime :last_sign_in_at
      t.string   :current_sign_in_ip
      t.string   :last_sign_in_ip

      ## Confirmable
      # t.string   :confirmation_token
      # t.datetime :confirmed_at
      # t.datetime :confirmation_sent_at
      # t.string   :unconfirmed_email # Only if using reconfirmable

      ## Lockable
      # t.integer  :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
      # t.string   :unlock_token # Only if unlock strategy is :email or :both
      # t.datetime :locked_at

      ## Token authenticatable
      # t.string :authentication_token


      t.timestamps
    end

    add_index :users, :email,                :unique => true
    add_index :users, :reset_password_token, :unique => true
    # add_index :users, :confirmation_token,   :unique => true
    # add_index :users, :unlock_token,         :unique => true
    # add_index :users, :authentication_token, :unique => true
  end
end

但是在shema.rb里面看到这些:

ActiveRecord::Schema.define(:version => 20120804202523) do

  create_table "articles", :force => true do |t|
    t.string   "title"
    t.text     "content"
    t.datetime "created_at", :null => false
    t.datetime "updated_at", :null => false
  end

  create_table "roles", :force => true do |t|
    t.string   "name"
    t.integer  "resource_id"
    t.string   "resource_type"
    t.datetime "created_at",    :null => false
    t.datetime "updated_at",    :null => false
  end

  add_index "roles", ["name", "resource_type", "resource_id"], :name => "index_roles_on_name_and_resource_type_and_resource_id"
  add_index "roles", ["name"], :name => "index_roles_on_name"

  create_table "users", :force => true do |t|
    t.string   "email",                  :default => "", :null => false
    t.string   "encrypted_password",     :default => "", :null => false
    t.string   "reset_password_token"
    t.datetime "reset_password_sent_at"
    t.datetime "remember_created_at"
    t.integer  "sign_in_count",          :default => 0
    t.datetime "current_sign_in_at"
    t.datetime "last_sign_in_at"
    t.string   "current_sign_in_ip"
    t.string   "last_sign_in_ip"
    t.datetime "created_at",                             :null => false
    t.datetime "updated_at",                             :null => false
    t.string   "name"
    t.string   "role"
  end

  add_index "users", ["email"], :name => "index_users_on_email", :unique => true
  add_index "users", ["reset_password_token"], :name => "index_users_on_reset_password_token", :unique => true

  create_table "users_roles", :id => false, :force => true do |t|
    t.integer "user_id"
    t.integer "role_id"
  end

  add_index "users_roles", ["user_id", "role_id"], :name => "index_users_roles_on_user_id_and_role_id"

end

不太弄的明白

需要 登录 后方可回复, 如果你还没有账号请点击这里 注册