Railscast authorization from scratch for users

Last updated: 2016-02-01

So this is the authorization code I wrote based on Railscast #386.

The problem is that the block works on all controllers except for user_controller. In other words, any user can trigger edit and update actions on any other user, even though the block given to it is the same as that of favors edit and update actions.

  # Permission rules (constructor of the Railscast #386 style Permission class)
  def initialize(user)
    allow :users, [:new, :create, :show]
    allow :sessions, [:new, :create, :destroy]
    allow :favors, [:index, :show]
    if user
      allow :users, [:edit, :update] do |usr|
        usr.id == user.id
      end
      allow :favors, [:new, :create]
      allow :favors, [:edit, :update] do |favor|
        favor.user_id == user.id
      end
      allow :acceptances, [:create, :update] do |acceptance|
        !acceptance.has_accepted_acceptance?
      end
    end
  end

Any help is highly appreciated :)
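The following is an added example, not code from the question or from the Railscast episode. It reconstructs a minimal stand-in for the episode's Permission class (the shapes of `allow` and `allow?` are assumed to match the episode's pattern) together with the rules from the question, and replaces the Rails models with constructed structs so the block semantics can be exercised outside Rails. The `authorize_edit` helper and the three `current_resource` lambdas are hypothetical; they exist only to show that an ownership block is only as good as the resource the controller hands to `allow?`, which is the point of the second comment below.

```ruby
# Constructed stand-ins for the application's models (not the asker's code).
User       = Struct.new(:id)
Favor      = Struct.new(:id, :user_id)
Acceptance = Struct.new(:id, :accepted) do
  def has_accepted_acceptance?
    accepted
  end
end

# Minimal Permission class in the style of Railscast #386 (assumed shape),
# loaded with the rules from the question.
class Permission
  def initialize(user)
    allow :users, [:new, :create, :show]
    allow :sessions, [:new, :create, :destroy]
    allow :favors, [:index, :show]
    if user
      allow :users, [:edit, :update] do |usr|
        usr.id == user.id
      end
      allow :favors, [:new, :create]
      allow :favors, [:edit, :update] do |favor|
        favor.user_id == user.id
      end
      allow :acceptances, [:create, :update] do |acceptance|
        !acceptance.has_accepted_acceptance?
      end
    end
  end

  # Register a rule: `true` for an unconditional grant, otherwise the block,
  # which is evaluated later against the resource the controller passes in.
  def allow(controllers, actions, &block)
    @allowed_actions ||= {}
    Array(controllers).each do |controller|
      Array(actions).each do |action|
        @allowed_actions[[controller.to_s, action.to_s]] = block || true
      end
    end
  end

  # A rule with a block only grants access when a resource is supplied and the
  # block returns true for it; no rule, or a nil resource, denies.
  def allow?(controller, action, resource = nil)
    allowed = @allowed_actions[[controller.to_s, action.to_s]]
    !!(allowed && (allowed == true || (resource && allowed.call(resource))))
  end
end

# Simulates the before-filter in the episode: the resource handed to allow? comes
# from a controller-provided current_resource. The lambdas below are hypothetical
# strategies a UsersController might (wrongly or rightly) implement.
def authorize_edit(current_user, target_user, current_resource)
  resource = current_resource.call(current_user, target_user)
  Permission.new(current_user).allow?(:users, :edit, resource)
end

LOOKS_UP_TARGET = ->(_me, target) { target } # the record addressed by params[:id]
RETURNS_SELF    = ->(me, _target) { me }     # hands back current_user instead
NO_RESOURCE     = ->(_me, _target) { nil }   # controller never sets a resource

if __FILE__ == $PROGRAM_NAME
  alice, bob = User.new(1), User.new(2)
  puts authorize_edit(alice, bob, LOOKS_UP_TARGET) # false: not Alice's record
  puts authorize_edit(alice, bob, RETURNS_SELF)    # true: block compares Alice to herself
  puts authorize_edit(alice, bob, NO_RESOURCE)     # false: nothing to check against
  puts Permission.new(alice).allow?(:favors, :edit, Favor.new(10, bob.id)) # false
end
```

Run the file directly to see the four outcomes. The `RETURNS_SELF` case reproduces the symptom described in the question (every logged-in user passes the users edit rule) without any change to the rule itself, which is why the resource the controller supplies is the first thing to check.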

Commenter: It is available on YouTube for anyone who doesn't have a RailsCasts subscription

Commenter: Are you authorizing the @user in the users controller?