alias_action :index,show,:to => :read
但是,请考虑使用嵌套资源的以下场景:
resources :posts resources :comments end
如果我定义这样的能力:
# ability.rb can :read,Post can :show,Comment # comments_controller.rb load_and_authorize_resource :organization,:find_by => :permalink load_and_authorize_resource :membership,:through => :organization
事情按预期工作.但是,如果我将:read操作更改为[:index,:show]:
# ability.rb can [:index,:show],:through => :organization
我未经授权访问/ posts /:post_id / comments,/ posts /:post_id / comments /:id等.但是我仍然可以访问:index和:show for posts_controller.
如果这些动作的行为有所差异,那么这些动作可能是“别名”
在我的迷茫中,我也遇到了以下.将load_and_authorize_resource更改为以下允许的访问权限:
# ability.rb can [:index,Comment # comments_controller.rb load__resource :organization,:through => :organization
有人可以解释这里发生了什么吗?
解决方法
Both the
:indexand:showactions
point to the:readaction. But when
CanCan authorizes a parent resource it
uses the:readaction directly which
is why you’re seeing this behavior.I think this has caused confusion
before,so I will change the internal
behavior to never use the:read
action directly. Instead of a
:parentresource I’ll change it to
use:showand for the
accessible_bydefault I will use
:indexinstead of:read. Thanks
for bringing this to my attention.
