根据所有文档,读取操作都被别名为:index和:show:
alias_action :index,show,:to => :read@H_502_4@但是,请考虑使用嵌套资源的以下场景:
resources :posts resources :comments end@H_502_4@如果我定义这样的能力:
# ability.rb can :read,Post can :show,Comment # comments_controller.rb load_and_authorize_resource :organization,:find_by => :permalink load_and_authorize_resource :membership,:through => :organization@H_502_4@事情按预期工作.但是,如果我将:read操作更改为[:index,:show]:
# ability.rb can [:index,:show],:through => :organization@H_502_4@我未经授权访问/ posts /:post_id / comments,/ posts /:post_id / comments /:id等.但是我仍然可以访问:index和:show for posts_controller. @H_502_4@如果这些动作的行为有所差异,那么这些动作可能是“别名” @H_502_4@在我的迷茫中,我也遇到了以下.将load_and_authorize_resource更改为以下允许的访问权限:
# ability.rb can [:index,Comment # comments_controller.rb load__resource :organization,:through => :organization@H_502_4@有人可以解释这里发生了什么吗?
解决方法
我在GitHub上发布了这个问题.瑞恩回答说:
@H_502_4@Both the@H_502_4@https://github.com/ryanb/cancan/issues/302#comment_863142:indexand:showactions
point to the:readaction. But when
CanCan authorizes a parent resource it
uses the:readaction directly which
is why you’re seeing this behavior. @H_502_4@I think this has caused confusion
before,so I will change the internal
behavior to never use the:read
action directly. Instead of a
:parentresource I’ll change it to
use:showand for the
accessible_bydefault I will use
:indexinstead of:read. Thanks
for bringing this to my attention.