I need to use CanCanCan to restrict every user to viewing only their own data, or to allow limited visibility into other people's data.
I tried the following, but it does not work:
```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new           # guest user (not logged in)
    affiliate ||= Affiliate.new # guest user (not logged in)
    # NOTE: `affiliate` is a local variable that is always a fresh Affiliate
    # with a nil id here; the signed-in affiliate is never passed in.
    # guest ||= U

    # Admin
    if user.admin?
      can :manage, :all
    elsif user.seller?
      can :manage, Listing, user_id: user.id
      can :read, Listing
      can :manage, Order, buyer_id: user.id
      can :manage, Order, seller_id: user.id
      can :manage, StripeAccount, user_id: user.id
      can :manage, BankAccount, user_id: user.id
      can :manage, User, user_id: user.id
    elsif affiliate
      can :manage, User, affiliate_id: affiliate.id
      can :read, Order
      can :manage, StripeAccount, affiliate_id: affiliate.id
      can :manage, Affiliate, affiliate_id: affiliate.id
    # Buyer
    elsif user.buyer?
      can :read, Listing
      can [:create, :read, :edit, :purchases, :update], Order, buyer_id: user.id
    # Guest
    else
      can :read, Listing
      can [:create, :order_confirmation], Order
      # can :create, User
    end
  end
end
```
When I log in as an affiliate, it does not let me view the StripeAccount associated with affiliate.id, even though it is right there in the model.
I have two models, User and Affiliate.
User has a role enum with values 1, 2, 3 (admin is 3). Affiliate has a role enum with values 1, 2.
I need to set restrictions for each Devise model and for each role within each Devise model.
This seems to solve it, still testing:
```ruby
private

def current_ability
  @current_ability ||= Ability.new(current_user, current_affiliate)
end
```
Then:
```ruby
def initialize(user, affiliate)
  # rules as above, now with the signed-in affiliate available
end
```
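As an added illustration (not the poster's code), here is a runnable sketch of the two-argument `Ability` the update above moves to. It uses a small stand-in for `CanCan::Ability` so it runs without the gem, and constructed `User`, `Affiliate` and `StripeAccount` structs; the point it makes is that affiliate-scoped rules must only be added when a real affiliate is signed in, because an `Affiliate.new` placeholder has a nil id and `affiliate_id: nil` would match every StripeAccount row with no affiliate.

```ruby
Rule = Struct.new(:actions, :subject, :conditions)

# Stand-in for CanCan::Ability so the example runs without the gem: same
# `can` signature, and a conditions hash must match the record's attributes.
class MiniAbility
  def initialize; @rules = []; end
  def can(actions, subject, conditions = {})
    @rules << Rule.new(Array(actions), subject, conditions)
  end
  def can?(action, record)   # :manage covers every action, :all every subject
    @rules.any? do |r|
      (r.actions.include?(:manage) || r.actions.include?(action)) &&
        (r.subject == :all || record.is_a?(r.subject)) &&
        r.conditions.all? { |attr, val| record.public_send(attr) == val }
    end
  end
end

# Constructed models; role follows the post's enum (3 = admin, 2 = seller).
User = Struct.new(:id, :role)
Affiliate = Struct.new(:id)
StripeAccount = Struct.new(:user_id, :affiliate_id)

# One argument per Devise model, nil when that model is not signed in.
class Ability < MiniAbility
  def initialize(user, affiliate)
    super()
    if user && user.role == 3
      can :manage, :all
    elsif user && user.role == 2
      can :manage, StripeAccount, user_id: user.id
    end
    # Affiliate rules only when a real affiliate is signed in: an
    # `Affiliate.new` placeholder has id nil, and `affiliate_id: nil`
    # would match every StripeAccount row that has no affiliate.
    if affiliate && affiliate.id
      can :manage, StripeAccount, affiliate_id: affiliate.id
    end
  end
end
def affiliate_sees_own_account?
  Ability.new(nil, Affiliate.new(7)).can?(:read, StripeAccount.new(nil, 7))
end
def affiliate_blocked_from_others?
  !Ability.new(nil, Affiliate.new(7)).can?(:read, StripeAccount.new(nil, 8))
end
def guest_cannot_claim_orphan_row?
  !Ability.new(nil, nil).can?(:read, StripeAccount.new(nil, nil))
end
```

With the real gem, `Ability.new(current_user, current_affiliate)` in the controller passes nil for whichever Devise model is not signed in, which is what the `if affiliate && affiliate.id` guard relies on.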