CanCan difference between :read and [:index, :show]?
According to all documentation, the :read action is aliased to both :index and :show:
alias_action :index, :show, :to => :read
However, consider the following scenario with nested resources:
resources :posts do
  resources :comments
end
If I define abilities like this:
# ability.rb
can :read, Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
things work as expected. However, if I change the :read action to [:index, :show]:
# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load_and_authorize_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
I am unauthorized to access /posts/:post_id/comments, /posts/:post_id/comments/:id, etc. I still, however, can access both :index and :show for the posts_controller.
How is it possible that these actions are "aliased", if they behave differently?
In my fiddling, I also came across the following. Changing load_and_authorize_resource to the following allowed access:
# ability.rb
can [:index, :show], Post
can :show, Comment
# comments_controller.rb
load_resource :organization, :find_by => :permalink
load_and_authorize_resource :membership, :through => :organization
Can someone explain what's going on here?
I posted this as an issue on GitHub. Ryan responded with the following:
Both the :index and :show actions point to the :read action. But when CanCan authorizes a parent resource it uses the :read action directly which is why you're seeing this behavior. I think this has caused confusion before, so I will change the internal behavior to never use the :read action directly. Instead of a :parent resource I'll change it to use :show and for the accessible_by default I will use :index instead of :read. Thanks for bringing this to my attention.
https://github.com/ryanb/cancan/issues/302#comment_863142
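The following is an added example, not code from the question or from CanCan itself. It is a small stand-alone model of how CanCan expands action aliases when a rule is defined, written to show why `can [:index, :show], Post` satisfies `can?(:index, Post)` and `can?(:show, Post)` but not the `can?(:read, Post)` check that the parent-resource authorization performs. The `MiniAbility` class, the `Post`/`Comment` stand-ins and the `parent_authorized?` helper are assumptions made for this illustration; the one piece of behaviour taken from the page is that a parent resource is authorized with :read directly.

```ruby
# Added example for this page: a minimal model of CanCan's alias expansion.
# Assumption: rule actions are expanded at definition time (an alias name
# expands to itself plus the actions it stands for), and can? then checks
# whether the requested action is in that expanded set.
class MiniAbility
  def initialize
    @aliases = {}   # alias action => list of concrete actions it stands for
    @rules   = []   # [expanded action list, subject class]
    # CanCan's default alias: :read stands for :index and :show
    alias_action :index, :show, to: :read
  end

  def alias_action(*actions, to:)
    @aliases[to] = actions
  end

  # Store a rule. :read becomes [:read, :index, :show]; [:index, :show] stays
  # as it is. Aliasing maps the alias name outwards to concrete actions, it
  # never maps a concrete action back to the alias that includes it.
  def can(actions, subject)
    @rules << [expand_actions(Array(actions)), subject]
  end

  def can?(action, subject)
    @rules.any? do |expanded, rule_subject|
      rule_subject == subject &&
        (expanded.include?(:manage) || expanded.include?(action))
    end
  end

  private

  def expand_actions(actions)
    actions.flat_map do |action|
      @aliases.key?(action) ? [action] + expand_actions(@aliases[action]) : [action]
    end.uniq
  end
end

# Stand-ins for the models in the question (constructed for this example)
class Post; end
class Comment; end

# Abilities as in the question's first ability.rb
def read_ability
  MiniAbility.new.tap do |a|
    a.can :read, Post
    a.can :show, Comment
  end
end

# Abilities as in the question's second ability.rb
def split_ability
  MiniAbility.new.tap do |a|
    a.can [:index, :show], Post
    a.can :show, Comment
  end
end

# What load_and_authorize_resource does for the *parent* resource in the
# CanCan version discussed: authorize!(:read, parent), per Ryan's reply.
def parent_authorized?(ability)
  ability.can?(:read, Post)
end

if __FILE__ == $0
  { "can :read, Post" => read_ability,
    "can [:index, :show], Post" => split_ability }.each do |label, ab|
    puts "#{label}: index=#{ab.can?(:index, Post)} show=#{ab.can?(:show, Post)} " \
         "parent(:read)=#{parent_authorized?(ab)}"
  end
end
```

Run it directly to see the two ability definitions side by side: the split definition passes the controller's own :index and :show checks but fails the :read check made for the parent, which is exactly the unauthorized response on the nested comments routes. Granting :read (or removing the authorize step for the parent with `load_resource`, as the question found) is what keeps the parent check passing in that CanCan version.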