blocks|key|3181894|text|到目前为止这是不可能的。但根据这一点：https://github.com/ryanb/cancan/issues/326这个特性应该在CanCan2.0中。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|3181895|更新:你可以在CanCan+2.0分支上看到这个：https://github.com/ryanb/cancan/tree/2.0在“资源属性”一节中|3181896|entityMap|0|LINK|mutability|MUTABLE|url|https://github.com/ryanb/cancan/issues/326|1|https://github.com/ryanb/cancan/tree/2.0^0|J|16|0|0|P|14|1|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@$A|Q|B|R|1|S]]|C|$]]|$1|D|3|E|5|6|7|T|8|@]|9|@$A|U|B|V|1|W]]|C|$]]|$1|F|3|-4|5|6|7|X|8|@]|9|@]|C|$]]]|G|$H|$5|I|J|K|C|$L|M]]|N|$5|I|J|K|C|$L|O]]]]

So far it is not possible. But according to this: <a href="https://github.com/ryanb/cancan/issues/326" rel="noreferrer">https://github.com/ryanb/cancan/issues/326</a> this feature should be in cancan 2.0.

Update: you can see this on CanCan 2.0 branch here: <a href="https://github.com/ryanb/cancan/tree/2.0" rel="noreferrer">https://github.com/ryanb/cancan/tree/2.0</a> in section "Resource Attributes"

blocks|key|2968117|text|有一种方法，我在我的项目中做了这样的事情。但是CanCan并不是全部的答案。您需要做的是使模型中的attr_accessible基于用户角色动态，因此，如果您是管理员，则允许您更新已发布字段。如果不是，那么当模型保存时，给字段一个新的值是不会被接受的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2968118|铁路广播公司再次伸出援手：http://railscasts.com/episodes/237-dynamic-attr-accessible|offset|length|2968119|在获取实现的后端部分之后，您可以对前端表单执行一些操作，方法是在View中包装publish字段，并使用角色检查或其他功能来根据用户显示或隐藏字段。我的实现的粗略示例...|2968120|<%25+if+current_user.roles.where(:name+=>+['Administrator','Editor']).present?+%25>
++++<%25=+f.label+:display_name+%25>
++++<%25=+f.text_field+:display_name+%25>
<%25+end+%25>|code-block|syntax|javascript|2968121|entityMap|0|LINK|mutability|MUTABLE|url|http://railscasts.com/episodes/237-dynamic-attr-accessible^0|0|D|1M|0|0|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|V|8|@]|9|@$D|W|E|X|1|Y]]|A|$]]|$1|F|3|G|5|6|7|Z|8|@]|9|@]|A|$]]|$1|H|3|I|5|J|7|10|8|@]|9|@]|A|$K|L]]|$1|M|3|-4|5|6|7|11|8|@]|9|@]|A|$]]]|N|$O|$5|P|Q|R|A|$S|T]]]]

There is a way, I did something like this in my project. But CanCan is not entirely the answer. What you need to do is make attr_accessible in your model dynamic based on user role, so if you're an admin, then you're allowed to update the published field. If not, then giving the field a new value simply won't take when the model saves.

Railscasts comes to the rescue once again: <a href="http://railscasts.com/episodes/237-dynamic-attr-accessible" rel="nofollow">http://railscasts.com/episodes/237-dynamic-attr-accessible</a>

Following getting the backend part of that implemented, then you can do something about the frontend form by wrapping the publish field in the View with a roles check or something to show or hide the field based on the user. Rough example of my implementation...

<pre><code>&lt;% if current_user.roles.where(:name =&gt; ['Administrator','Editor']).present? %&gt;
 &lt;%= f.label :display_name %&gt;
 &lt;%= f.text_field :display_name %&gt;
&lt;% end %&gt;
</code></pre>

blocks|key|273024|text|查看这篇文章：How+do+I+use+CanCan+with+rails+admin+to+check+for+ownership|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|273025|它展示了如何根据用户角色使字段不可见。|273026|更新我能够使用以下代码在rails管理中设置选项：|273027|config.model+User+do
++edit+do
++++configure+:organization+do
++++++visible+do
++++++++bindings[:view]._current_user.max_role_name+!=+'admin'+?+false+:+true
++++++end
++++end

++++configure+:organization_id,+:hidden+do
++++++visible+do
++++++++true+if+bindings[:view]._current_user.max_role_name+!=+'admin'
++++++end
++++++default_value+do
++++++++bindings[:view]._current_user.organization_id+if+bindings[:view]._current_user.max_role_name+!=+'admin'
++++++end
++++end

++++include_all_fields
++end
end|code-block|syntax|javascript|273028|如果登录的用户不是管理员，此配置将隐藏组织字段。然后，它将显示一个类型字段(设置为organization_id+=‘hidden’)并设置默认值。|273029|希望这对某些人有帮助。|273030|entityMap|0|LINK|mutability|MUTABLE|url|https://stackoverflow.com/questions/8591654/how-do-i-use-cancan-with-rails-admin-to-check-for-ownership^0|7|1N|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|Y|8|@]|9|@$A|Z|B|10|1|11]]|C|$]]|$1|D|3|E|5|6|7|12|8|@]|9|@]|C|$]]|$1|F|3|G|5|6|7|13|8|@]|9|@]|C|$]]|$1|H|3|I|5|J|7|14|8|@]|9|@]|C|$K|L]]|$1|M|3|N|5|6|7|15|8|@]|9|@]|C|$]]|$1|O|3|P|5|6|7|16|8|@]|9|@]|C|$]]|$1|Q|3|-4|5|6|7|17|8|@]|9|@]|C|$]]]|R|$S|$5|T|U|V|C|$W|X]]]]

Check out this post: <a href="https://stackoverflow.com/questions/8591654/how-do-i-use-cancan-with-rails-admin-to-check-for-ownership">How do I use CanCan with rails admin to check for ownership</a>

It shows how to make a field not visible based off a users role.

UPDATE
I was able to set options in rails admin with this code:

<pre><code>config.model User do
 edit do
 configure :organization do
 visible do
 bindings[:view]._current_user.max_role_name != 'admin' ? false : true
 end
 end

 configure :organization_id, :hidden do
 visible do
 true if bindings[:view]._current_user.max_role_name != 'admin'
 end
 default_value do
 bindings[:view]._current_user.organization_id if bindings[:view]._current_user.max_role_name != 'admin'
 end
 end

 include_all_fields
 end
end
</code></pre>

This configuration will hide the organization field if the logged in user is not an admin. It will then show an organization_id field ( set to type='hidden' ) and set the default value.

Hope this helps someone.

blocks|key|269458|text|在CanCan+2.0出现之前，我已经通过创建一个具有受限可访问性的模型子类解决了这个问题，类似于：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|269459|class+AuthorPost+<+Post
++attr_protected+:published
end|code-block|syntax|javascript|269460|然后给作者访问AuthorPosts的权限：can+:manage+=>+AuthorPost|offset|length|style|CODE|269461|然后，在您的控制器中，您可以在before_filter中设置所需的资源：|269462|before_filter+:set_resource
...
++private
++++def+set_resource
++++++if+current_user+and+current_user.author?
++++++++@resource+=+AuthorPost
++++++else
++++++++@resource+=+Post
++++++end
++++++params[:post]+%7C%7C=+params[:author_post]
++++end|269463|最后一个警告:您将不能在该控制器中使用load_and_authorize_resource。您必须手动完成此操作，详细信息如下：https://github.com/ryanb/cancan/wiki/Controller-Authorization-Example|269464|您需要用@resource替换Project。|269465|对于这种方法比铁路广播中描述的方法更有效还是更不有效，我持观望态度。出于我的目的，它完全保留了原始模型，所以我的其他代码不会受到影响--只是允许我给一些用户提供更少的可编辑字段。|269466|entityMap|0|LINK|mutability|MUTABLE|url|https://github.com/ryanb/cancan/wiki/Controller-Authorization-Example^0|0|0|M|P|0|0|0|J|R|1T|1X|0|0|4|9|F|7|0|0^^$0|@$1|2|3|4|5|6|7|14|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|15|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|16|8|@$I|17|J|18|K|L]]|9|@]|A|$]]|$1|M|3|N|5|6|7|19|8|@]|9|@]|A|$]]|$1|O|3|P|5|D|7|1A|8|@]|9|@]|A|$E|F]]|$1|Q|3|R|5|6|7|1B|8|@$I|1C|J|1D|K|L]]|9|@$I|1E|J|1F|1|1G]]|A|$]]|$1|S|3|T|5|6|7|1H|8|@$I|1I|J|1J|K|L]|$I|1K|J|1L|K|L]]|9|@]|A|$]]|$1|U|3|V|5|6|7|1M|8|@]|9|@]|A|$]]|$1|W|3|-4|5|6|7|1N|8|@]|9|@]|A|$]]]|X|$Y|$5|Z|10|11|A|$12|13]]]]

Until CanCan 2.0 comes out, I've solved this by creating a subclass of the model with restricted accessibility, something like:

<pre><code>class AuthorPost &lt; Post
 attr_protected :published
end
</code></pre>

And then give authors access to AuthorPosts: <code>can :manage =&gt; AuthorPost</code>

Then in your controller, you can set the resource you want in a before_filter:

<pre><code>before_filter :set_resource
...
 private
 def set_resource
 if current_user and current_user.author?
 @resource = AuthorPost
 else
 @resource = Post
 end
 params[:post] ||= params[:author_post]
 end
</code></pre>

One last caveat: you won't be able to use <code>load_and_authorize_resource</code> in that controller. You'll have to do that manually, as detailed here: <a href="https://github.com/ryanb/cancan/wiki/Controller-Authorization-Example" rel="nofollow">https://github.com/ryanb/cancan/wiki/Controller-Authorization-Example</a>

You'll need to replace <code>Project</code> with <code>@resource</code>.

I'm on the fence as to whether this is more or less effective than the method described in the railscast. For my purposes, it left the original model totally intact, so my other code wasn't affected--and just allowed me to give some users fewer editable fields.

I have a Post model with a <code>:published</code> attribute (boolean) and a User model with a <code>role</code> attribute (string). There are three roles: <code>ROLES = %w[admin publisher author]</code>

I don't want users whose role is author to be capable of setting, or editing, the <code>:published</code> field on the Post model.

I'm using CanCan (and RailsAdmin gem) and my simplified Ability.rb file looks like this:

<pre><code>class Ability
 include CanCan::Ability
 def initialize(user)
 user ||= User.new

 if user.role? :admin
 can :manage, :all
 elsif user.role? :publisher
 can :manage, Post
 elsif user.role? :author
 # I want to prevent these guys from setting the :published attribute
 end

 end
end
</code></pre>

Anyone got any tips for doing this sort of thing?

CanCan: limiting a user's ability to set certain model attributes based on their role

我有一个具有:published属性(boolean)的Post模型和一个具有role属性(string)的用户模型。有三个角色：ROLES = %w[admin publisher author]我不希望角色是author的用户能够在帖子模型上设置或编辑:published字段。我使用的是CanCan (和Rails...

问CanCan:限制用户根据角色设置特定模型属性的能力
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问CanCan:限制用户根据角色设置特定模型属性的能力EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问CanCan:限制用户根据角色设置特定模型属性的能力
EN