How do you authorize access to a page dealed by a controller without corresponding model with Cancancan?

浪尽此生 提交于 2020-06-01 05:39:29

问题


The issue

A Spree admin controller without corresponding model, whose access trial redirect to an other page.

The corresponding attempt code:

module Spree
  module Admin
    class TutorialsController < Spree::Admin::BaseController
      authorize_resource :class => false

      def index
      end
    end
  end
end

And in app/models/spree/ability_decorator.rb the following was added:

  can :manage, :'tutorial'
  can :manage, :'admin/tutorial'
  can :manage, :'admin_tutorial'
  can :manage, :'spree/admin/tutorial'
  can :manage, :'spree_admin_tutorial'

But none of these authorizations will do the trick. Of course adding can :manage, :all at this place will make the page reachable as desired, so this is definitely solution close to that which is needed but less permissive that is looked for here. Even using skip_authorization_check in the controller won't do the trick, the request will be redirected to admin/products with these corresponding initial logs:

Started GET "/admin/tutorials" for 127.0.0.1 at 2020-04-30 17:11:28 +0200                                                                                                                     
Processing by Spree::Admin::TutorialsController#index as HTML                                                                                                                                 
  Spree::Preference Load (2.9ms)  SELECT  "spree_preferences".* FROM "spree_preferences" WHERE "spree_preferences"."key" = $1 LIMIT $2  [["key", "spree/backend_configuration/locale"], ["LIMI
T", 1]]                                                                                                                                                                                       
  ↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/bundler/gems/spree_i18n-a03ecad00a1e/lib/spree_i18n/controller_locale_helper.rb:21                                                    
  Spree::User Load (3.2ms)  SELECT  "spree_users".* FROM "spree_users" WHERE "spree_users"."deleted_at" IS NULL AND "spree_users"."id" = $1 ORDER BY "spree_users"."id" ASC LIMIT $2  [["id", 
194], ["LIMIT", 1]]                                                                                                                                                                           
  ↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98                                                                        
  Spree::Role Load (3.4ms)  SELECT "spree_roles".* FROM "spree_roles" INNER JOIN "spree_role_users" ON "spree_roles"."id" = "spree_role_users"."role_id" WHERE "spree_role_users"."user_id" = 
$1  [["user_id", 194]]                                                                                                                                                                        
  ↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98                                                                        
  Spree::Producer Load (2.6ms)  SELECT  "spree_producers".* FROM "spree_producers" WHERE "spree_producers"."id" = $1 LIMIT $2  [["id", 16], ["LIMIT", 1]]
  ↳ app/models/spree/ability_decorator.rb:123                                                  
Redirected to http://localhost:5000/forbidden                                                                                                                                                 
Completed 302 Found in 80ms (ActiveRecord: 41.4ms)

And after a few other redirections, the request lead to the previously stated path.

Pertaining related resources

  • Adding a Controller without corresponding model while using cancancan proposes a solution which unfortunately didn't work in this case.
  • How to authorize namespace, model-less controllers using CanCanCan? suggest the use of skip_authorization_check

回答1:


There was no need for special ability after all in this case. The Spree::BaseController sets the correct permissions to grant the aimed access, unlike Spree::Admin::BaseController. To keep the CSS style consistent, an explicit layout statement is required.

module Spree
  module Admin
    class TutorialsController < Spree::BaseController
      layout 'spree/layouts/admin'
      def index; end
    end
  end
end


来源:https://stackoverflow.com/questions/61527088/how-do-you-authorize-access-to-a-page-dealed-by-a-controller-without-correspondi

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!