问题
The issue
A Spree admin controller without corresponding model, whose access trial redirect to an other page.
The corresponding attempt code:
module Spree
module Admin
class TutorialsController < Spree::Admin::BaseController
authorize_resource :class => false
def index
end
end
end
end
And in app/models/spree/ability_decorator.rb
the following was added:
can :manage, :'tutorial'
can :manage, :'admin/tutorial'
can :manage, :'admin_tutorial'
can :manage, :'spree/admin/tutorial'
can :manage, :'spree_admin_tutorial'
But none of these authorizations will do the trick. Of course adding can :manage, :all
at this place will make the page reachable as desired, so this is definitely solution close to that which is needed but less permissive that is looked for here. Even using skip_authorization_check
in the controller won't do the trick, the request will be redirected to admin/products
with these corresponding initial logs:
Started GET "/admin/tutorials" for 127.0.0.1 at 2020-04-30 17:11:28 +0200
Processing by Spree::Admin::TutorialsController#index as HTML
Spree::Preference Load (2.9ms) SELECT "spree_preferences".* FROM "spree_preferences" WHERE "spree_preferences"."key" = $1 LIMIT $2 [["key", "spree/backend_configuration/locale"], ["LIMI
T", 1]]
↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/bundler/gems/spree_i18n-a03ecad00a1e/lib/spree_i18n/controller_locale_helper.rb:21
Spree::User Load (3.2ms) SELECT "spree_users".* FROM "spree_users" WHERE "spree_users"."deleted_at" IS NULL AND "spree_users"."id" = $1 ORDER BY "spree_users"."id" ASC LIMIT $2 [["id",
194], ["LIMIT", 1]]
↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98
Spree::Role Load (3.4ms) SELECT "spree_roles".* FROM "spree_roles" INNER JOIN "spree_role_users" ON "spree_roles"."id" = "spree_role_users"."role_id" WHERE "spree_role_users"."user_id" =
$1 [["user_id", 194]]
↳ /home/psychoslave/.rvm/gems/ruby-2.5.1@project/gems/activerecord-5.2.2/lib/active_record/log_subscriber.rb:98
Spree::Producer Load (2.6ms) SELECT "spree_producers".* FROM "spree_producers" WHERE "spree_producers"."id" = $1 LIMIT $2 [["id", 16], ["LIMIT", 1]]
↳ app/models/spree/ability_decorator.rb:123
Redirected to http://localhost:5000/forbidden
Completed 302 Found in 80ms (ActiveRecord: 41.4ms)
And after a few other redirections, the request lead to the previously stated path.
Pertaining related resources
- Adding a Controller without corresponding model while using cancancan proposes a solution which unfortunately didn't work in this case.
- How to authorize namespace, model-less controllers using CanCanCan? suggest the use of
skip_authorization_check
回答1:
There was no need for special ability after all in this case. The Spree::BaseController
sets the correct permissions to grant the aimed access, unlike Spree::Admin::BaseController
. To keep the CSS style consistent, an explicit layout
statement is required.
module Spree
module Admin
class TutorialsController < Spree::BaseController
layout 'spree/layouts/admin'
def index; end
end
end
end
来源:https://stackoverflow.com/questions/61527088/how-do-you-authorize-access-to-a-page-dealed-by-a-controller-without-correspondi