Ruby on Rails
mlwrm, 2016-04-08 14:02:29

Why can't I access some pages?

I use cancancan for authorization and devise for authentication.

class Ability
  include CanCan::Ability

  def initialize(user)
    # Everyone, including guests, may read everything
    can :read, :all

    if user && user.role?(:admin)
      can :access, :rails_admin
      can :dashboard
      can :manage, :all
    elsif user && user.role?(:user)
      can :create, [Post, Comment]
      can :update, Post, user_id: user.id
      can :update, User, id: user.id
      can [:update, :destroy], Comment, user_id: user.id
    elsif user && user.role?(:moderator)
      can [:create, :update, :destroy], [Post, Comment]
    end
  end
end

Here is my controller:

class PostsController < ApplicationController
  before_action :authenticate_user!, except: [:index, :show]
  # Authorizes every action under its own name (index, show, withtag, ...)
  load_and_authorize_resource

  def index
    @posts = Post.all.order('created_at DESC')
  end

  # Custom action: posts carrying a given tag
  def withtag
    if params[:tag]
      @posts = Post.tagged_with(params[:tag]).order('created_at DESC')
      @tagname = params[:tag]
      @tag = Tag.find_by_name(params[:tag])
    end
  end

  # Custom action: posts matching any of the current user's subscribed tags
  def usernews
    @posts = []
    allPosts = Post.all.order('created_at DESC')
    userTags = current_user.subscribed_tags.map(&:name)
    allPosts.each do |post|
      postTags = post.tag_list.split(',')
      userTags.each do |tag|
        if postTags.include?(tag)
          @posts.push(post)
          break
        end
      end
    end
  end

  # Custom action: posts by a specific user (params[:id] is a User id here)
  def userposts
    @user = User.find(params[:id])
    @posts = Post.where(user_id: @user.id).order('created_at DESC')
  end

  def new
    @post = Post.new
  end

  def create
    @post = current_user.posts.build(post_params)
    @post.user_id = current_user.id

    if @post.save
      redirect_to @post
    else
      render 'new'
    end
  end

  def show
    @post = Post.find(params[:id])
  end

  def edit
    @post = Post.find(params[:id])
  end

  def update
    @post = Post.find(params[:id])

    if @post.update(post_params)
      redirect_to @post
    else
      render 'edit'
    end
  end

  def destroy
    @post = Post.find(params[:id])
    @post.destroy

    redirect_to root_path
  end

  private

  def post_params
    params.require(:post).permit(:title, :body, :image, :tag_list)
  end
end

When I try to view the news feed, posts by tag, or posts by a specific user while a non-admin user is logged in, I get:
You are not authorized to access this page

If the user and the moderator are given
can :manage, :all

then there are no problems with access. I don't understand why it won't let them in without it, since can :read, :all is written.
How do I solve the access problem?

1 answer(s)
Andrey Demidenko, 2016-04-08
@malworm

You don't have a policy for these methods in ability.rb.
Something like this:

# ability.rb
...
elsif user && user.role?(:user)
  ...
  can :read, :tags

# posts_controller.rb
def withtag
  authorize! :read, :tags
  if params[:tag]
    @posts = Post.tagged_with(params[:tag]).order('created_at DESC')
    @tagname = params[:tag]
    @tag = Tag.find_by_name(params[:tag])
  end
end

If this action does not require an authorization check, you can skip it in the controller, like this:
Or you can use the :except / :only options of load_and_authorize_resource.
In general, it's better to study the gem's docs on GitHub)
In your case, here and here.
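To make the answer's point concrete, here is an added example (not the asker's code and not the cancancan gem) that models only the part of CanCan's rule matching at work here: the default action aliases and action/subject matching, without attribute conditions such as user_id: user.id. Post and Comment are stubs, and the asker's :user branch is reduced to the two rules that matter.

```ruby
# Stand-in for the part of CanCanCan's rule matching that explains the question.
# Not the gem and not the asker's code: it models action aliases and
# action/subject matching only, not conditions like user_id: user.id.
class Post; end      # stub models, assumed from the question
class Comment; end

# CanCan's default aliases: a rule on :read also matches :index and :show,
# :create matches :new, :update matches :edit. A custom action such as
# :withtag has no alias, so a :read rule never covers it.
ALIASES = { read: [:index, :show], create: [:new], update: [:edit] }.freeze

Rule = Struct.new(:actions, :subjects)

class MiniAbility
  def initialize
    @rules = []
  end

  # Mirrors `can action(s), subject(s)`: store the alias-expanded action list.
  def can(actions, subjects)
    expanded = Array(actions).flat_map { |a| [a] + ALIASES.fetch(a, []) }
    @rules << Rule.new(expanded, Array(subjects))
  end

  # Mirrors `can?`: a rule grants access when it lists the action and
  # either the subject itself or :all.
  def can?(action, subject)
    @rules.any? do |r|
      r.actions.include?(action) &&
        (r.subjects.include?(:all) || r.subjects.include?(subject))
    end
  end
end

# load_and_authorize_resource authorizes each PostsController action under
# its own name against Post, custom actions included.
def authorized?(ability, action)
  ability.can?(action, Post)
end

# The question's :user branch, reduced to the rules relevant here.
def asker_ability
  a = MiniAbility.new
  a.can :read, :all
  a.can :create, [Post, Comment]
  a
end

# Same rules plus explicit grants for the controller's custom actions.
def fixed_ability
  a = asker_ability
  a.can [:withtag, :usernews, :userposts], Post
  a
end
```

Because load_and_authorize_resource runs before the action body, the name it checks is the controller action's own, which is why the rules must name those actions (or the filter must be limited with :only / :except) rather than relying on :read.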
