http://strika.info
Nebojša Stričević odgovoriće na pitanja: Kako se definiše Pundit policy? A kako CanCanCan ability? Šta su prednosti jednog, a šta drugog? Šta treba “trpati” u sloj za autorizaciju, a šta ne?
# Pundit policy for Post. Pundit instantiates it as PostPolicy.new(user, record);
# each predicate method answers one authorization question about that pair.
class PostPolicy
  def initialize(user, post)
    @user = user
    @post = post
  end

  # May +user+ edit +post+? Only the post's own author may.
  # Note: this is the rule a view check (`policy(@post).update?`) and the
  # controller's `authorize` both consult, so the decision lives in one place.
  def update?
    post.author?(user)
  end

  private

  attr_reader :user, :post
end
<%# Pundit in the view: the `policy` helper instantiates the policy class that
    matches the record (PostPolicy here) and asks PostPolicy#update?. This only
    decides whether to *show* the link; it is not enforcement. The controller
    action must still call `authorize`, or a hand-crafted request bypasses it. %>
<% if policy(@post).update? %>
<%= link_to "Edit post", ... %>
<% end %>
# Controller side of the Pundit example. Hiding the link in the view is not
# enforcement; this `authorize` call is what actually stops a crafted request.
# It runs PostPolicy#update? for the current user against @post and raises
# when the policy returns false, so the elided update logic never runs for an
# unauthorized user. The record is loaded first because the policy needs it.
def update
  @post = Post.find(params[:id])
  authorize @post, :update?
  ...
end
# CanCanCan equivalent of PostPolicy: one Ability object holds every rule
# for +user+, keyed by action and subject class.
class Ability
  include CanCan::Ability

  # Builds the rule set for +user+.
  def initialize(user)
    # Authors may update their own posts. The block receives the concrete
    # Post instance being checked.
    can(:update, Post) { |post| post.author?(user) }
  end
end
<%# CanCanCan in the view: `can?` evaluates the Ability rules for the current
    user against this @post. As with the Pundit version, this only hides the
    link; the controller's `authorize!` is the real check. %>
<% if can? :update, @post %>
<%= link_to "Edit", ... %>
<% end %>
# Controller side of the CanCanCan example. `authorize!` (bang) raises when
# the Ability denies :update on @post, so the elided update logic below is
# only reached by an authorized user. Note the difference from the view's
# non-raising `can?`: the controller must use the raising form, otherwise a
# denied request would silently continue.
def update
  @post = Post.find(params[:id])
  authorize! :update, @post
  ...
end
class PostPolicy
  ...

  # Editing rule, extended: the post's author may edit it, and so may any
  # admin. The author check is evaluated first, exactly as before.
  def update?
    is_author = @post.author?(@user)
    is_author || @user.admin?
  end
end
class Ability
  include CanCan::Ability

  # Builds the rule set for +user+.
  def initialize(user)
    # Authors may update their own posts.
    can(:update, Post) { |post| post.author?(user) }
    # Admins get every action on every subject. This is broader than the
    # Pundit counterpart above, which only adds admin to the single
    # update? decision: `:manage, :all` covers every model and action.
    can :manage, :all if user.admin?
  end
end
<%# No authorization layer: the rule is written inline in the view. Only the author
    may edit, and only while the post is unpublished. The same rule has to be
    repeated (and kept in sync) in the controller action, which is the drift
    the Pundit/CanCanCan versions avoid. %>
<% if @post.author?(current_user) && !@post.published? %> <%= link_to "Edit Post", ... %> <% end %>
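# Hand-rolled authorization in the controller (no Pundit/CanCanCan).
# This guard must match the view's condition on the "Edit Post" link:
# the author may edit, and only while the post is still unpublished.
# Two fixes against the earlier draft: `author?` takes the acting user
# everywhere else in this file, so it is passed `current_user` here too
# (assumes the controller exposes `current_user` as the view does — confirm);
# and the published check was inverted — it rejected *unpublished* posts,
# the opposite of the view, so the link was shown for requests the
# controller then refused.
# Raises a RuntimeError when the check fails; a real app should map this
# to a 403 rather than let it surface as a 500.
def update
  @post = Post.find(params[:id])
  if !@post.author?(current_user) || @post.published?
    raise "Can't do that!"
  end
  ...
end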
class PostPolicy
  ...

  # Editing is allowed only while the post is unpublished; then the author
  # or an admin may do it. The published? guard is checked first and applies
  # to admins as well — compare the CanCanCan Ability, where the admin rule
  # has no such guard.
  def update?
    return false if @post.published?

    @post.author?(@user) || @user.admin?
  end
end
class Ability
  include CanCan::Ability

  # Builds the rule set for +user+.
  def initialize(user)
    # Authors may update their own posts, but only while unpublished.
    can(:update, Post) { |post| !post.published? && post.author?(user) }
    # Admins may do anything. This rule carries no published? guard, so an
    # admin's `can?(:update, post)` is granted even on a published post —
    # unlike PostPolicy#update?, whose guard applies to admins too.
    can :manage, :all if user.admin?
  end
end
# Check from the talk: `root` (presumably an admin user — not shown here)
# asking whether it may update `post`. With the Ability above this is
# granted regardless of post.published?, because the unconditional
# `can :manage, :all` rule matches; the Pundit PostPolicy#update? would
# still return false for a published post.
ability = Ability.new(root)
ability.can?(:update, post)
Korisnik koji sme sve.
# The Pundit rule again, for comparison with the CanCanCan result above:
# `!published?` is evaluated first and applies to every user, admins included.
!@post.published? && (@post.author?(@user) || @user.admin?)