In trying to debug use of CanCan, I found that if I use the following I can get past the AccessDenied message:
can :manage, Model
When I changed it to the following I am denied access:
can :read, Model
can :create, Model
can :update, Model
can :destroy, Model
What does manage include that the combination of read, create, update and destroy do not?
Thanks.
By default CanCan maps :read, :create etc. to the relevant controller actions, e.g.:
def default_alias_actions
  {
    :read => [:index, :show],
    :create => [:new],
    :update => [:edit],
  }
end
But, of course, you're not restricted to having just those actions in your controller; ultimately a controller action can have any name. By the same token you're not restricted to having just :read, :create, :update, :destroy in CanCan. You can alias any symbol to any controller action. Let us say you have an action on your controller called do_cool_things; you can then alias any symbol to that action to be used by CanCan, e.g.:
alias_action :do_cool_things, :to => :coolify
You would then be able to do this:
can :coolify, Neighborhood
Which means the current user would have access to the :do_cool_things method of the NeighborhoodsController. However, if you had used :manage you wouldn't need to define this separate action, since :manage is a catch-all. So if you had done:
can :manage, Neighborhood
The current user would still have had access to the :do_cool_things method of the controller.
So, :manage lets you do anything, but :read, :create, :update and :destroy are only 4 of an infinite number of CanCan actions that you can define and map to any controller action you choose.
You can define custom actions. (When you define a user's abilities for a given model, you are not restricted to the 7 RESTful actions (create, update, destroy, etc.); you can create your own.) If you have manage all, you would be able to access those custom actions too.
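The difference both answers describe, as an added example that is not part of the original posts and is not CanCan's own code: a simplified stand-in for the gem's action matching that lists which controller actions a rule set leaves unauthorized. ToyAbility, denied, ability_with and the ACTIONS list are hypothetical names; the alias table and the Neighborhood / do_cool_things / coolify names come from the answer above.

```ruby
# Simplified stand-in for CanCan's action matching; not the gem's code.
class ToyAbility
  # Default aliases as quoted in the answer above.
  DEFAULT_ALIASES = { read: [:index, :show], create: [:new], update: [:edit] }.freeze

  def initialize
    @aliases = DEFAULT_ALIASES.transform_values(&:dup)
    @rules = []
  end

  # Mirrors the call shape: alias_action :do_cool_things, :to => :coolify
  def alias_action(*actions, to:)
    (@aliases[to] ||= []).concat(actions)
  end

  def can(action, subject)
    @rules << [action, subject]
  end

  # :manage matches every action name; other rules match only their aliases.
  def can?(action, subject)
    @rules.any? do |rule_action, rule_subject|
      next false unless rule_subject == :all || rule_subject == subject
      rule_action == :manage || expand(rule_action).include?(action)
    end
  end

  # Controller actions the current rules leave unauthorized.
  def denied(controller_actions, subject)
    controller_actions.reject { |a| can?(a, subject) }
  end

  private

  # The rule's own action plus everything aliased to it, recursively.
  def expand(action, seen = [])
    return [] if seen.include?(action)
    seen << action
    [action] + (@aliases[action] || []).flat_map { |a| expand(a, seen) }
  end
end

Neighborhood = Class.new # hypothetical model, named as in the answer
ACTIONS = %i[index show new create edit update destroy do_cool_things].freeze

# Builds an ability that grants each listed action on Neighborhood.
def ability_with(*actions)
  ToyAbility.new.tap { |a| actions.each { |x| a.can(x, Neighborhood) } }
end
```

Running `denied` over a controller's full action list is a quick way to see what replacing `:manage` with explicit rules stops authorizing, and what `:manage` was silently granting.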