cancan is a tiny permission controller based on the Ruby CanCan library. Once a user's abilities are defined, you can easily check that user's permissions.
pip install cancan
Inherit from cancan.Ability and use the add method to add user abilities.
def add(self, action=None, subject=None, **conditions)
"""
Abilities are added using two arguments.
The first one is the action you're setting the permission for,
the second one is the class of object you're setting it on.
The remaining keyword arguments are either the subject's attributes that must match
or a function to be tested.
self.add('update', Article)
self.add('update', Article, user_id=1)
self.add('update', Article, user_id=1, title='hello')
self.add('update', Article, function=test_title)
"""
import cancan
class User(object):
    """Minimal user record for the examples: an id, a display name and a role string."""

    def __init__(self, id, name, role):
        # Stored verbatim; `role` is what the example Ability classes branch on.
        self.id, self.name, self.role = id, name, role
class Article(object):
    """Minimal subject record for the examples: a title and the owning user's id."""

    def __init__(self, title, user_id):
        # `user_id` is the attribute the example conditions compare against.
        self.title, self.user_id = title, user_id
class Ability(cancan.Ability):
    """Example ability set: admins may do anything, everyone else gets a fixed list of grants."""

    def __init__(self, user):
        # NOTE(review): does not call super().__init__(); presumably the base class
        # tolerates this — confirm against the library.
        if user.role == 'admin':
            # 'manage' on 'all' is the catch-all grant.
            self.add('manage', 'all')
            return
        # Non-admin: read/create any Article, update only Articles they own.
        for action in ('read', 'create'):
            self.add(action, Article)
        self.add('update', Article, user_id=user.id)
        self.add('create', 'bbb')
# --- admin: 'manage'/'all' grants every action on every subject ---
admin = User(1, 'neven', 'admin')
ability = Ability(admin)
for action in ('read', 'create', 'delete', 'aaa'):
    ability.can(action, Article)  # True for each, including actions never defined
for subject in ('bbb', 'ccc'):
    ability.can('create', subject)  # True for each

# --- regular user: only what was explicitly granted ---
user = User(2, 'joe', 'user')
ability2 = Ability(user)
ability2.can('read', Article)  # True
ability2.can('create', Article)  # True
for action in ('delete', 'aaa'):
    ability2.can(action, Article)  # False
ability2.can('create', 'bbb')  # True
ability2.can('create', 'ccc')  # False

# --- instance checks: conditions are only evaluated against an instance ---
article = Article('hello', 2)
ability.can('update', article)  # True (admin)
ability2.can('update', article)  # True: article.user_id matches user.id
# True even though no condition is checked: a class-level check skips conditions,
# so an authorization decision must be made against the concrete instance.
ability2.can('update', Article)
import cancan
def test_title_gt_100(article):
return len(article.title) > 100
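def another_test(article, id, len_title):
    """Condition callback with extra arguments.

    Returns True when ``article.user_id`` is below ``id`` and ``article.title``
    is longer than ``len_title`` characters. The extra values are supplied via
    ``func_args`` / ``func_kwargs`` on ``Ability.add``.
    """
    # Fix: the original compared against ``len_article``, a name that is never
    # defined, so every call raised NameError.
    return article.user_id < id and len(article.title) > len_title


# Backward-compatible alias for the original (misspelled) name.
anoter_test = another_test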
class Ability(cancan.Ability):
    """Example ability set using an action alias, an explicit deny and condition callbacks."""

    def __init__(self, user):
        # NOTE(review): does not call super().__init__(); presumably the base class
        # tolerates this — confirm against the library.
        # 'cru' stands for create+read+update wherever an action is matched.
        self.alias_action('create', 'read', 'update', to='cru')
        grant = {
            'admin': self._grant_admin,
            'editor': self._grant_editor,
        }.get(user.role, self._grant_default)
        grant(user)

    def _grant_admin(self, user):
        # Catch-all grant with one explicit deny carved out of it.
        self.add('manage', 'all')
        self.addnot('destroy', 'gem')

    def _grant_editor(self, user):
        self.add('cru', Article)
        self.add(['read', 'create'], 'gem')
        # Condition callbacks receive the checked instance (plus extra args for
        # another_test); as shown in the checks below they only apply to instance checks.
        self.add('update', Article, function=test_title_gt_100)
        self.add('delete', Article, function=another_test,
                 func_args=(10,), func_kwargs={"len_title": 4})

    def _grant_default(self, user):
        self.add('create', Article)
        self.add('update', Article, user_id=user.id)
        self.add('create', 'bbb')
# --- editor: action alias plus per-rule condition callbacks ---
editor = User(3, 'kali', 'editor')
ability3 = Ability(editor)
for action in ('create', 'update', 'cru'):
    ability3.can(action, Article)  # True: 'cru' aliases create/read/update
for action in ('read', 'create'):
    ability3.can(action, 'gem')  # True

article = Article('world', 1)
ability3.can('update', article)  # False: title is not longer than 100 chars
ability3.can('delete', article)  # True: user_id 1 < 10 and title longer than 4 chars
article = Article('world' * 100, 1)
ability3.can('delete', article)  # True
see example.py
see django_example
一个网站一般都有后台管理功能,后台管理的人员分系统管理员和普通管理员,如果是论坛的话,前台又有好几个角色,版主,总版主,VIP用户,认证用户等等,如果自己去重新去设计的话费时不说可能还不到位,最好有插件,简单配置一下,就可以用了,gem的设计也是出于这个理念,google了一番,CanCan用得比较多,就用这个吧。 1.安装CanCan,编辑Gemfile gem 'cancan', '~> 1.
15 November 2014 简介 权限存取设计是在开发 Application 中相当棘手的问题。 在网站开始建设的初期,通常这样的问题并不会浮现,毕竟一般人的需求大半只会有 user 和 admin 两种角色。但是随著网站演化,更多的业务需求浮现,第三种角色的出现,通常就会把原本干净的 code 弄得肮脏不堪。 多种角色的权限设计难题 当只有 user 和 admin 的情况下,你可以在
Rails插件:CanCan权限验证插件学习总结 CanCan是rails下的一个用于限制用户对网站资源访问控制权限的插件,所有的权限都定义在一个文件中(ability.rb)。 1.安装 在gemfile中加上gem ‘cancan’ 2.注意要点 注意:CanCan需要调用controller中的current_user方法来获取当前登录的用户对象,当然也允许用户修改这个方法名称,如下: (1