User cancan to management permission

Gemfile

@@ -39,6 +39,9 @@ gem 'omniauth-github'
 gem 'omniauth-xiaonei'
 gem 'omniauth-douban-oauth2'
 
+# permission control
+gem "cancan"
+
 # To use ActiveModel has_secure_password
 gem 'bcrypt-ruby', '~> 3.0.0'
 

Gemfile.lock

@@ -31,6 +31,7 @@ GEM
     arel (3.0.2)
     bcrypt-ruby (3.0.1)
     builder (3.0.3)
+    cancan (1.6.7)
     capistrano (2.13.4)
       highline
       net-scp (>= 1.0.0)
@@ -185,6 +186,7 @@ PLATFORMS
 
 DEPENDENCIES
   bcrypt-ruby (~> 3.0.0)
+  cancan
   capistrano
   client_side_validations
   coffee-rails

app/assets/javascripts/application.js

@@ -8,7 +8,4 @@
 //= require jquery_ujs
 //= require twitter/bootstrap
 //= require rails.validations
-//= require twitter/bootstrap/bootstrap-modal.js
-//= require twitter/bootstrap/bootstrap-transition.js
-//= require twitter/bootstrap/bootstrap-dropdown.js
 //= require global.js

app/controllers/application_controller.rb

@@ -1,24 +1,24 @@
 # -*- encoding : utf-8 -*-
 class ApplicationController < ActionController::Base
   protect_from_forgery
-  #before_filter :authorize
+  authorize_resource
 	before_filter :get_tags
 
-  helper_method :current_user
+  helper_method :current_user, :logined?
 
   def current_user
     @current_user || User.find_by_id(session[:user_id])
   end
 
-  protected
-  def authorize
-    @current_user = User.find_by_id(session[:user_id])
-
-    unless @current_user
-      redirect_to login_url
-    end
+  def logined?
+    !!current_user
+  end
+
+  rescue_from CanCan::AccessDenied do |exception|
+    redirect_to root_url, flash: { error: exception.message }
   end
 
+  protected
   def get_tags
     @tags = Tag.all
   end

app/controllers/sessions_controller.rb

@@ -1,4 +1,5 @@
 class SessionsController < ApplicationController
+  skip_authorize_resource
   def create
     omniauth = request.env['omniauth.auth']
     auth = Authorization.where(provider: omniauth['provider'], uid: omniauth['uid']).first_or_create do |auth|

app/controllers/users_controller.rb

@@ -97,7 +97,7 @@ def login
 
   def logout
     reset_session
-    redirect_to articles_url, :notice => "Logged our"
+    redirect_to articles_url
   end
 
   def about

app/models/ability.rb

@@ -0,0 +1,12 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    user ||= User.new # guest user (not logged in)
+    if user.admin?
+      can :manage, :all
+    else
+      can :read, :all
+    end
+  end
+end

app/models/user.rb

@@ -5,5 +5,9 @@ class User < ActiveRecord::Base
   attr_accessible :name, :email, :image_url
   has_many :authorizations
 
-  validates :name, :presence => true
+  validates :name, :email, :presence => true
+
+  def admin?
+    email == APP_CONFIG['admin_email']
+  end
  end

app/views/articles/_article.html.haml

@@ -11,7 +11,7 @@
         - article.tags.each do |tag|
           = link_to  tagged_articles_url(tag) do
             %span.label #{tag.name}
-    -if session[:user_id]
+    -if logined? && current_user.admin?
       %span.operation
         = link_to t('edit'), edit_article_path(article)
         = link_to t('destroy'), article, :confirm => 'Are you sure?', :method => :delete

app/views/articles/index.html.haml

@@ -1,4 +1,10 @@
--if session[:user_id]
+-%w(success error info).each do |type|
+  -if flash[type.to_sym]
+    %div{class: "alert alert-#{ type }"}
+      %a{class: "close", "data-dismiss" => "alert", href: "#"}×
+      = raw flash[type.to_sym]
+
+-if logined? && current_user.admin?
   .top_operation= link_to t('new_article'), new_article_path
 
 = render @articles

app/views/articles/show.html.haml

@@ -10,7 +10,7 @@
         - @article.tags.each do |tag|
           = link_to tagged_articles_url(tag) do
             %span.label #{tag.name}
-    -if session[:user_id]
+    -if logined? && current_user.admin?
       %span.operation
         = link_to t('edit'), edit_article_path(@article)
         = link_to t('back'), articles_path

app/views/layouts/_aside.html.haml

@@ -1,28 +1,11 @@
 %aside#global-aside
-  #login-form.modal.fade
-    = form_tag login_url do
-      .modal-header
-        %a.close{'data-dismiss' => 'modal'} x
-        %h3 管理员登录
-      .modal-body
-        .field
-          %label{:for => 'name'} 昵称：
-          = text_field_tag :name, params[:name]
-        .field
-          %label{:for => 'password'} 密码：
-          = password_field_tag :password, params[:password]
-        .clearfix
-      .modal-footer
-        %button.btn{:type => 'submit'} 登录
   %header
     = link_to 'Reyes Yang', '/', :id => 'logo'
     %h3#me
       = link_to '吾', '/about'
       #passage
-        - if session[:user_id]
+        - if logined?
           = link_to '注销', logout_path, :confirm => 'Are you sure?', :method => :delete
-        - else
-          %a{:href => '#login-form', 'data-toggle' => 'modal'} 登录
 
 
   %section#aside_tags

config/locales/zh_CN.yml

@@ -71,3 +71,12 @@ zh_CN:
     previous_label: "← 上一页"
     next_label: "下一页 →"
     page_gap: "…"
+
+  unauthorized:
+    manage:
+      all: 您无权访问 %{action} %{subject}
+      user: 您无权操作用户信息
+    update:
+      article: 您无权更新文章
+    create:
+      article: 您无权发表文章

config/routes.rb

@@ -62,7 +62,6 @@
   delete 'logout' => 'users#logout'
   get "about" => "users#about"
 
-  resources :users
   resources :articles do
     collection do
       get 'tagged/:tag_id', :action => 'tagged', :as => 'tagged'