Your first guess was right, use cancancanand you'll be good with it.

您的第一个猜测是正确的，使用cancancan并且您会很好地使用它。

EDIT Jul 24, 2015

编辑 2015 年 7 月 24 日

I've been using cancancan for a long time now and it was always working great. I've recently started working on a project where Punditis used for authorization.

我已经使用 cancancan 很长时间了，它总是很好用。我最近开始从事一个使用Pundit进行授权的项目。

It is awesome. It prompts you to define the policy for each resource and it feels more natural than one bloated Ability class.

太棒了。它提示你为每个资源定义策略，感觉比一个臃肿的能力类更自然。

For bigger projects, I would definitely recommend Pundit.

对于更大的项目，我肯定会推荐 Pundit。

To control access to actions I'd recommend Action Access, it boils down to this:

为了控制对操作的访问，我推荐Action Access，它归结为：

class UsersController < ApplicationController
  let :admin, :all
  let :user, [:index, :show]

  # ...
end

This will automatically lock the controller, allowing admins to access every action, users only to show or index users and anyone else will be rejected and redirected with an alert.

这将自动锁定控制器，允许管理员访问每个操作，用户只能显示或索引用户，其他任何人都将被拒绝并通过警报重定向。

If you need more control, you can use not_authorized!inside actions to check and reject access.

如果您需要更多控制，您可以使用not_authorized!内部操作来检查和拒绝访问。

It's completely independentof the authentication system and it can work without Usermodels or predefined roles. All you need is to set the clearance level for the current request:

它完全独立于身份验证系统，无需User模型或预定义角色即可工作。您只需要为当前请求设置许可级别：

class ApplicationController < ActionController::Base
  def current_clearance_level
    session[:role] || :guest
  end
end

You can return whatever you app needs here, like current_user.rolefor example.

您可以在此处返回应用程序需要的任何内容，current_user.role例如。

Although it isn't required, it bundles a set of handy model additions that allow to do things like:

虽然它不是必需的，但它捆绑了一组方便的模型添加，允许执行以下操作：

<% if current_user.can? :edit, :team %>
  <%= link_to 'Edit team', edit_team_path(@team) %>
<% end %>

Here :teamrefers to TeamsController, so the link will only be displayed if the current user is authorized to access the editaction in TeamsController. It also supports namespaces.

这里:team指的是TeamsController，因此只有当前用户被授权访问 中的edit操作时才会显示链接TeamsController。它还支持命名空间。

You can lock controllers by default, customize the redirection path and the alert message, etc.

您可以默认锁定控制器，自定义重定向路径和警报消息等。

It's very straightforward and easy, I hope you find it useful.

它非常简单明了，我希望你觉得它有用。

Something that was suggested to me that we are now using is the petergategem. Easy to use and very clean looking with a great rails feel.

有人向我建议我们现在正在使用的东西是petergategem。易于使用，外观非常干净，具有很好的导轨感觉。

Works well with devise.

与设计配合良好。

Here is some examples from the readme.

以下是自述文件中的一些示例。

If you're using devise you're in luck, otherwise you'll have to add following methods to your project:

如果您使用的是 devise，那么您很幸运，否则您必须将以下方法添加到您的项目中：

user_signed_in?
current_user
after_sign_in_path_for(current_user)
authenticate_user! 

This comes in your User.rb. Adding more roles is as easy as adding them to the array.

这在您的 User.rb 中。添加更多角色就像将它们添加到数组一样简单。

petergate(roles: [:admin, :editor], multiple: false)

Instance Methods

实例方法

user.role => :editor
user.roles => [:editor, :user]
user.roles=(v) #sets roles
user.available_roles => [:admin, :editor]
user.has_roles?(:admin, :editors) # returns true if user is any of roles passed in as params.

Controller access syntax.

控制器访问语法。

access all: [:show, :index], user: {except: [:destroy]}, company_admin: :all