[英]At the controller level, how to prevent an anonymous user from posting?
The following is a standard posts#create
action ( app/controllers/posts_controller.rb
). 以下是标准的posts#create
操作( app/controllers/posts_controller.rb
)。
At the controller level, I want to prevent an anonymous user (a user who is not signed in) from being able to save a post. 在控制器级别,我想阻止匿名用户(未登录的用户)保存帖子。 As a secondary objective, I don't even want to execute the Post.new
line if the user is not signed in. I want to know what is the best practice for accomplishing this. 作为次要目标,如果用户Post.new
,我什至不想执行Post.new
行。我想知道实现此目的的最佳实践是什么。
Also, as a side note, I am unsure of how to write the json
portion of the response. 另外,作为旁注,我不确定如何编写响应的json
部分。 If I am redirecting with an alert message in the HTML
context, what would be a good thing to respond with in JSON
world? 如果我在HTML
上下文中使用警告消息进行重定向,那么在JSON
世界中做出响应是一件好事吗?
def create
@posting = Post.new(posting_params)
respond_to do |format|
if @posting.save
format.html { redirect_to @posting, notice: 'Post was successfully created.' }
format.json { render action: 'show', status: :created, location: @posting }
else
format.html { render action: 'new' }
format.json { render json: @posting.errors, status: :unprocessable_entity }
end
end
end
For the time being I have the following line in my code, above the Post.new
line: 目前,我在代码中的Post.new
行上方有Post.new
行:
redirect_to home_path, warning: 'You must be logged in to post.' and return unless user_signed_in?
I suppose another option is something like the following, placed above the if @posting.save
line. 我想另一个选项如下所示,放在if @posting.save
行上方 。 But really, I am looking to see what other folks would do. 但实际上,我希望看到其他人会做什么。
unless user_signed_in?
format.html { redirect_to home_path, alert: 'You must be logged in to post.' and return }
format.json { render json: .....not sure what to put here..... }
end
Your advice is greatly appreciated. 非常感谢您的建议。
更好的做法是在使用filter并提及行动列表之前使用以下代码:
before_filter :require_login, :only => [:new, :create]
A before_filter
is good for this sort of thing: before_filter
对这种情况有好处:
before_filter :confirm_user_signed_in, only: [:new, :create]
def confirm_user_signed_in
unless user_signed_in?
respond_to do |format|
format.html { redirect_to home_path, alert: 'You must be logged in to post.' and return }
format.json { render json: .....not sure what to put here..... }
end
end
end
As far as what to render in the JSON scenario, you can render nothing at all, but with a 403 (Forbidden) status. 至于在JSON场景中要呈现的内容,您完全无法呈现任何东西,但是状态为403(禁止)。 You can optionally include some data explaining why the 403 occurred, but there's no standard for how that data will be displayed. 您可以选择包括一些解释403发生原因的数据,但是对于如何显示该数据没有标准。 Some frameworks (Backbone, I think) will look for a hash containing an errors
key, which can be set to the reason. 一些框架(Backbone,我认为)将查找包含errors
键的哈希,可以将其设置为原因。
Something like: 就像是:
format.json { render json: { errors: ["Login required."] }, status: 403 }
Try using the cancan gem. 尝试使用cancan宝石。 You can not only prevent the unwanted user from posting, also you can do various other permissions, which do not bloat the controller. 您不仅可以阻止有害用户发帖,还可以执行其他各种权限,而这些操作不会使控制器肿。 These permissions are defined by you in a separate file called ability.rb. 这些权限是由您在一个名为capability.rb的单独文件中定义的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.