在控制器级别,如何防止匿名用户发帖?
[英]At the controller level, how to prevent an anonymous user from posting?
问题描述
The following is a standard posts#create action ( app/controllers/posts_controller.rb ). 
以下是标准的posts#create操作( app/controllers/posts_controller.rb )。
At the controller level, I want to prevent an anonymous user (a user who is not signed in) from being able to save a post. 在控制器级别,我想阻止匿名用户(未登录的用户)保存帖子。 As a secondary objective, I don't even want to execute the Post.new line if the user is not signed in. I want to know what is the best practice for accomplishing this. 作为次要目标,如果用户Post.new ,我什至不想执行Post.new行。我想知道实现此目的的最佳实践是什么。
Also, as a side note, I am unsure of how to write the json portion of the response. 另外,作为旁注,我不确定如何编写响应的json部分。 If I am redirecting with an alert message in the HTML context, what would be a good thing to respond with in JSON world? 如果我在HTML上下文中使用警告消息进行重定向,那么在JSON世界中做出响应是一件好事吗?
def create
@posting = Post.new(posting_params)
respond_to do |format|
if @posting.save
format.html { redirect_to @posting, notice: 'Post was successfully created.' }
format.json { render action: 'show', status: :created, location: @posting }
else
format.html { render action: 'new' }
format.json { render json: @posting.errors, status: :unprocessable_entity }
end
end
end
For the time being I have the following line in my code, above the Post.new line: 目前,我在代码中的Post.new行上方有Post.new行:
redirect_to home_path, warning: 'You must be logged in to post.' and return unless user_signed_in?
I suppose another option is something like the following, placed above the if @posting.save line. 我想另一个选项如下所示,放在if @posting.save行上方 。 But really, I am looking to see what other folks would do. 但实际上,我希望看到其他人会做什么。
unless user_signed_in?
format.html { redirect_to home_path, alert: 'You must be logged in to post.' and return }
format.json { render json: .....not sure what to put here..... }
end
Your advice is greatly appreciated. 非常感谢您的建议。
3 个解决方案
解决方案1
1 2013-11-01 05:14:28
更好的做法是在使用filter并提及行动列表之前使用以下代码:
before_filter :require_login, :only => [:new, :create]
解决方案2
1 已采纳 2013-11-01 05:14:57
A before_filter is good for this sort of thing: before_filter对这种情况有好处:
before_filter :confirm_user_signed_in, only: [:new, :create]
def confirm_user_signed_in
unless user_signed_in?
respond_to do |format|
format.html { redirect_to home_path, alert: 'You must be logged in to post.' and return }
format.json { render json: .....not sure what to put here..... }
end
end
end
As far as what to render in the JSON scenario, you can render nothing at all, but with a 403 (Forbidden) status. 至于在JSON场景中要呈现的内容,您完全无法呈现任何东西,但是状态为403(禁止)。 You can optionally include some data explaining why the 403 occurred, but there's no standard for how that data will be displayed. 您可以选择包括一些解释403发生原因的数据,但是对于如何显示该数据没有标准。 Some frameworks (Backbone, I think) will look for a hash containing an errors key, which can be set to the reason. 一些框架(Backbone,我认为)将查找包含errors键的哈希,可以将其设置为原因。
Something like: 就像是:
format.json { render json: { errors: ["Login required."] }, status: 403 }
解决方案3
1 2013-11-01 05:20:31
Try using the cancan gem. 尝试使用cancan宝石。 You can not only prevent the unwanted user from posting, also you can do various other permissions, which do not bloat the controller. 您不仅可以阻止有害用户发帖,还可以执行其他各种权限,而这些操作不会使控制器肿。 These permissions are defined by you in a separate file called ability.rb. 这些权限是由您在一个名为capability.rb的单独文件中定义的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.