[英]How can I block url adress in Devise (Ruby on Rails)
I blocked display links on the show page: 我屏蔽了显示页面上的显示链接:
<% if @post.user == current_user %>
links
<%end%>
but I can't block url adress for unprivileged users: 但我不能阻止非特权用户的网址:
http://localhost:3000/posts/1/edit
What can I do? 我能做什么?
It's good possibility to use Pundit gem ( https://github.com/elabs/pundit ). 使用Pundit gem( https://github.com/elabs/pundit )的可能性很大。 Your policy will look:
您的政策如下:
class PostPolicy
attr_reader :user, :post
def initialize(user, post)
@user = user
@post = post
end
def edit?
post.user == user
end
end
And your controller's action: 而您的控制器的动作:
def edit
@post = Post.find_by(id: params[:id])
authorize @post
...
end
Within the edit action on your controller, perform the same check - something like: 在控制器上的edit动作中,执行相同的检查-类似于:
@post = Post.find_by( id: params[:id] )
unless @post.user == current_user
fail(ActionController::RoutingError, 'User cannot edit this post.')
end
You can simplify the error check into: 您可以将错误检查简化为:
fail(ActionController::RoutingError, 'User cannot edit this post.') unless @post.user == current_user
I hope this helps! 我希望这有帮助!
I guess the best way to do this is to use before_filter
in your posts controller, ie: 我想最好的方法是在posts控制器中使用
before_filter
,即:
before_action :authorize_admin, only: [:show, :edit, :update, :destroy]
or: 要么:
before_filter :authorize_admin, except: [:show]
where :authorize_admin
is the method that You have to define either in posts controller (to use for posts only) or in application controller (to use in all controllers), like this: 其中
:authorize_admin
是您必须在posts控制器(仅用于帖子)或应用程序控制器(在所有控制器中使用)中定义的方法,如下所示:
def authorize_admin
redirect_to :new_user_session unless current_user&¤t_user.admin?
end
What you're looking for is something called authorization 您正在寻找的是所谓的授权
Authentication = finding out if a user is present
身份验证 =查找用户是否存在
Authorization = determining if they are able to perform specific requests
授权 =确定他们是否能够执行特定请求
The answer by Sergei Stralenia
is correct - you'll need to use one of the authorization gems -- Pundit and CanCanCan being two of the most popular -- to validate whether a user is able to edit a particular object. 通过回答
Sergei Stralenia
是正确的-你需要使用授权的宝石之一- 权威人士和CanCanCan是两个最流行的-以验证用户是否能够编辑特定对象。
In regard the routing, you'll not be able to remove the edit
route, unless you separate it out into something like an admin
namespace (I'll explain more in a second). 关于路由,除非将其分离成类似
admin
名称空间的内容,否则将无法删除该edit
路由(稍后再解释)。
-- -
Sergei Stralenia
's post showed you how to use Pundit
, I'll show you CanCanCan
: Sergei Stralenia
的帖子向您展示了如何使用Pundit
,我将向您展示CanCanCan
:
#app/models/ability.rb
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.admin?
can :manage, Post
else
can :read, Post
end
end
end
#app/controllers/posts_controller.rb
class PostsController < ApplicationController
def edit
@article = Post.find params[:id]
authorize! :edit, @article
end
end
Admin 管理员
If you wanted to make a post only editable in an "admin" area, you'd be best using something like the following: 如果您想使帖子只能在“管理员”区域中进行编辑,则最好使用以下内容:
#config/routes.rb
resources :posts, only: [:index, :show]
namespace :admin do
resources :posts, only: [:new, :create, :edit, :update, :destroy]
end
This way, you will literally have no way for a non-admin user to edit/update posts in the front-end. 这样,非管理员用户实际上将无法编辑/更新前端中的帖子。 Instead, they'll have to go into the
admin
area and make it so that they are able to edit it in there... 相反,他们将必须进入
admin
区域并进行设置,以便能够在其中进行编辑...
#app/controllers/admin/posts_controller.rb
class Admin::PostsController < ApplicationController
#actions & authorization in here
end
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.