Appropriate use of Authority in rails app

I'm following the Michael Hartl RoR tutorial, but implementing Rollify and Authority along the way. I've never used Authority before and I am wondering if the following before_action is appropriate for Authority use:

# app/controllers/users_controller.rb 
class UsersController < ApplicationController
  before_action :logged_in_user, only: [:edit, :update]
  .
  .
  .
  private

    def user_params
      params.require(:user).permit(:name, :email, :password,
                                   :password_confirmation)
    end

    # Before filters

    # Confirms a logged-in user.
    def logged_in_user
      unless logged_in?
        flash[:danger] = "Please log in."
        redirect_to login_url
      end
    end
end

Would it be "good programming practice" to put the def logged_in_user inside of the ApplicationAuthorizer class for future use?

Would it be "good programming practice" to put logged_in_user inside ApplicationAuthorizer?

No.

There is a difference between Authentication and Authorization:

  • Authentication -- user logged in?
  • Authorization -- can user do this?

The difference is subtle but important - you'd expect authentication to happen before authorization, or at least independently.

A good analogy is authentication is when you get access to a secret party (password); authorization is which table you're able to sit at.

If you used one of the pre-rolled authentication systems (Devise or Sorcery), you'd have your authentication handled, providing you with such helpers as user_signed_in? etc.


To answer your question, your current pattern will suffice, considering you've rolled your own authentication.

If you were using Devise, you'd want to use the following:

#config/routes.rb
authenticate :user do
  resource :profile, controller: :users, only: [:show, :update] #-> url.com/profile
end

#app/controllers/users_controller.rb
class UsersController < ApplicationController
  def show
    @user = current_user
  end

  def update
    @user = current_user
    # update returns true/false, so it must not be assigned to @user
    @user.update update_params
  end

  private

  # Same strong-parameters whitelist as user_params in the question
  def update_params
    params.require(:user).permit(:name, :email, :password, :password_confirmation)
  end
end

---

What you're trying to do is evaluate the @user.id against current_user.id:

#app/models/user.rb
class User < ActiveRecord::Base
  include Authority::UserAbilities # gives current_user.can_update?(@user) etc.
  include Authority::Abilities     # gives @user.authorizer (UserAuthorizer below)
end

#app/controllers/users_controller.rb
class UsersController < ApplicationController
  before_action :logged_in_user, only: [:edit, :update]

  # :edit is not one of Authority's default abilities (create/read/update/delete);
  # add edit: 'editable' to config.abilities in config/initializers/authority.rb
  def edit
    @user = User.find params[:id]
    redirect_to root_path, notice: "Can't edit this user" unless current_user.can_edit?(@user)
  end

  def update
    @user = User.find params[:id]
    if current_user.can_update?(@user)
      @user.update ...
    else
      # redirect
    end
  end

  private

  def logged_in_user
    # :alert is a default flash type for redirect_to; :error is not and would be dropped
    redirect_to login_url, alert: "Please log in." unless logged_in?
  end
end

# app/authorizers/user_authorizer.rb
class UserAuthorizer < ApplicationAuthorizer
  # Instance-level methods see `resource` (the User being edited); class-level
  # self.editable_by? has no resource to compare against. Use ==, not = (assignment).
  def editable_by?(user)
    resource.id == user.id
  end

  def updatable_by?(user)
    resource.id == user.id
  end
end
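The following is an added example, not part of the original question or answer and not the Authority gem's own code: a dependency-free Ruby model of the "authenticate first, then authorize" chain the answer describes, shaped like Authority's API (can_<verb>? on the acting user, <adjective>_by?(user) on an authorizer wrapping the resource). The class names mirror the post; the ABILITIES table, the UsersController stand-in, the Result struct and with_authorizer are constructed for this example. It also carries the posted `user.id = self.id` predicate alongside the corrected `==` form to show what the assignment actually grants.

```ruby
# Added example, not code from the original post or the Authority gem: a dependency-free
# model of the "authenticate first, then authorize" chain the answer describes, shaped
# like Authority's API (can_<verb>? on the acting user, <adjective>_by?(user) on an
# authorizer wrapping the resource). Class names mirror the post; the gem is not loaded.

# Ability -> adjective mapping in the style of Authority's config.abilities.
# create/read/update/delete are Authority's defaults; :edit is added because the
# post calls can_edit? / editable_by?.
ABILITIES = {
  create: "creatable", read: "readable", update: "updatable",
  delete: "deletable", edit: "editable"
}.freeze

# Stand-in for Authority::UserAbilities: can_update?(resource) -> resource.authorizer.updatable_by?(self)
module UserAbilities
  ABILITIES.each do |verb, adjective|
    define_method("can_#{verb}?") do |resource|
      resource.authorizer.public_send("#{adjective}_by?", self)
    end
  end
end

# Stand-in for ApplicationAuthorizer: every ability is denied until a subclass opens it.
class ApplicationAuthorizer
  attr_reader :resource

  def initialize(resource)
    @resource = resource
  end

  ABILITIES.each_value do |adjective|
    define_method("#{adjective}_by?") { |_user| false }
  end
end

# Corrected form of the post's authorizer: a user may edit or update only itself.
class UserAuthorizer < ApplicationAuthorizer
  def editable_by?(user)
    resource.id == user.id
  end

  def updatable_by?(user)
    resource.id == user.id
  end
end

# The defect as posted: `=` assigns instead of comparing, so the predicate returns
# the assigned id (truthy) for every caller and also overwrites the actor's id.
class BuggyUserAuthorizer < ApplicationAuthorizer
  def updatable_by?(user)
    user.id = resource.id
  end
end

class User
  include UserAbilities
  attr_accessor :id, :name

  class << self
    attr_accessor :authorizer_class
  end
  self.authorizer_class = UserAuthorizer

  def initialize(id, name)
    @id, @name = id, name
  end

  # Stand-in for Authority::Abilities#authorizer on the resource side.
  def authorizer
    self.class.authorizer_class.new(self)
  end
end

# Controller stand-in: authentication (before_action :logged_in_user) runs first,
# then the action's own authorization check, as in the post.
class UsersController
  Result = Struct.new(:status, :message)

  def initialize(current_user)
    @current_user = current_user
  end

  def update(target)
    return Result.new(:redirect_login, "Please log in.") if @current_user.nil?
    unless @current_user.can_update?(target)
      return Result.new(:redirect_root, "Can't edit this user")
    end
    Result.new(:ok, "user #{target.id} updated by user #{@current_user.id}")
  end
end

# Swap the authorizer for one block, restoring it afterwards (used to exercise the bug).
def with_authorizer(klass)
  previous = User.authorizer_class
  User.authorizer_class = klass
  yield
ensure
  User.authorizer_class = previous
end
```

With UserAuthorizer in place, an anonymous request is redirected to login before any authorizer runs, another user is redirected to root, and only the owner proceeds. Under BuggyUserAuthorizer the same foreign user's update succeeds, and the assignment has rewritten that user's id to the target's, which is why the posted predicate is an authorization bypass rather than a typo.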

Notice: the technical posts on this site are distributed under the CC BY-SA 4.0 license; if you repost them, please credit this site's URL or the original source. For any questions contact: yoyou2525@163.com.

Guangdong ICP registration 18138465  © 2020-2024 STACKOOM.COM