每个用户的最佳参数的最佳做法?
[英]Best practice for per-user strong parameters?
问题描述
I have an application with an Order model, connected to a Purchaser and a Supplier . 
我有一个具有Order模型的应用程序,已连接到Purchaser和Supplier 。 The application is designed to limit who can create/update/destroy orders depending on their affiliation with these companies. 该应用程序旨在限制谁可以创建/更新/销毁订单,具体取决于他们与这些公司的隶属关系。 (For instance, a member of a purchaser can create an order, but a member of a supplier cannot.) (例如,购买者的成员可以创建订单,而供应商的成员则不能。)
I am enforcing these authorization rules at the controller level via strong parameters. 我通过强大的参数在控制器级别强制执行这些授权规则。 My reasoning is twofold: 我的推理是双重的:
- deferring them to a
before_savecallback (or other model logic) would remove parameter screening from the controller (where it belongs);将它们推迟到before_save回调(或其他模型逻辑)会从控制器(它所属的位置)中删除参数筛选; and和 - even then, I'd have to pass additional information (namely, user identity) from the controller to the models to get it done, and that would lead to more tightly coupled classes. 即使那样,我也必须将其他信息(即用户身份)从控制器传递到模型才能完成,这将导致类之间的耦合更加紧密。
Currently, my strong param logic looks like this: 目前,我强大的参数逻辑如下所示:
def create_order_params
params.require(:order).permit(:supplier_id, :purchaser_id, :notes)
.merge({ placed_by: current_user })
end
def update_order_params
params.require(:order).permit().tap do |p|
p.merge!({ accepted_by: current_user }) if params.dig(:order, :accepted)
if current_user.belongs_to?(@order.supplier)
p.merge!(params[:order].permit(:discount, :discount_type))
end
if current_user.belongs_to?(@order.purchaser) && !@order.confirmed?
p.merge!(params[:order].permit(:notes))
end
end
end
I think it's terribly unreadable. 我认为这是非常难以理解的。 Is there a cleaner (or widely accepted) pattern for applying some authorization logic to strong parameters? 是否存在用于将一些授权逻辑应用于强参数的更简洁(或广为接受)的模式? Alternately, is this the wrong abstraction? 或者,这是错误的抽象吗? Should I defer this authorization to the model after all? 我是否应该将此授权推迟到模型上?
1 个解决方案
解决方案1
1 2017-08-09 15:10:42
Since each type [Purchasers or Suppliers] has some authorities [or functions to do] and it is the only one who is authorized for such actions, then I suggest you place each type of tasks as a method in either the [Purchasers or Suppliers] classes depending on which one has to do this method or task. 由于每种类型的[采购员或供应商]都有一些权限[或要执行的职能],并且是唯一有权执行此类操作的人,因此,我建议您将每种类型的任务作为一种方法放置在[采购员或供应商]中类取决于哪个必须执行此方法或任务。
For example : 例如 :
Since the Purchasers are only the ones who creates an Order so it would be reasonable to put a create order method in the Purchaser class, so that each object has its responsibilities it needs to carry, and these methods can not be carried or accessed by any other entities since they do not have these methods encapsulated in them. 由于购买者只是创建订单的人,因此在购买者类中放置一个创建订购方法是合理的,这样每个对象都有其需要承担的职责,并且任何人都不能携带或访问这些方法。其他实体,因为它们没有封装这些方法。
Thinking in an object oriented approach, and considering the 'single responsibility principle' , will lead you to having a better organizing and making the code more clean. 以面向对象的方式进行思考,并考虑“单一责任原则”,将使您更好地组织代码并使代码更清晰。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.