如何使用URL中的令牌限制对控制器的一个操作的访问 - Rails 3?
[英]How do I restrict access to one action of a controller using a token in the URL - Rails 3?
问题描述
I setup my controller to allow exceptions in the filter for a specific token in the URL. 
我设置我的控制器以允许过滤器中的例外URL中的特定标记。
For all intents and purposes of this demo the token is the character 'a'. 对于此演示的所有意图和目的,令牌是字符'a'。
But now, when I go to the URL for that action, eg stage/7/compare and am not logged in, I can see it....how do I set i up so that if the token param isn't in the URL, it sends the user to login, but if it is allows them to see it without logging in (eg stages/7/compare?token=a ) ? 但是现在,当我转到该动作的URL时,例如stage / 7 / compare并且我没有登录,我可以看到它....我如何设置我以便如果令牌参数不在URL,它将用户发送到登录,但是如果它允许他们在没有登录的情况下看到它(例如stages/7/compare?token=a )?
This is what my Stages Controller looks like: 这就是我的阶段控制器的样子:
class StagesController < ApplicationController
before_filter :check_token, :only => [:show]
before_filter :authenticate_user!, :except => [:compare]
filter_access_to :all
def show
@stage = Stage.find(params[:id])
render :layout => 'comparison'
title = @stage.name
#@upload = Upload.find(params[:id])
# respond_to do |format|
# format.html # show.html.erb
# format.xml { render :xml => @stage }
# end
end
def compare
@stage = Stage.find(params[:id])
title = @stage.name
end
private
def check_token
stage = Stage.find(params[:id])
redirect_to(params[:token] == "a" ? compare_stage_path(stage) : root_path)
end
end
Edit1: If I change the :check_token to :only [:compare] this is what my log does: Edit1:如果我将:check_token to :only [:compare]更改:check_token to :only [:compare]这就是我的日志所做的:
Started GET "/stages/7/compare" for 127.0.0.1 at 2011-03-30 18:45:05 -0500
Processing by StagesController#compare as HTML
Parameters: {"id"=>"7"}
User Load (1.9ms) SELECT "users".* FROM "users" WHERE ("users"."id" = 1) LIMIT 1
#<User id: 1, email: "test@abc.com", encrypted_password: "$2a$10$qUbNGm6lZ366jRiE0vK0gOpxbGXD5JmfqWmH1lfLlCEC...", password_salt: "$2a$10$qUbNGm6lZ366jRiE0vK0gO", reset_password_token: nil, remember_token: nil, remember_created_at: nil, sign_in_count: 251, current_sign_in_at: "2011-03-30 23:28:18", last_sign_in_at: "2011-03-30 21:57:13", current_sign_in_ip: "127.0.0.1", last_sign_in_ip: "127.0.0.1", username: "test", f_name: "Test", l_name: "User", created_at: "2011-01-22 07:17:45", updated_at: "2011-03-30 23:28:18", invitation_token: nil, invitation_sent_at: nil, plan_id: 3, current_state: nil, confirmation_token: nil, confirmed_at: "2011-02-11 23:19:15", confirmation_sent_at: "2011-02-11 23:18:20">
Stage Load (0.3ms) SELECT "stages".* FROM "stages" WHERE ("stages"."id" = 7) LIMIT 1
Redirected to http://localhost:3000/
Completed 302 Found in 190ms
ie it redirects to my root_path. 即它重定向到我的root_path。
2 个解决方案
解决方案1
2 2011-03-30 22:52:10
您的问题询问您的compare操作,但您的before_filter设置为仅对show动作进行操作。
before_filter :check_token, :only => [:compare]
解决方案2
0 已采纳 2011-03-31 07:24:46
This code fixes the issue: 此代码修复了此问题:
class StagesController < ApplicationController
before_filter :check_token_or_user, :only => :compare
before_filter :authenticate_user!, :only => :show
def show
@stage = Stage.find(params[:id])
render :layout => 'comparison'
end
def compare
@stage = Stage.find(params[:id])
end
private
def check_token_or_user
if !user_signed_in && params[:token].blank?
redirect_or_someting
elsif !user.signed_in && params[:token].present? && params[:token] == "a"
# do nothing, they can view the page
elsif user_signed_in?
# do nothing, they can view the page
end
end
end
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.