
Rails Gem Pundit isn't blocking users properly

The user I am currently logged in as is not an admin, but when I hit the new action of the posts controller I can see it. Why is that? How do I use Pundit correctly?

From the Rails console: 2.1.2 :011 > u.admin? => false

post_policy.rb:

class PostPolicy < ApplicationPolicy
  # The reader was declared as :model while the ivar was set as @post;
  # the two now agree so that `post` is usable from the policy methods.
  attr_reader :current_user, :post

  def initialize(current_user, post)
    @current_user = current_user
    @post = post
  end

  # Reading a post depends on the record, not the user
  def show?
    @post.public?
  end

  # Writing actions are admin-only
  def new?
    @current_user.admin?
  end

  def create?
    @current_user.admin?
  end

  def edit?
    @current_user.admin?
  end

  def update?
    @current_user.admin?
  end

  def destroy?
    @current_user.admin?
  end
end

posts_controller.rb:

class PostsController < ApplicationController
  before_action :set_post, only: [:show, :edit, :update, :destroy]

  # GET /posts
  # GET /posts.json
  def index
    @posts = Post.all
  end

  # GET /posts/1
  # GET /posts/1.json
  def show
  end

  # GET /posts/new
  def new
    @post = Post.new
  end

  # GET /posts/1/edit
  def edit
  end

  # POST /posts
  # POST /posts.json
  def create
    @post = Post.new(post_params)

    respond_to do |format|
      if @post.save
        format.html { redirect_to @post, notice: 'Post was successfully created.' }
        format.json { render :show, status: :created, location: @post }
      else
        format.html { render :new }
        format.json { render json: @post.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /posts/1
  # PATCH/PUT /posts/1.json
  def update
    respond_to do |format|
      if @post.update(post_params)
        format.html { redirect_to @post, notice: 'Post was successfully updated.' }
        format.json { render :show, status: :ok, location: @post }
      else
        format.html { render :edit }
        format.json { render json: @post.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /posts/1
  # DELETE /posts/1.json
  def destroy
    @post.destroy
    respond_to do |format|
      format.html { redirect_to posts_url, notice: 'Post was successfully destroyed.' }
      format.json { head :no_content }
    end
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_post
      @post = Post.find(params[:id])
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    def post_params
      params.require(:post).permit(:visible_title, :html_title, :meta_description, :meta_keywords, :url_slug, :partial_name, :author, :post_date, :public, :category, :tags)
    end
end

posts/show.html.erb:

The standard file that prints out the post's contents.

You have created a policy file that defines which user may perform which action.

However, you never call authorize anywhere.

def new
  @post = Post.new
  authorize @post
end

will run the authorization for the post object with the current user and ask whether new is allowed.

The official README explains this in detail.
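To make the answer's point concrete without Rails or the pundit gem installed, the following is an added example (not the original post's code and not the gem itself). MiniPundit is a stand-in that mirrors the Pundit conventions the answer relies on: authorize(record) looks up "#{record.class}Policy", calls "#{action_name}?" on it and raises NotAuthorizedError when it returns false, and verify_authorized is the guard Pundit provides as an after_action so an action that never called authorize fails loudly instead of silently letting everyone through. User, Post and PostPolicy are cut down from the question; PostsController is a plain Ruby object, and the run helper, the verify: flag and the outcome function are assumptions made here for the demonstration.

```ruby
# Added example: a minimal stand-in for the Pundit behaviour discussed above,
# not the pundit gem and not the original post's code.
module MiniPundit
  class NotAuthorizedError < StandardError; end
  class AuthorizationNotPerformedError < StandardError; end

  # Policy lookup by naming convention: Post -> PostPolicy.
  def self.policy!(user, record)
    Object.const_get("#{record.class}Policy").new(user, record)
  end

  # Same shape as Pundit's controller helper: query defaults to "#{action_name}?".
  def authorize(record, query = nil)
    query ||= "#{action_name}?"
    @_policy_authorized = true
    policy = MiniPundit.policy!(current_user, record)
    unless policy.public_send(query)
      raise NotAuthorizedError, "#{current_user.name} may not #{query} #{record.class}"
    end
    record
  end

  # The after_action guard: fails if the action never consulted a policy.
  def verify_authorized
    raise AuthorizationNotPerformedError, "#{action_name} never called authorize" unless @_policy_authorized
  end
end

User = Struct.new(:name, :admin) do
  def admin?
    admin
  end
end

Post = Struct.new(:title, :visible) do
  def public?
    visible
  end
end

# The question's policy, reduced to the two queries exercised below.
class PostPolicy
  attr_reader :current_user, :post

  def initialize(current_user, post)
    @current_user = current_user
    @post = post
  end

  def show?
    post.public?
  end

  def new?
    current_user.admin?
  end
end

# Plain object standing in for a Rails controller (assumed shape).
class PostsController
  include MiniPundit
  attr_reader :current_user, :action_name

  # verify: whether the after_action :verify_authorized guard is installed
  def initialize(current_user, verify: true)
    @current_user = current_user
    @verify = verify
  end

  # As in the question: the policy exists but is never consulted.
  def new_without_authorize
    run(:new) { Post.new("draft", false) }
  end

  # The fix from the answer: authorize the record, which asks PostPolicy#new?.
  def new_with_authorize
    run(:new) { authorize Post.new("draft", false) }
  end

  # show? depends on the record: a hidden post is denied even to an admin.
  def show_hidden
    run(:show) { authorize Post.new("secret", false) }
  end

  private

  # Simulates one request: set action_name, run the body, then apply the guard.
  def run(action)
    @action_name = action.to_s
    @_policy_authorized = false
    result = yield
    verify_authorized if @verify
    result
  end
end

# Maps the three possible results to symbols (helper assumed for this example).
def outcome(user, action, verify: true)
  PostsController.new(user, verify: verify).public_send(action)
  :allowed
rescue MiniPundit::NotAuthorizedError
  :denied
rescue MiniPundit::AuthorizationNotPerformedError
  :unchecked
end

if __FILE__ == $PROGRAM_NAME
  reader = User.new("bob", false)
  puts outcome(reader, :new_without_authorize, verify: false) # :allowed  (the bug)
  puts outcome(reader, :new_without_authorize)                # :unchecked (guard catches it)
  puts outcome(reader, :new_with_authorize)                   # :denied
end
```

The first call reproduces the question: with no authorize and no guard, a non-admin reaches new even though PostPolicy#new? would have refused. Adding after_action :verify_authorized turns that omission into an error, and calling authorize in the action gives the intended deny.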

Disclaimer: the technical posts on this site follow the CC BY-SA 4.0 licence; if you reproduce them, please cite this site's URL or the original address. Questions: yoyou2525@163.com.

粵ICP備18138465號  © 2020-2024 STACKOOM.COM