Pundit 范围界定,如何让成员只能看到他们的帖子?
Pundit scoping, how to make a member only see their posts?
我正在为我的学校作业授权,这是一个 Reddit 克隆。我刚刚被介绍给 Pundit Gem 以对用户角色进行授权,即管理员、版主、成员和访客。
我必须这样做:
Admins and Moderators should see all posts, members should only see their own posts, and guests should see no posts.
Sign in as a normal user, and you should only see the posts you've created.
application_policy.rb
class ApplicationPolicy
attr_reader :user, :record
def initialize(user, record)
@user = user
@record = record
end
def index?
false
end
def show?
scope.where(:id => record.id).exists?
end
def create?
# Checks if user exists and is logged in
user.present?
end
def new?
create?
end
def update?
# Checks if user is logged in, the owner or admin
user.present? && (record.user == user || user.admin?)
end
def edit?
update?
end
def destroy?
update?
end
def scope
record.class
end
end
这是我正在做的事情:
这将检查用户是否在场,以及用户是否是版主或管理员,并且只授予他们查看帖子的权限。就像说明状态一样工作。
post_policy.rb
class PostPolicy < ApplicationPolicy
def index?
user.present? && (user.moderator? || user.admin?)
end
end
现在,如果我回头看看我的 application_policy.rb,我会在这里看到这一行,“检查用户是否登录、所有者或管理员”:
user.preset? && (record.user == user || user.admin?)
如果我尝试将此添加到我的索引授权中?我会继续得到一个
"NoMethodError in PostsController#index"
class PostPolicy < ApplicationPolicy
def index?
user.present? && (user.moderator? || user.admin? || record.user == user)
end
end
谢谢。
使用范围:https://github.com/elabs/pundit#scopes
在您的情况下 PostPolicy.rb 应该如下所示:
class PostPolicy < ApplicationPolicy
def index?
true
end
class Scope
attr_reader :user, :scope
def initialize(user, scope)
@user = user
@scope = scope
end
def resolve
if user.admin? || user.moderator?
scope.all
else
scope.where(user: user)
end
end
end
end
我正在为我的学校作业授权,这是一个 Reddit 克隆。我刚刚被介绍给 Pundit Gem 以对用户角色进行授权,即管理员、版主、成员和访客。
我必须这样做:
Admins and Moderators should see all posts, members should only see their own posts, and guests should see no posts.
Sign in as a normal user, and you should only see the posts you've created.
application_policy.rb
class ApplicationPolicy
attr_reader :user, :record
def initialize(user, record)
@user = user
@record = record
end
def index?
false
end
def show?
scope.where(:id => record.id).exists?
end
def create?
# Checks if user exists and is logged in
user.present?
end
def new?
create?
end
def update?
# Checks if user is logged in, the owner or admin
user.present? && (record.user == user || user.admin?)
end
def edit?
update?
end
def destroy?
update?
end
def scope
record.class
end
end
这是我正在做的事情:
这将检查用户是否在场,以及用户是否是版主或管理员,并且只授予他们查看帖子的权限。就像说明状态一样工作。
post_policy.rb
class PostPolicy < ApplicationPolicy
def index?
user.present? && (user.moderator? || user.admin?)
end
end
现在,如果我回头看看我的 application_policy.rb,我会在这里看到这一行,“检查用户是否登录、所有者或管理员”:
user.preset? && (record.user == user || user.admin?)
如果我尝试将此添加到我的索引授权中?我会继续得到一个
"NoMethodError in PostsController#index"
class PostPolicy < ApplicationPolicy
def index?
user.present? && (user.moderator? || user.admin? || record.user == user)
end
end
谢谢。
使用范围:https://github.com/elabs/pundit#scopes
在您的情况下 PostPolicy.rb 应该如下所示:
class PostPolicy < ApplicationPolicy
def index?
true
end
class Scope
attr_reader :user, :scope
def initialize(user, scope)
@user = user
@scope = scope
end
def resolve
if user.admin? || user.moderator?
scope.all
else
scope.where(user: user)
end
end
end
end