Rails 5.2:授权访问ActiveStorage::BlobsController#show
Rails 5.2: authorize access to ActiveStorage::BlobsController#show
我想授权访问 ActiveStorage 附件并查看 BlobsController (https://github.com/rails/rails/blob/master/activestorage/app/controllers/active_storage/blobs_controller.rb) 的源代码如下:
# Take a signed permanent reference for a blob and turn it into an expiring service URL for download.
# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
# security-through-obscurity factor of the signed blob references, you'll need to implement your own
# authenticated redirection controller.
class ActiveStorage::BlobsController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
def show
expires_in ActiveStorage.service_urls_expire_in
redirect_to @blob.service_url(disposition: params[:disposition])
end
end
但即使上面的注释建议创建一个自定义控制器,我也需要覆盖 ActiveStorage 生成的路由,因为它们指向原始控制器,并且在我的 routes.rb 上重新定义它们似乎抛出一个例外。此外,我不想再公开这些路由,因为它们未被授权,并且有人可以使用 blob 的 signed_id 并使用原始端点获取附件。
在应用程序初始化时循环遍历路由并删除旧的 ActiveStorage 路由并插入新的路由似乎是目前最好的解决方案,但我想避免这种情况。
有什么建议吗?
创建一个新的控制器来覆盖原来的:app/controllers/active_storage/blobs_controller.rb 然后根据您的需要添加相应的授权方法:
#app/controllers/active_storage/blobs_controller.rb
class ActiveStorage::BlobsController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
def show
redirect_to @blob.service_url(disposition: params[:disposition])
authorize! :show, @blob # NOT TESTED!
end
end
单击附件的 link 时会触发 show 操作。
@blob.class #=> ActiveStorage::Blob
我想授权访问 ActiveStorage 附件并查看 BlobsController (https://github.com/rails/rails/blob/master/activestorage/app/controllers/active_storage/blobs_controller.rb) 的源代码如下:
# Take a signed permanent reference for a blob and turn it into an expiring service URL for download.
# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
# security-through-obscurity factor of the signed blob references, you'll need to implement your own
# authenticated redirection controller.
class ActiveStorage::BlobsController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
def show
expires_in ActiveStorage.service_urls_expire_in
redirect_to @blob.service_url(disposition: params[:disposition])
end
end
但即使上面的注释建议创建一个自定义控制器,我也需要覆盖 ActiveStorage 生成的路由,因为它们指向原始控制器,并且在我的 routes.rb 上重新定义它们似乎抛出一个例外。此外,我不想再公开这些路由,因为它们未被授权,并且有人可以使用 blob 的 signed_id 并使用原始端点获取附件。
在应用程序初始化时循环遍历路由并删除旧的 ActiveStorage 路由并插入新的路由似乎是目前最好的解决方案,但我想避免这种情况。
有什么建议吗?
创建一个新的控制器来覆盖原来的:app/controllers/active_storage/blobs_controller.rb 然后根据您的需要添加相应的授权方法:
#app/controllers/active_storage/blobs_controller.rb
class ActiveStorage::BlobsController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
def show
redirect_to @blob.service_url(disposition: params[:disposition])
authorize! :show, @blob # NOT TESTED!
end
end
单击附件的 link 时会触发 show 操作。
@blob.class #=> ActiveStorage::Blob