Pundit - 政策不被认可
Pundit - Policies are not recognised
我正在实施专家并希望将 user#edit 和 user#update 操作限制为仅 current_user
def edit
@user = current_user
authorize(@user)
end
def update
@user = current_user
authorise(@user)
if @user.update_attributes(user_params)
flash[:success] = "Profile updated"
redirect_to edit_user_path
else
render 'edit'
end
end
以下是我尝试过的策略,其中 (a) 行不通且 (b) 不合逻辑。
class UserPolicy
attr_reader :user, :user
def initialise(user, user)
@user = user
end
def update?
true
end
alias_method :edit?, :update?
end
我现在已经按照以下更新了我的 UserPolicy。我已将操作设置为 false 以进行测试,因为所有内容都已获得授权:
class UserPolicy < ApplicationPolicy
def new?
create?
end
def create?
false
end
def edit?
update?
end
def update?
false
#user.id == record.id
end
end
但是我的政策没有被认可。进一步阅读后,我将以下内容添加到我的 ApplicationController 中:
after_filter :verify_authorized, except: :index
after_filter :verify_policy_scoped, only: :index
当我现在导航到我的用户#edit 操作时,我收到:
Pundit::AuthorizationNotPerformedError
首先,确保你有...
your-app/app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
include Pundit
end
your-app/app/policies/application_policy.rb 具有常用操作的默认权限。
class ApplicationPolicy
attr_reader :user, :record
def initialize(user, record)
@user = user
@record = record
end
def index?
false
end
def show?
scope.where(:id => record.id).exists?
end
def create?
false
end
def new?
create?
end
def update?
false
end
def edit?
update?
end
def destroy?
false
end
def scope
Pundit.policy_scope!(user, record.class)
end
class Scope
attr_reader :user, :scope
def initialize(user, scope)
@user = user
@scope = scope
end
def resolve
scope
end
end
然后,在您的 UserPolicy
your-app/app/policies/section_policy.rb
class UserPolicy < ApplicationPolicy
def edit?
user.id == record.id
end
def update?
edit?
end
end
因此,默认情况下,user 将是您的当前用户,record 将是在编辑和更新操作中定义的 @user。
您不需要显式调用 authorize 方法。 Pundit 知道如何处理您的 @user 属性。所以,你的控制器应该是:
def edit
user
end
def update
if user.update_attributes(user_params)
flash[:success] = "Profile updated"
redirect_to edit_user_path
else
render 'edit'
end
end
private
def user
@user ||= User.find(params[:id])
end
you must know if you don't have a current_user method, yo will need to define a pundit_user in your application controller.
我正在实施专家并希望将 user#edit 和 user#update 操作限制为仅 current_user
def edit
@user = current_user
authorize(@user)
end
def update
@user = current_user
authorise(@user)
if @user.update_attributes(user_params)
flash[:success] = "Profile updated"
redirect_to edit_user_path
else
render 'edit'
end
end
以下是我尝试过的策略,其中 (a) 行不通且 (b) 不合逻辑。
class UserPolicy
attr_reader :user, :user
def initialise(user, user)
@user = user
end
def update?
true
end
alias_method :edit?, :update?
end
我现在已经按照以下更新了我的 UserPolicy。我已将操作设置为 false 以进行测试,因为所有内容都已获得授权:
class UserPolicy < ApplicationPolicy
def new?
create?
end
def create?
false
end
def edit?
update?
end
def update?
false
#user.id == record.id
end
end
但是我的政策没有被认可。进一步阅读后,我将以下内容添加到我的 ApplicationController 中:
after_filter :verify_authorized, except: :index
after_filter :verify_policy_scoped, only: :index
当我现在导航到我的用户#edit 操作时,我收到:
Pundit::AuthorizationNotPerformedError
首先,确保你有...
your-app/app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
include Pundit
end
your-app/app/policies/application_policy.rb 具有常用操作的默认权限。
class ApplicationPolicy
attr_reader :user, :record
def initialize(user, record)
@user = user
@record = record
end
def index?
false
end
def show?
scope.where(:id => record.id).exists?
end
def create?
false
end
def new?
create?
end
def update?
false
end
def edit?
update?
end
def destroy?
false
end
def scope
Pundit.policy_scope!(user, record.class)
end
class Scope
attr_reader :user, :scope
def initialize(user, scope)
@user = user
@scope = scope
end
def resolve
scope
end
end
然后,在您的 UserPolicy
your-app/app/policies/section_policy.rb
class UserPolicy < ApplicationPolicy
def edit?
user.id == record.id
end
def update?
edit?
end
end
因此,默认情况下,user 将是您的当前用户,record 将是在编辑和更新操作中定义的 @user。
您不需要显式调用 authorize 方法。 Pundit 知道如何处理您的 @user 属性。所以,你的控制器应该是:
def edit
user
end
def update
if user.update_attributes(user_params)
flash[:success] = "Profile updated"
redirect_to edit_user_path
else
render 'edit'
end
end
private
def user
@user ||= User.find(params[:id])
end
you must know if you don't have a
current_usermethod, yo will need to define a pundit_user in your application controller.