Rails:适用于三个用户的基本pundit gem设置
Rails:适用于三个用户的基本pundit gem设置
提问于 2017-10-05 19:48:34
我正在使用devise,并且我遵循this来设置三个用户(管理员、卖家、查看者)。每个用户都将其放在model、session_controller、registration_conttroler和views文件夹中,其中包含与每个用户关联的所有视图。
现在,我正在尝试实现pundit gem,以便在每个controller中设置权限。
在尝试登录localhost:3000/items时,我收到以下错误:unable to find policy of nil Pundit::NotDefinedError in ItemsController#index
这就是我在items_controller中尝试做的事情
class ItemsController < ApplicationController
before_action :set_item, only: [:show, :edit, :update, :destroy]
def index
authorize @item
@items = Item.all
end
def show
authorize @item
@comments = Comment.where(item_id: @item).order("created_at DESC")
@items = Item.find(params[:id])
end
def new
authorize @item
@item = Item.new
@categories = Category.order(:name)
end
def edit
authorize @item
@categories = Category.order(:name)
end
def create
authorize @item
@item = Item.new(item_params)
respond_to do |format|
if @item.save
format.html { redirect_to @item, notice: 'Item was successfully created.' }
format.json { render :show, status: :created, location: @item }
else
format.html { render :new }
format.json { render json: @item.errors, status: :unprocessable_entity }
end
end
end
def update
authorize @item
respond_to do |format|
if @item.update(item_params)
format.html { redirect_to @item, notice: 'Item was successfully updated.' }
format.json { render :show, status: :ok, location: @item }
else
format.html { render :edit }
format.json { render json: @item.errors, status: :unprocessable_entity }
end
end
end
def destroy
authorize @item
@item.destroy
respond_to do |format|
format.html { redirect_to items_url, notice: 'Item was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def set_item
@item = Item.find(params[:id])
end
endapplication_controller.rb
class ApplicationController < ActionController::Base
include Pundit
protect_from_forgery prepend: true
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
def pundit_user
CurrentContext.new(current_seller, current_admin, current_viewer)
end
private
def user_not_authorized(exception)
policy_name = exception.policy.class.to_s.underscore
flash[:warning] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
redirect_to(request.referrer || root_path)
end
endmodels/current_context.rb
class CurrentContext
attr_reader :seller, :admin, :viewer
def initialize(seller, admin, viewer)
@seller = seller
@admin = admin
@viewer = viewer
end
end策略/application_policy.rb
class ApplicationPolicy
attr_reader :seller, :record, :admin, :viewer
def initialize(context, record)
raise Pundit::NotAuthorizedError, "must be logged in" unless context
@seller = context.seller
@admin = context.admin
@viewer = context.viewer
@record = record
end
def index?
false
end
def show?
scope.where(:id => record.id).exists?
end
def create?
false
end
def new?
create?
end
def update?
false
end
def edit?
update?
end
def destroy?
false
end
def scope
Pundit.policy_scope!(user, record.class)
end
class Scope
attr_reader :seller, :admin, :viewer, :scope
def initialize(context, scope)
@seller = context.seller
@admin = context.admin
@viewer = context.viewer
@scope = scope
end
def resolve
scope
end
end
endpolicies/item_policy.rb
我想说的是..。管理员要有完全的访问权限,而卖家只能创建、编辑、更新、删除自己的内容。
class ItemPolicy < ApplicationPolicy
attr_reader :item
def initialize(user, item)
super(user, item)
@user = user
@item = record
end
def update?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def index?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def show?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def create?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def new?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def edit?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def destroy?
@user.is_a?(Admin) || @item.try(:user) == @user
end
end回答 2
Stack Overflow用户
发布于 2017-10-05 22:41:43
检查控制器的索引操作,您的@item为空。更改索引操作,如下所示:
def index
authorize Item
@items = Item.all
endStack Overflow用户
发布于 2017-10-05 23:09:31
在Pundit中,您可以传递类来授权与特定实例不对应的操作:
def index
authorize Item
@items = policy_scope(Item)
end另外,养成使用policy_scope的习惯--它可以让你控制策略中哪些记录是可用的。
在#new和create中声明实例变量之前,还需要使用@item实例变量:
def new
@item = Item.new(item_params)
authorize @item
end你也可以通过在你的set_item回调中授权来大大地干燥控制器:
class ItemsController < ApplicationController
before_action :set_item, only: [:show, :edit, :update, :destroy]
def index
authorize Item
@items = policy_scope(Item)
end
def show
# Use the association
@comments = @item.comments.order("created_at DESC")
end
def new
@item = Item.new
authorize @item
@categories = Category.order(:name)
end
def edit
@categories = Category.order(:name)
end
def create
@item = Item.new(item_params)
authorize @item
respond_to do |format|
if @item.save
format.html { redirect_to @item, notice: 'Item was successfully created.' }
format.json { render :show, status: :created, location: @item }
else
format.html { render :new }
format.json { render json: @item.errors, status: :unprocessable_entity }
end
end
end
def update
respond_to do |format|
if @item.update(item_params)
format.html { redirect_to @item, notice: 'Item was successfully updated.' }
format.json { render :show, status: :ok, location: @item }
else
format.html { render :edit }
format.json { render json: @item.errors, status: :unprocessable_entity }
end
end
end
def destroy
@item.destroy
respond_to do |format|
format.html { redirect_to items_url, notice: 'Item was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def set_item
@item = authorize( Item.find(params[:id]) )
# Or if you are using an older version of Pundit
# @item = Item.find(params[:id])
# authorize @item
end
end页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/46584860
复制相关文章
相似问题
腾讯云开发者
