0

The current user i'm on isn't an admin, however when I hit the new action of the posts controller, I'm able to see it. Why is this? How do I use pundit properly?

From the rails console: 2.1.2 :011 > u.admin? => false

post_policy.rb:

class PostPolicy < ApplicationPolicy

attr_reader :current_user, :model

def initialize(current_user, model)
  @current_user = current_user
  @post = model
end

def show?
@post.public?
end

def new?
    @current_user.admin?
end

def create?
    @current_user.admin?
end

def edit?
    @current_user.admin?
end

def update?
  @current_user.admin?
end

def destroy?
  @current_user.admin?
end

end

posts_controller.rb:

class PostsController < ApplicationController
  before_action :set_post, only: [:show, :edit, :update, :destroy]

  # GET /posts
  # GET /posts.json
  def index
    @posts = Post.all
  end

  # GET /posts/1
  # GET /posts/1.json
  def show
  end

  # GET /posts/new
  def new
    @post = Post.new
  end

  # GET /posts/1/edit
  def edit
  end

  # POST /posts
  # POST /posts.json
  def create
    @post = Post.new(post_params)

    respond_to do |format|
      if @post.save
        format.html { redirect_to @post, notice: 'Post was successfully created.' }
        format.json { render :show, status: :created, location: @post }
      else
        format.html { render :new }
        format.json { render json: @post.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /posts/1
  # PATCH/PUT /posts/1.json
  def update
    respond_to do |format|
      if @post.update(post_params)
        format.html { redirect_to @post, notice: 'Post was successfully updated.' }
        format.json { render :show, status: :ok, location: @post }
      else
        format.html { render :edit }
        format.json { render json: @post.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /posts/1
  # DELETE /posts/1.json
  def destroy
    @post.destroy
    respond_to do |format|
      format.html { redirect_to posts_url, notice: 'Post was successfully destroyed.' }
      format.json { head :no_content }
    end
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_post
      @post = Post.find(params[:id])
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    def post_params
      params.require(:post).permit(:visible_title, :html_title, :meta_description, :meta_keywords, :url_slug, :partial_name, :author, :post_date, :public, :category, :tags)
    end
end

posts/show.html.erb:

standard file printing out the contents of the post.

4

1 回答 1

2

您已经创建了一个策略文件,该文件定义了哪些用户可以采取哪些操作。

但是,您不会在任何地方调用授权。

def new
  @post = Post.new
  authorize @post
end

将执行 post 对象的授权,使用当前用户,并询问是否new允许。

这在官方自述文件中有详细说明。

于 2014-08-13T18:59:09.940 回答