0

您好,我是 ruby​​ on rails 的新手,目前正在做一个练习,我有 3 种类型的用户(管理员、版主和成员)。我将 Pundit gem 与 Devise Gem 一起使用。我被要求定义 Pundit 范围类,以根据用户的角色使帖子可访问。

管理员和版主可以查看所有帖子。登录用户只能看到他的帖子。访客看不到帖子。

这是 PostsController:

class PostsController < ApplicationController
          def index
            @posts = policy_scope(Post.all)
            authorize @posts
          end

          def show
            @post = Post.find(params[:id])
          end

          def new
            @post = Post.new
            authorize @post
          end

          def create 
            @post = current_user.posts.build(params.require(:post).permit(:title, :body))
            authorize @post
            if @post.save
              flash[:notice] = "Post was saved"
              redirect_to @post
            else
              flash[:error] = "There was an error saving the post. Please try again"
              render :new
            end
          end

          def edit
            @post = Post.find(params[:id])
            authorize @post
          end
          def update 
            @post = Post.find(params[:id])
            authorize @post
            if @post.update_attributes(params.require(:post).permit(:title, :body))
              flash[:notice] = "Post was updated."
              redirect_to @post
            else
              flash[:error] = "There was an error saving the post.Please try again."
              render :edit
            end
          end
        end

Here's my application policy:

    class ApplicationPolicy
      attr_reader :user, :record

      def initialize(user, record)
        @user = user
        @record = record
      end

      def index?
        false
      end

      def show?
        scope.where(:id => record.id).exists?
      end

      def create?
        user.present?
      end

      def new?
        create?
      end

      def update?
        user.present? && (record.user == user || user.admin?)
      end

      def edit?
        update?
      end

      def destroy?
        update?
      end

      def scope
        record.class
      end

      class Scope
        attr_reader :user, :scope

        def initialize(user, scope)
          @user = user
          @scope = scope
        end

        def resolve
          scope
        end
      end
    end

还有我的帖子政策:

class PostPolicy < ApplicationPolicy 


  class Scope < Scope 
    def resolve 
      if user.admin? || user.moderator? 
      scope.all

      else
      scope.where(:id => user.id).exists?
      end
    end
  end 


  def index?
    user.admin? || user.id?
  end

end

此外,我是否可以在任何地方阅读或了解有关 Pundit 范围策略和 Rails 授权的更多信息?

4

2 回答 2

0

如果您想使用 Pundit 策略,请确保始终编写在您的用户模型中声明管理员和版主的方法。

def admin?
  role == 'admin'
end

def moderator?
  role == 'moderator'
end
于 2015-03-18T23:11:00.277 回答
0

有一种更好的方法来定义管理员、版主和成员。首先做:

rails g migration AddRoleToUsers role:integer

然后在您的用户模型中进行枚举

enum role: [:member, :moderator, :admin] # add whatever roles you want

枚举会自动为每个角色创建一个

.member? # checks if role is member
.member! # turns the user into a member so like current_user.member!
 # and the same for all other roles.

不确定这是否真的有帮助,但希望你觉得它有用!

于 2015-12-27T17:46:06.390 回答