I have a pretty standard setup: `Identity::Member` is the user, and every `Project::Project` belongs to a member. I'm using Devise and Pundit together for authentication and authorization.

Here is my `Project::ProjectPolicy`:
```ruby
class Project::ProjectPolicy < ApplicationPolicy
  attr_reader :member, :project

  def initialize(member, project)
    @member = member
    @project = project
  end

  ...

  def update?
    member == project.member
  end

  def edit?
    update?
  end

  ...
end
```
Here is my `edit` action:
```ruby
# GET /projects/1/edit
def edit
  authorize @project_project
  respond_with @project_project
end
```
And finally, the rescue setup in `ApplicationController`:
```ruby
rescue_from Pundit::NotAuthorizedError, with: :member_not_authorized

def member_not_authorized
  respond_with current_member, status: :unauthorized, location: -> { root_path }
end
```
But... for some reason, clicking edit still takes you to the edit view, although all changes are blocked and the user is redirected to `root_path`, just as I instructed, for the update and destroy actions. Why?
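As an added example (not part of the original question), the policy from the post can be exercised outside Rails to separate the two things that could be going wrong: the policy verdict and the controller's response to it. The `Member` and `Project::Project` structs, the `authorize!`/`check` helpers and the `Pundit::NotAuthorizedError` stand-in are constructed here; they mimic what Pundit's `authorize` does in a controller (look up the policy, call `<action>?`, raise when it returns false) so the policy can be ruled in or out before looking at the rescue handler.

```ruby
# Stand-ins for Pundit and the app's base policy, so this file runs without Rails.
module Pundit
  class NotAuthorizedError < StandardError; end
end
class ApplicationPolicy; end

module Project
  # Stand-in for the Project::Project model; only the association the policy reads.
  Project = Struct.new(:id, :member)

  # Copied from the question: a member may edit/update only projects they own.
  class ProjectPolicy < ApplicationPolicy
    attr_reader :member, :project

    def initialize(member, project)
      @member = member
      @project = project
    end

    def update?
      member == project.member
    end

    def edit?
      update?
    end
  end
end

# Stand-in for Identity::Member (Devise's current_member).
Member = Struct.new(:id, :email)

# Minimal reproduction of Pundit's `authorize record` for one policy:
# instantiate the policy, call the "<action>?" query, raise when it is false.
def authorize!(current_member, project, query)
  policy = Project::ProjectPolicy.new(current_member, project)
  raise Pundit::NotAuthorizedError, "not allowed to #{query}" unless policy.public_send(query)
  true
end

# Returns :allowed or :denied so each action's verdict can be checked directly.
def check(current_member, project, query)
  authorize!(current_member, project, query)
  :allowed
rescue Pundit::NotAuthorizedError
  :denied
end
```

If `check(other_member, project, :edit?)` returns `:denied`, the policy raises as expected for `edit` and any remaining difference between `edit` and `update`/`destroy` lies in how `member_not_authorized` responds to a GET, not in the policy.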