Ruby on Rails: basic pundit gem setup for three users

Tags: ruby-on-rails, ruby, ruby-on-rails-4, devise, pundit

I am using Devise, and following it I set up three users (admin, seller, viewer). Each user has its own model, sessions_controller, registrations_controller and views folder holding all the views associated with that user.

Now I am trying to implement the pundit gem so that I can set permissions in each controller.

When trying to log in at localhost:3000/items, I get the following error: Pundit::NotDefinedError in ItemsController#index: unable to find policy of nil

This is what I am trying to do in items_controller:
class ItemsController < ApplicationController
  before_action :set_item, only: [:show, :edit, :update, :destroy]

  def index
    authorize @item
    @items = Item.all
  end

  def show
    authorize @item
    @comments = Comment.where(item_id: @item).order("created_at DESC")
    @items = Item.find(params[:id])
  end

  def new
    authorize @item
    @item = Item.new
    @categories = Category.order(:name)
  end

  def edit
    authorize @item
    @categories = Category.order(:name)
  end

  def create
    authorize @item
    @item = Item.new(item_params)
    respond_to do |format|
      if @item.save
        format.html { redirect_to @item, notice: 'Item was successfully created.' }
        format.json { render :show, status: :created, location: @item }
      else
        format.html { render :new }
        format.json { render json: @item.errors, status: :unprocessable_entity }
      end
    end
  end

  def update
    authorize @item
    respond_to do |format|
      if @item.update(item_params)
        format.html { redirect_to @item, notice: 'Item was successfully updated.' }
        format.json { render :show, status: :ok, location: @item }
      else
        format.html { render :edit }
        format.json { render json: @item.errors, status: :unprocessable_entity }
      end
    end
  end

  def destroy
    authorize @item
    @item.destroy
    respond_to do |format|
      format.html { redirect_to items_url, notice: 'Item was successfully destroyed.' }
      format.json { head :no_content }
    end
  end

  private

  def set_item
    @item = Item.find(params[:id])
  end
end
policies/application_policy.rb
class ApplicationPolicy
  attr_reader :seller, :record, :admin, :viewer

  def initialize(context, record)
    raise Pundit::NotAuthorizedError, "must be logged in" unless context
    @seller = context.seller
    @admin = context.admin
    @viewer = context.viewer
    @record = record
  end

  def index?
    false
  end

  def show?
    scope.where(:id => record.id).exists?
  end

  def create?
    false
  end

  def new?
    create?
  end

  def update?
    false
  end

  def edit?
    update?
  end

  def destroy?
    false
  end

  def scope
    Pundit.policy_scope!(user, record.class)
  end

  class Scope
    attr_reader :seller, :admin, :viewer, :scope

    def initialize(context, scope)
      @seller = context.seller
      @admin = context.admin
      @viewer = context.viewer
      @scope = scope
    end

    def resolve
      scope
    end
  end
end
policies/item_policy.rb
What I am trying to do here is... the admin has full access, while a seller can only create, edit, update and delete their own content.
class ItemPolicy < ApplicationPolicy
  attr_reader :item

  def initialize(user, item)
    super(user, item)
    @user = user
    @item = record
  end

  def update?
    @user.is_a?(Admin) || @item.try(:user) == @user
  end

  def index?
    @user.is_a?(Admin) || @item.try(:user) == @user
  end

  def show?
    @user.is_a?(Admin) || @item.try(:user) == @user
  end

  def create?
    @user.is_a?(Admin) || @item.try(:user) == @user
  end

  def new?
    @user.is_a?(Admin) || @item.try(:user) == @user
  end

  def edit?
    @user.is_a?(Admin) || @item.try(:user) == @user
  end

  def destroy?
    @user.is_a?(Admin) || @item.try(:user) == @user
  end
end
Check the index action of your controller: @item is nil there.

Change the index action as follows:

def index
  authorize Item
  @items = Item.all
end
In Pundit, you pass the class to authorize actions that do not correspond to a specific instance:

def index
  authorize Item
  @items = policy_scope(Item)
end

Also get into the habit of using policy_scope - it lets you control which records are available from the policy.

Declare the @item instance variable in #new and #create:

def new
  @item = Item.new(item_params)
  authorize @item
end

You can also DRY up the controller considerably by authorizing the following actions in the set_item callback:
class ItemsController < ApplicationController
  before_action :set_item, only: [:show, :edit, :update, :destroy]

  def index
    authorize Item
    @items = policy_scope(Item)
  end

  def show
    # Use the association
    @comments = @item.comments.order("created_at DESC")
  end

  def new
    @item = Item.new
    authorize @item
    @categories = Category.order(:name)
  end

  def edit
    @categories = Category.order(:name)
  end

  def create
    @item = Item.new(item_params)
    authorize @item
    respond_to do |format|
      if @item.save
        format.html { redirect_to @item, notice: 'Item was successfully created.' }
        format.json { render :show, status: :created, location: @item }
      else
        format.html { render :new }
        format.json { render json: @item.errors, status: :unprocessable_entity }
      end
    end
  end

  def update
    respond_to do |format|
      if @item.update(item_params)
        format.html { redirect_to @item, notice: 'Item was successfully updated.' }
        format.json { render :show, status: :ok, location: @item }
      else
        format.html { render :edit }
        format.json { render json: @item.errors, status: :unprocessable_entity }
      end
    end
  end

  def destroy
    @item.destroy
    respond_to do |format|
      format.html { redirect_to items_url, notice: 'Item was successfully destroyed.' }
      format.json { head :no_content }
    end
  end

  private

  def set_item
    @item = authorize( Item.find(params[:id]) )
    # Or if you are using an older version of Pundit
    # @item = Item.find(params[:id])
    # authorize @item
  end
end
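The two points both answers make (pass the class, not a nil instance, for index; let policy_scope decide which rows a user may see) can be exercised outside Rails. The following is an added example, not code from the question, the answers or the pundit gem: it re-implements Pundit's policy lookup in a few plain-Ruby helpers (policy_class_for, authorize, policy_scope are stand-ins written for this example), reproduces the "unable to find policy of nil" failure, and shows a deny-by-default ApplicationPolicy with an ItemPolicy for the three roles. User, Item, the role rules (including what a viewer may do, which the question leaves open) and the sample items are constructed for the example.

```ruby
# Added example, not the question's or answers' code: a plain-Ruby model of the
# Pundit conventions the answer relies on, runnable without Rails or the gem.
# policy_class_for/authorize/policy_scope re-implement the gem's lookup only for
# illustration; User, Item, the role rules and the sample items are constructed.
NotAuthorizedError = Class.new(StandardError)
NotDefinedError    = Class.new(StandardError)

User = Struct.new(:name, :role)           # role: :admin, :seller or :viewer
Item = Struct.new(:id, :title, :owner) do
  def self.all; @all ||= []; end          # constructed stand-in for ActiveRecord's Item.all
end

# Pundit derives the policy from the record: an Item instance and the Item class
# both map to ItemPolicy. A nil record is exactly the question's failure.
def policy_class_for(record)
  raise NotDefinedError, "unable to find policy of nil" if record.nil?
  klass = record.is_a?(Class) ? record : record.class
  name  = "#{klass.name}Policy"
  raise NotDefinedError, "unable to find policy `#{name}`" unless Object.const_defined?(name)
  Object.const_get(name)
end

# authorize(user, record, :update?) returns the record or raises NotAuthorizedError.
def authorize(user, record, query)
  policy = policy_class_for(record).new(user, record)
  raise NotAuthorizedError, "#{query} denied on #{record.inspect}" unless policy.public_send(query)
  record
end

# policy_scope(user, Item) returns only the rows this user may see.
def policy_scope(user, klass)
  policy_class = policy_class_for(klass)
  policy_class::Scope.new(user, klass).resolve
end

class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    raise NotAuthorizedError, "must be logged in" unless user
    @user, @record = user, record
  end

  # Deny by default; each policy opens only what it needs.
  def index?;   false;   end
  def show?;    false;   end
  def create?;  false;   end
  def new?;     create?; end
  def update?;  false;   end
  def edit?;    update?; end
  def destroy?; false;   end
end

# Constructed rules: admins may do anything, sellers manage only their own items,
# viewers are read-only (the question does not say what viewers may do).
class ItemPolicy < ApplicationPolicy
  def index?;   true;                        end  # anyone signed in may list; Scope narrows the rows
  def show?;    admin? || viewer? || owner?; end
  def create?;  admin? || seller?;           end
  def update?;  admin? || owner?;            end
  def destroy?; admin? || owner?;            end

  class Scope
    attr_reader :user, :scope
    def initialize(user, scope); @user, @scope = user, scope; end
    def resolve
      case user.role
      when :admin, :viewer then scope.all                               # everything
      when :seller then scope.all.select { |item| item.owner == user }  # own rows only
      else []                                                           # unknown role: nothing
      end
    end
  end

  private
  def admin?;  user.role == :admin;  end
  def seller?; user.role == :seller; end
  def viewer?; user.role == :viewer; end
  # `authorize Item` passes the class, which has no owner, so this is false there.
  def owner?;  record.respond_to?(:owner) && record.owner == user; end
end

# Constructed users and items; returns the users keyed by role.
def seed!
  bob, carol = User.new("bob", :seller), User.new("carol", :seller)
  Item.all.replace([Item.new(1, "lamp", bob), Item.new(2, "desk", carol)])
  { admin: User.new("alice", :admin), seller: bob, other: carol, viewer: User.new("dave", :viewer) }
end

# Outcome of `authorize user, record, query` without raising: :ok, :denied or :no_policy.
def check(user, record, query)
  authorize(user, record, query)
  :ok
rescue NotAuthorizedError then :denied
rescue NotDefinedError    then :no_policy
end

def visible_titles(user)
  policy_scope(user, Item).map(&:title)
end
```

Running check(seller, nil, :index?) yields :no_policy, which is the question's error, while check(seller, Item, :index?) yields :ok; visible_titles(seller) then returns only that seller's own items, so the index action needs both the class-level authorize and the scope. Keeping ApplicationPolicy's defaults false means a forgotten predicate in a new policy denies rather than grants.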