Ruby on Rails 5.2: authorizing access to ActiveStorage::BlobsController#show

Tags: ruby-on-rails, rails-activestorage

I want to authorize access to ActiveStorage attachments. Looking at the source of BlobsController, the note reads:

# Take a signed permanent reference for a blob and turn it into an expiring service URL for download.
# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
# security-through-obscurity factor of the signed blob references, you'll need to implement your own
# authenticated redirection controller.
class ActiveStorage::BlobsController < ActiveStorage::BaseController
  include ActiveStorage::SetBlob

  def show
    expires_in ActiveStorage.service_urls_expire_in
    redirect_to @blob.service_url(disposition: params[:disposition])
  end
end
But even though the comment above suggests creating a custom controller, I would also need to override the routes ActiveStorage generates, because they point at the original controller, and redefining them in my routes.rb seems to raise an exception. Moreover, I don't want those routes to stay public, since they are unauthorized: anyone who gets hold of a blob's signed_id can use the original endpoint to fetch the attachment. Looping over the routes at application initialization, removing the old ActiveStorage routes and inserting new ones seems to be the best solution so far, but I would like to avoid that.


Any suggestions?


Create a new controller that overrides the original one, at app/controllers/active_storage/blobs_controller.rb, then add the authorization method you need:

# app/controllers/active_storage/blobs_controller.rb
# Same constant name as the controller shipped in the activestorage gem, so the
# routes the gem already defines now dispatch to this class instead.
class ActiveStorage::BlobsController < ActiveStorage::BaseController
  include ActiveStorage::SetBlob   # sets @blob from the signed id in the URL

  def show
    redirect_to @blob.service_url(disposition: params[:disposition])
    authorize! :show, @blob # NOT TESTED!
  end

end

Just one fix: the authorization should go at the beginning of the method, or put an authorize_resource at the top of the controller.
@blob.class #=> ActiveStorage::Blob
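The answer above overrides the controller and the comment moves the check ahead of the redirect; the following is an added example (not the question's or answer's code) that puts both together with an ownership policy instead of an unspecified authorize! call. The policy is plain Ruby and runs offline against constructed stand-ins; the controller override is only defined when ActiveStorage is loaded. Hypothetical assumptions: records that own attachments expose a user_id column, and the controller has a current_user helper from your authentication layer.

```ruby
# Added example, not the question's or answer's code. Plain Ruby: the policy
# runs offline; the controller override only loads when Rails/ActiveStorage exists.
# Hypothetical assumptions: owning records expose `user_id`, and the controller
# has a `current_user` helper (e.g. from your authentication layer).

module BlobAuthorization
  # +user+ may fetch +blob+ only if at least one attachment pointing at the blob
  # hangs off a record that user owns. An orphan blob (no attachments yet, such
  # as a fresh direct upload) is denied: holding the signed_id is not ownership.
  def self.authorized?(user, blob)
    return false if user.nil?
    attachments = blob.attachments.to_a
    return false if attachments.empty?
    attachments.any? do |attachment|
      record = attachment.record
      record.respond_to?(:user_id) && record.user_id == user.id
    end
  end
end

if defined?(ActiveStorage::BaseController)
  # Lives at app/controllers/active_storage/blobs_controller.rb in a real app.
  class ActiveStorage::BlobsController < ActiveStorage::BaseController
    include ActiveStorage::SetBlob   # sets @blob from the signed id in the URL

    def show
      # Decide before touching the response: raising or rendering after
      # redirect_to means the action tries to answer twice.
      unless BlobAuthorization.authorized?(current_user, @blob)
        head :forbidden
        return
      end
      expires_in ActiveStorage.service_urls_expire_in
      redirect_to @blob.service_url(disposition: params[:disposition])
    end
  end
end

# Constructed stand-ins for a user, an owning record, ActiveStorage::Attachment
# and ActiveStorage::Blob, so the policy can be exercised without a database.
StubUser       = Struct.new(:id)
StubRecord     = Struct.new(:user_id)       # e.g. a Document with has_one_attached :file
StubAttachment = Struct.new(:record)
StubBlob       = Struct.new(:attachments)

# Exercise the policy: owner, another user, anonymous request, orphan blob.
def blob_authorization_demo
  alice  = StubUser.new(1)
  bob    = StubUser.new(2)
  shared = StubBlob.new([StubAttachment.new(StubRecord.new(alice.id))])
  orphan = StubBlob.new([])
  {
    owner:  BlobAuthorization.authorized?(alice, shared),
    other:  BlobAuthorization.authorized?(bob, shared),
    anon:   BlobAuthorization.authorized?(nil, shared),
    orphan: BlobAuthorization.authorized?(alice, orphan)
  }
end

puts blob_authorization_demo.inspect if $PROGRAM_NAME == __FILE__
```

In Rails 5.2, blob.attachments is the has_many on ActiveStorage::Blob and attachment.record is the polymorphic owner, so the policy walks from the blob back to the model whose ownership you actually know how to check. Note that this override only guards the blob redirect route; the representations (variants/previews) and disk service endpoints are separate controllers in the gem and need the same treatment if you want no unauthenticated path to the file.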