Ruby on Rails: Rails Pundit policy_scope on render json include fields


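Continuing from my previous question:

I have a situation where a User must not be able to view another user's unpublished chapters, which belong to a Story created by the author.

For example, if UserA created a story called Targon with 2 published chapters and 2 unpublished chapters, then UserB should only see the published chapters of the Targon story.

Normally, Pundit policy scoping scopes the index CRUD action.

However, what I need to scope is the chapters belonging to the story during the render json line: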
render json: story, include: [:user, :chapters], status: :ok
I tried:

# ---------------------------------------------------------------------------
# ActiveRecord auto-save will kick in and delete all unpublished chapters
# ---------------------------------------------------------------------------
story.chapters = policy_scope(story.chapters)

render json: story, include: [:user, :chapters], status: :ok
According to the documentation (has_many section), the code above deletes all unpublished chapters belonging to Targon when I reassign story.chapters:

story.chapters = policy_scope(story.chapters) # BAD
I wish there were a way to do something like this:

render json: story, include: [:user, policy_scope(:chapters)], status: :ok
Currently, without scoping story.chapters, any user fetching the story with ID 16 (Targon) will get this JSONAPI response:

{
    "data": {
        "id": "16",
        "type": "stories",
        "attributes": {
            "title": "Mount Targon",
            "summary": "Mount Targon is the mightiest peak in Runeterra, a towering peak of sun-baked rock amid a range of summits unmatched in scale anywhere else in the world. Located far from civilization, Mount Targon is utterly remote and all but impossible to reach save by the most determined seeker. Many legends cling to Mount Targon, and, like any place of myth, it is a beacon to dreamers, madmen and questors of adventure. Some of these brave souls attempt to scale the impossible mountain, perhaps seeking wisdom or enlightenment, perhaps chasing glory or some soul-deep yearning to witness its summit. The ascent is all but impossible, and those hardy few who somehow survive to reach the top almost never speak of what they have seen. Some return with a haunted, empty look in their eyes, others changed beyond all recognition, imbued by an Aspect of unearthly, inhuman power with a destiny few mortals can comprehend.",
            "published": true,
            "published-date": "2017-11-02T10:35:33.184Z",
            "created-at": "2017-11-02T10:35:33.184Z",
            "updated-at": "2017-11-04T07:35:04.083Z",
            "cover": {
                "url": "http://res.cloudinary.com/chewedon/image/upload/v1509780931/c8ubn3tfivxziyxwynsa.png",
                "standard": {
                    "url": "http://res.cloudinary.com/chewedon/image/upload/c_fill,g_north,h_300,w_200/c8ubn3tfivxziyxwynsa.png"
                }
            }
        },
        "relationships": {
            "user": {
                "data": {
                    "id": "1",
                    "type": "users"
                }
            },
            "chapters": {
                "data": [{
                    "id": "26",
                    "type": "chapters"
                }, {
                    "id": "27",
                    "type": "chapters"
                }, {
                    "id": "37",
                    "type": "chapters"
                }, {
                    "id": "38",
                    "type": "chapters"
                }]
            }
        }
    },
    "included": [{
        "id": "1",
        "type": "users",
        "attributes": {
            "username": "Chewedon",
            "photo": {
                "url": "http://res.cloudinary.com/chewedon/image/upload/v1509857442/nx1tqlcdxrhz6r3kjx87.jpg",
                "standard": {
                    "url": "http://res.cloudinary.com/chewedon/image/upload/c_fill,g_north,h_150,w_150/nx1tqlcdxrhz6r3kjx87.jpg"
                }
            }
        },
        "relationships": {
            "stories": {
                "data": [{
                    "id": "1",
                    "type": "stories"
                }, {
                    "id": "2",
                    "type": "stories"
                }, {
                    "id": "3",
                    "type": "stories"
                }, {
                    "id": "4",
                    "type": "stories"
                }, {
                    "id": "5",
                    "type": "stories"
                }, {
                    "id": "6",
                    "type": "stories"
                }, {
                    "id": "8",
                    "type": "stories"
                }, {
                    "id": "9",
                    "type": "stories"
                }, {
                    "id": "10",
                    "type": "stories"
                }, {
                    "id": "11",
                    "type": "stories"
                }, {
                    "id": "12",
                    "type": "stories"
                }, {
                    "id": "13",
                    "type": "stories"
                }, {
                    "id": "14",
                    "type": "stories"
                }, {
                    "id": "15",
                    "type": "stories"
                }, {
                    "id": "16",
                    "type": "stories"
                }]
            }
        }
    }]
}
In the relationships section, chapters 37 and 38 are unpublished, which results in a 403 Forbidden in my Ember front end.

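Ideally, the server should scope these fields before returning the record, but because of the bug I described above and the one in my previous Stackoverflow question, I am stuck on how to scope include fields using Pundit.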


Any ideas?

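Thanks to user oowowaee in the previous linked question, who suggested overriding the chapters field of the Story serializer (I didn't know you could do that), the code is now working and records are not deleted from the database.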

class StorySerializer < ActiveModel::Serializer
  include Pundit

  attributes :id, :title, :summary, :published, :published_date, :created_at, :updated_at, :cover

  belongs_to :user
  has_many :chapters

  # ------------------------------------------------------------------------
  # Note: need to use 'object.chapters' not 'self.chapters' below.
  # ------------------------------------------------------------------------
  def chapters
    policy_scope(object.chapters)
  end
end
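
The serializer override above depends on a chapter scope class that the page does not show. As an added example (not the poster's code), this plain-Ruby model uses in-memory structs in place of ActiveRecord and the pundit gem to show a read-only scope filtering the JSON:API relationship linkage per viewer. The `author_id` field, the rule that authors still see their own unpublished chapters, and the `visible_chapter_ids` helper are assumptions.

```ruby
# Constructed stand-ins: no pundit gem, no ActiveRecord; author_id is hypothetical.
User    = Struct.new(:id)
Chapter = Struct.new(:id, :author_id, :published)
Story   = Struct.new(:id, :title, :user, :chapters)

class ChapterPolicy
  # Same shape as a Pundit scope class: Scope.new(user, scope).resolve
  class Scope
    def initialize(user, scope)
      @user  = user
      @scope = scope
    end

    # Assumed rule: authors see all of their own chapters; everyone else
    # (including an anonymous nil user) sees published chapters only.
    def resolve
      @scope.select { |c| c.published || (@user && c.author_id == @user.id) }
    end
  end
end

class StorySerializer
  def initialize(story, current_user)
    @object = story
    @current_user = current_user
  end

  # Read-only filter: returns a new list and never assigns to story.chapters,
  # so nothing is removed from the underlying collection.
  def chapters
    ChapterPolicy::Scope.new(@current_user, @object.chapters).resolve
  end

  # Only the relationship linkage the question is concerned with.
  def as_json
    linkage = chapters.map { |c| { id: c.id.to_s, type: "chapters" } }
    { data: { id: @object.id.to_s, type: "stories",
              relationships: { chapters: { data: linkage } } } }
  end
end

# Hypothetical helper: chapter ids a given viewer receives for a story.
def visible_chapter_ids(story, viewer)
  StorySerializer.new(story, viewer).as_json
                 .dig(:data, :relationships, :chapters, :data).map { |h| h[:id] }
end

# Constructed sample mirroring the question: chapters 37 and 38 are unpublished.
AUTHOR, READER = User.new(1), User.new(2)
TARGON = Story.new(16, "Mount Targon", AUTHOR,
  [[26, true], [27, true], [37, false], [38, false]].map { |id, pub| Chapter.new(id, 1, pub) })
```

Checks like `visible_chapter_ids(TARGON, READER)` translate directly into a request or serializer spec that guards against unpublished ids reappearing in the linkage.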