【问题标题】:pundit rails 5 can't enforce create method restrictionspundit rails 5 无法强制执行创建方法限制
【发布时间】:2019-01-26 09:22:51
【问题描述】:

每次我在这里提交表单(我搭建的)localhost:3000/syllabus_requests/new

来自 Pundit::NotAuthorizedError 的救援_,带有::user_not_authorized 从我的 ApplicationController.rb 文件中提出来,我不知道为什么,因为在策略类中我有一个创建?方法,它返回true

我正在使用 红宝石'2.3.1' gem 'rails', '~> 5.0.0', '>= 5.0.0.1' gem 'pundit', '~> 1.1'

我有一个政策

class SyllabusRequestPolicy < ApplicationPolicy
  attr_reader :current_user, :model

  def initialize(current_user, model)
    @current_user = current_user || User.new
    @model = model #this is the syllabus_request record from the syllabus_requests table as a rails model object
  end

  def index?
    @current_user.role == "admin"
  end

  def show?
    @current_user.role == "admin" 
  end

  def create?
    true
  end

  def edit?
    @current_user.role == "admin"
  end

  def update?
    @current_user.role == "admin"
  end

  def destroy?
    @current_user.role == "admin"
  end

end

我有一个控制器

class SyllabusRequestsController < ApplicationController
  before_action :set_syllabus_request, only: [:show, :edit, :update, :destroy]

  # GET /syllabus_requests
  # GET /syllabus_requests.json
  def index
    @syllabus_requests = SyllabusRequest.all
    authorize @syllabus_requests
  end

  # GET /syllabus_requests/1
  # GET /syllabus_requests/1.json
  def show
    authorize @syllabus_request
  end

  # GET /syllabus_requests/new
  def new
    @syllabus_request = SyllabusRequest.new
    authorize @syllabus_request
  end

  # GET /syllabus_requests/1/edit
  def edit
    authorize @syllabus_request
  end

  # POST /syllabus_requests
  # POST /syllabus_requests.json
  def create
    @syllabus_request = SyllabusRequest.new(syllabus_request_params)
    authorize @syllabus_request

    respond_to do |format|
      if @syllabus_request.save
        format.html { redirect_to @syllabus_request, notice: 'Syllabus request was successfully created.' }
        format.json { render :show, status: :created, location: @syllabus_request }
      else
        format.html { render :new }
        format.json { render json: @syllabus_request.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /syllabus_requests/1
  # PATCH/PUT /syllabus_requests/1.json
  def update
    authorize @syllabus_request

    respond_to do |format|
      if @syllabus_request.update(syllabus_request_params)
        format.html { redirect_to @syllabus_request, notice: 'Syllabus request was successfully updated.' }
        format.json { render :show, status: :ok, location: @syllabus_request }
      else
        format.html { render :edit }
        format.json { render json: @syllabus_request.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /syllabus_requests/1
  # DELETE /syllabus_requests/1.json
  def destroy
    authorize @syllabus_request
    @syllabus_request.destroy
    respond_to do |format|
      format.html { redirect_to syllabus_requests_url, notice: 'Syllabus request was successfully destroyed.' }
      format.json { head :no_content }
    end
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_syllabus_request
      @syllabus_request = SyllabusRequest.find(params[:id])
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    def syllabus_request_params
      params.require(:syllabus_request).permit(:full_name, :email)
    end
end

我的 ApplicationPolicy.rb 文件如下所示

class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def index?
    false
  end

  def show?
    scope.where(:id => record.id).exists?
  end

  def create?
    binding.pry # this should not hit if I'm overriding it
    false
  end

  def new?
    binding.pry 
    create?
  end

  def update?
    false
  end

  def edit?
    update?
  end

  def destroy?
    false
  end


  def scope
    Pundit.policy_scope!(user, record.class)
  end

  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      scope
    end
  end
end

我的 ApplicationController.rb 看起来像这样

  include Pundit
  protect_from_forgery with: :exception
  before_action :configure_permitted_parameters, if: :devise_controller?
  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:name])
    devise_parameter_sanitizer.permit(:account_update, keys: [:name])
  end

  private

  def user_not_authorized
    # binding.pry
    flash[:alert] = "You are not authorized to perform this action."
    redirect_to(request.referrer || root_path)
  end

end

【问题讨论】:

    标签: ruby-on-rails pundit


    【解决方案1】:

    您是否尝试添加新的?您的 SyllabusRequestPolicy 中的方法?

    【讨论】:

    • 我在 ApplicationPolicy 中有这个,它正在命中 ``` def new? binding.pry 创建?结束```
    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 2018-05-19
    • 1970-01-01
    • 2014-09-24
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多