Rails Gem Pundit并没有正确阻止用户

时间:2014-08-13 15:03:20

标签: ruby-on-rails pundit

我当前的用户不是管理员,但是当我点击帖子控制器的新动作时,我能够看到它。为什么是这样?我如何正确使用权威?

来自rails控制台:     2.1.2:011> u.admin?     =>假的

post_policy.rb: 

class PostPolicy < ApplicationPolicy

attr_reader :current_user, :model

def initialize(current_user, model)
  @current_user = current_user
  @post = model
end

def show?
@post.public?
end

def new?
    @current_user.admin?
end

def create?
    @current_user.admin?
end

def edit?
    @current_user.admin?
end

def update?
  @current_user.admin?
end

def destroy?
  @current_user.admin?
end

posts_controller.rb: 

class PostsController < ApplicationController
  before_action :set_post, only: [:show, :edit, :update, :destroy]

  # GET /posts
  # GET /posts.json
  def index
    @posts = Post.all
  end

  # GET /posts/1
  # GET /posts/1.json
  def show
  end

  # GET /posts/new
  def new
    @post = Post.new
  end

  # GET /posts/1/edit
  def edit
  end

  # POST /posts
  # POST /posts.json
  def create
    @post = Post.new(post_params)

    respond_to do |format|
      if @post.save
        format.html { redirect_to @post, notice: 'Post was successfully created.' }
        format.json { render :show, status: :created, location: @post }
      else
        format.html { render :new }
        format.json { render json: @post.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /posts/1
  # PATCH/PUT /posts/1.json
  def update
    respond_to do |format|
      if @post.update(post_params)
        format.html { redirect_to @post, notice: 'Post was successfully updated.' }
        format.json { render :show, status: :ok, location: @post }
      else
        format.html { render :edit }
        format.json { render json: @post.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /posts/1
  # DELETE /posts/1.json
  def destroy
    @post.destroy
    respond_to do |format|
      format.html { redirect_to posts_url, notice: 'Post was successfully destroyed.' }
      format.json { head :no_content }
    end
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_post
      @post = Post.find(params[:id])
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    def post_params
      params.require(:post).permit(:visible_title, :html_title, :meta_description, :meta_keywords, :url_slug, :partial_name, :author, :post_date, :public, :category, :tags)
    end
end

帖/ show.html.erb:

标准文件打印出帖子的内容。

1 个答案:

答案 0 :(得分:2)

您已创建一个策略文件,用于定义哪个用户可以执行哪个操作。

但是,您不能在任何地方致电授权。

def new
  @post = Post.new
  authorize @post
end

将使用当前用户执行post对象的授权,并询问是否允许new

official readme

详细说明了这一点
相关问题
最新问题