我的网站出现以下问题。我创建了一堆api调用,可以被其他人使用,但主要是前端。我的问题是出于某种原因,似乎Authlogic在调用控制器和专家之前没有对我的用户进行身份验证。有趣的是,这只发生在TrackingController而没有发生在其他人身上。
我确实需要做一些技巧来让Authlogic在头文件而不是url参数上进行身份验证。我的ShiftsController再次正常,但我的TrackingController无效。
我已经能够找到缺少导致user错误的CalShiftArchivePolicy对象。如果我注释掉第5行,代码将在第11行停止,并显示错误:
"未定义的方法`has_roles?'为零:NilClass"
任何帮助都会很棒。
Ruby版本2.1.5p273,Rails版本4.1.8
在我的控制器中我有:
class TrackingController < ApplicationController
include Pundit
after_action :verify_authorized
def index
@tracking = CalShiftArchive.where("cal_shift_id = :id", :id => params[:shift_id])
authorize @tracking, :index?
end
end
Pundit政策:
class CalShiftArchivePolicy < ApplicationPolicy
attr_reader :user, :tracking
def initialize(user, shifts)
raise Pundit::NotAuthorizedError, "must be logged in" unless user
@user = user
@tracking = :tracking
end
def index?
user.has_roles?("CalAdmin")
end
端
应用程序控制器:
class ApplicationController < ActionController::Base
include Pundit
before_filter :api_logon
helper_method :current_user_session, :current_user
before_filter :set_current_user
protect_from_forgery with: :exception
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
def current_user_session
return @current_user_session if defined?(@current_user_session)
@current_user_session = UserSession.find
end
def current_user
return @current_user if defined?(@current_user)
@current_user = current_user_session && current_user_session.user
end
protected
def permission_denied
flash[:error] = "Sorry, you are not allowed to access that page."
redirect_to root_url
end
def api_logon
if request.headers["apiKey"]
params['user_credentials'] = request.headers["apiKey"]
end
end
private
def user_not_authorized
respond_to do |format|
format.html do
flash[:error] = "You are not authorized to perform that action action."
redirect_to(request.referrer || root_path)
end
format.xml { render :xml => "<error>You are not authorized to access that resource</error>", :status => 403 }
format.json { render :json =>
{:error => "You are not authorized to access that resource "}.to_json,
:status => 403 }
end
end
#----------------- Model Current_user workaround
# passes the current_user object to a thread safe
# object that can be accesssed in models.
def set_current_user
User.current_user = current_user
end
end
路由:
Rails.application.routes.draw do
#root rout - main page location
root to: 'welcome#index'
#Login and Logout routes
resources :user_sessions
get 'login' => 'user_sessions#new', :as => :login
get 'logout' => 'user_sessions#destroy', :as => :logout
resources :users do
patch 'suppress', on: :member
patch 'unsuppress', on: :member
patch 'activate', on: :member
patch 'lock', on: :member
patch 'unlock', on: :member
patch 'password', on: :member
end
resources :shifts, except: [:new, :edit] do
patch 'submit', on: :member
patch 'acquire', on: :member
resources :tracking, except: [:new, :edit, :destroy, :update, :create]
end
end
答案 0 :(得分:1)
简单的答案 - 愚蠢..
我忘记了当您使用authlogic和单一访问令牌选项时,您需要通过添加以下类来清除每个控制器以使用单一访问令牌:
def single_access_allowed?
true
end
我传递的是真实的,而不是允许的视图的哈希,因为我的所有视图都是api调用,我希望能够使用对我的所有操作进行的单一访问。