我尝试使用Rails创建一个非常简单的Web应用程序,并且我使用Sorcery gem来验证用户身份。我在他们的GitHub页面上按照教程here进行操作,并且我没有找到它。
我有2个问题,我认为可能与之相关。
第一个是,当我使用这个before_filter skip_before_filter :require_login, only: [:index, :new, :create]
时,用户仍然可以在不登录的情况下访问该页面。
另一个问题是,当用户尝试登录时,他们没有被重定向,当我使用内置帮助器logged_in?
时,它总是返回false。即使登录时没有错误消息。
我已经添加了相应的控制器,如果您需要查看其他内容,请告诉我。
感谢。
user_sessions_controller.rb
class UserSessionsController < ApplicationController
skip_before_filter :require_login, :except => [:destroy]
def new
@user = User.new
end
def create
if @user = login(params[:email], params[:password])
redirect_back_or_to(:users, :notice => 'Login successfull.')
else
flash.now[:alert] = 'Login failed'
render action: 'new'
end
end
def destroy
logout
redirect_to(:users, :notice => 'Logged out!')
end
end
users_controller.rb
class UsersController < ApplicationController
skip_before_filter :require_login, only: [:index, :new, :create]
# GET /users
# GET /users.json
def index
@users = User.all
end
# GET /users/1
# GET /users/1.json
def show
end
# GET /users/new
def new
@user = User.new
end
# GET /users/1/edit
def edit
end
# POST /users
# POST /users.json
def create
@user = User.new(user_params)
respond_to do |format|
if @user.save
format.html { redirect_to :users, notice: 'User was successfully created.' }
format.json { render :show, status: :created, location: @user }
else
format.html { render :new }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /users/1
# PATCH/PUT /users/1.json
def update
respond_to do |format|
if @user.update(user_params)
format.html { redirect_to @user, notice: 'User was successfully updated.' }
format.json { render :show, status: :ok, location: @user }
else
format.html { render :edit }
format.json { render json: @user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
@user.destroy
respond_to do |format|
format.html { redirect_to users_url, notice: 'User was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_user
@user = User.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
#def user_params
# params.require(:user).permit(:email, :crypted_password, :salt)
#end
def user_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
end
application_controller.rb
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
# protect_from_forgery with: :exception
protect_from_forgery
before_filter :require_login
private
def not_authenticated
redirect_to(login_path, :alert => "Please login first")
end
end
答案 0 :(得分:0)
由于此行skip_before_filter :require_login, only: [:index, :new, :create]
,所有人都可以访问用户页面。字面意思是“不检查授权”。只需删除此行。
通常,您应该只在公共页面和登录页面(即require_login
等)上跳过UserSessionsController#create
过滤器。
第二个问题:你的用户模型中有authenticates_with_sorcery!
吗?