巫术宝石 - 已登录?总是返回false

时间:2015-03-04 15:41:40

标签: ruby-on-rails ruby ruby-on-rails-4 sorcery

我尝试使用Rails创建一个非常简单的Web应用程序,并且我使用Sorcery gem来验证用户身份。我在他们的GitHub页面上按照教程here进行操作,并且我没有找到它。

我有2个问题,我认为可能与之相关。 第一个是,当我使用这个before_filter skip_before_filter :require_login, only: [:index, :new, :create]时,用户仍然可以在不登录的情况下访问该页面。

另一个问题是,当用户尝试登录时,他们没有被重定向,当我使用内置帮助器logged_in?时,它总是返回false。即使登录时没有错误消息。

我已经添加了相应的控制器,如果您需要查看其他内容,请告诉我。

感谢。

user_sessions_controller.rb 

class UserSessionsController < ApplicationController
  skip_before_filter :require_login, :except => [:destroy]

  def new
    @user = User.new
  end

  def create
    if @user = login(params[:email], params[:password])
      redirect_back_or_to(:users, :notice => 'Login successfull.')
    else
      flash.now[:alert] = 'Login failed'
      render action: 'new'
    end
  end

  def destroy
    logout
    redirect_to(:users, :notice => 'Logged out!')
  end
end

users_controller.rb 

class UsersController < ApplicationController
  skip_before_filter :require_login, only: [:index, :new, :create]

  # GET /users
  # GET /users.json
  def index
    @users = User.all
  end

  # GET /users/1
  # GET /users/1.json
  def show
  end

  # GET /users/new
  def new
    @user = User.new
  end

  # GET /users/1/edit
  def edit
  end

  # POST /users
  # POST /users.json
  def create
    @user = User.new(user_params)

    respond_to do |format|
      if @user.save
        format.html { redirect_to :users, notice: 'User was successfully created.' }
        format.json { render :show, status: :created, location: @user }
      else
        format.html { render :new }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /users/1
  # PATCH/PUT /users/1.json
  def update
    respond_to do |format|
      if @user.update(user_params)
        format.html { redirect_to @user, notice: 'User was successfully updated.' }
        format.json { render :show, status: :ok, location: @user }
      else
        format.html { render :edit }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /users/1
  # DELETE /users/1.json
  def destroy
    @user.destroy
    respond_to do |format|
      format.html { redirect_to users_url, notice: 'User was successfully destroyed.' }
      format.json { head :no_content }
    end
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_user
      @user = User.find(params[:id])
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    #def user_params
    #  params.require(:user).permit(:email, :crypted_password, :salt)
    #end

    def user_params
      params.require(:user).permit(:email, :password, :password_confirmation)
  end
end

application_controller.rb 

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  # protect_from_forgery with: :exception
  protect_from_forgery

  before_filter :require_login


  private
    def not_authenticated
      redirect_to(login_path, :alert => "Please login first")
    end

end

1 个答案:

答案 0 :(得分:0)

由于此行skip_before_filter :require_login, only: [:index, :new, :create],所有人都可以访问用户页面。字面意思是“不检查授权”。只需删除此行。

通常,您应该只在公共页面和登录页面(即require_login等)上跳过UserSessionsController#create过滤器。

第二个问题:你的用户模型中有authenticates_with_sorcery!吗?

相关问题
最新问题