我有一个非常标准的设置:Identity::Member是用户,每个Project::Project由成员拥有。我一起使用Devise和Pundit进行身份验证和授权。
这是我Project::ProjectPolicy
class Project::ProjectPolicy < ApplicationPolicy
attr_reader :member, :project
def initialize(member, project)
@member = member
@project = project
end
...
def update?
member == project.member
end
def edit?
update?
end
...
end
这是edit行动:
# GET /projects/1/edit
def edit
authorize @project_project
respond_with @project_project
end
最后,ApplicationController
rescue_from Pundit::NotAuthorizedError, with: :member_not_authorized
def member_not_authorized
respond_with current_member, status: :unauthorized, location: -> { root_path }
end
但是......出于某种原因,点击编辑仍会将您带到编辑视图,尽管所有更改都被阻止,用户被重定向到root_path,就像我指示更新和销毁操作一样。为什么呢?