Setting up Devise so users can only read, but Admin gets full CRUD, in Rails 4.2.4

Time: 2016-02-06 11:03:26

Tags: ruby-on-rails ruby devise

I am a junior developer building an e-commerce web application with Rails 4.2.4, Devise and a Pin scaffold.

Right now a user can sign up, log in and then create, read, update and delete pins from index.html.erb.

Problem: I do not want logged-in users to be able to do CRUD (read only).

I want to set it up so that only I, as ADMIN, can create, update or destroy. Users and visitors should only be able to read.

I have been struggling with this for a few weeks and would really appreciate help getting it working.

Here is my PinsController

class PinsController < ApplicationController
  # authenticate_user! must be declared before correct_user: Rails runs
  # before_actions in declaration order, and correct_user calls current_user.pins,
  # which raises NoMethodError on nil for a guest hitting edit/update/destroy.
  before_action :authenticate_user!, except: [:index, :show]
  before_action :set_pin, only: [:show, :edit, :update, :destroy]
  before_action :correct_user, only: [:edit, :update, :destroy]

  def index
    # present? already covers nil, so the extra nil? check was redundant
    if params[:search].present?
      @pins = Pin.where("description LIKE ?", "%#{params[:search]}%").paginate(page: params[:page], per_page: 15)
    else
      @pins = Pin.all.order("created_at DESC").paginate(page: params[:page], per_page: 15)
    end
  end

  def show
  end

  def new
    @pin = current_user.pins.build
    authorize(@pin) # assumes an authorize helper (e.g. Pundit's) is mixed into ApplicationController
  end

  def edit
  end

  def create
    @pin = current_user.pins.build(pin_params)
    if @pin.save
      redirect_to @pin, notice: 'Pin was successfully created.'
    else
      render :new
    end
  end

  def update
    if @pin.update(pin_params)
      redirect_to @pin, notice: 'Pin was successfully updated.'
    else
      render :edit
    end
  end

  def destroy
    @pin.destroy
    redirect_to pins_url
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_pin
      @pin = Pin.find_by(id: params[:id])
    end

    # Only the pin's owner may edit, update or destroy it.
    def correct_user
      @pin = current_user.pins.find_by(id: params[:id])
      redirect_to pins_path, notice: "Not authorized to edit this pin" if @pin.nil?
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    def pin_params
      params.require(:pin).permit(:description, :image)
    end
end

Here is my index.html.erb

<h1>For Sale</h1>

<%= form_tag pins_path, method: :get do %>
  <div class="field">
    <%= label_tag :search, 'Description' %>
    <%= text_field_tag :search %>
    <%= submit_tag "Search", name: nil, class: "btn btn-success btn-sm" %>
    <%= link_to 'Clear', pins_path, class: 'btn btn-danger btn-sm' %>
  </div>
<% end %>

<div id="pins" class="transitions-enabled">
  <% @pins.each do |pin| %>
    <div class="box panel panel-default">
      <%= link_to image_tag(pin.image.url(:medium)), pin %>
      <div class="panel-body">
        <%= pin.description %>
        <%= link_to 'Show', pin_path(pin) %>
        <% if current_user && pin.user == current_user %>
          <%= link_to 'Edit', edit_pin_path(pin) %>
          <%= link_to 'Destroy', pin, method: :delete, data: { confirm: 'Are you sure?' } %>
        <% end %>
      </div>
    </div>
  <% end %>
</div>

<div class="center">
  <%= will_paginate @pins, renderer: BootstrapPagination::Rails %>
</div>

<div class="text-right">
  <% if user_signed_in? %>
    <%= link_to 'Post a Free Ad', new_pin_path, class: "btn btn-warning btn-lg" %>
  <% end %>
</div>

<br>

1 Answer:

Answer 0 (score: 2)

You want everyone (logged-in users and plain visitors) to be able to reach the index and show actions. All other actions are for admins only.

First step: we need a way to identify admins. Add a boolean admin attribute to the User model. Run the following on the command line to create a new migration:

$ rails g migration add_admin_to_users admin:boolean

Open the generated file and add default: false to it, so it looks like this:

class AddAdminToUsers < ActiveRecord::Migration
  def change
    add_column :users, :admin, :boolean, default: false
  end
end

Now run rake db:migrate to add the column to the database.

The next step is to give your own user admin rights. Open the Rails console (with $ rails c), find your user and set its admin flag to true:

> user = User.find_by(email: 'your-emailaddress@example.tld')
> user.admin = true
> user.save
> user.admin?
# => true

As you can see, Rails automatically adds an admin? method to the user. We now use that method in the controller:

before_action :find_pin,           only: [:show, :edit, :update, :destroy]
before_action :authenticate_user!, except: [:index, :show]
before_action :ensure_admin,       except: [:index, :show]

together with these private methods:

def find_pin
  @pin = Pin.find(params[:id]) # renders 404 in production when pin isn't found
end

def ensure_admin
  unless current_user.admin?
    redirect_to(pins_path, notice: 'Not authorized to edit this pin')
  end
end

Use the same admin? method in the view to hide the edit and destroy links from non-admins:

<%= link_to 'Show', pin_path(pin) %>
<% if current_user && current_user.admin? %>
  <%= link_to 'Edit', edit_pin_path(pin) %>
  <%= link_to 'Destroy', pin, method: :delete, data: { confirm: 'Are you sure?' } %>
<% end %>
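The before_action chain in the answer works only because authenticate_user! is declared ahead of ensure_admin. The following is an added example, not code from the question or the answer: a dependency-free Ruby model of that filter chain (FilterChain, the halt symbols and the constructed users are assumptions for this sketch) that checks the resulting access matrix for guests, members and admins, and shows that reversing the two filters crashes on a guest request.

```ruby
# Constructed stand-in for the Devise User model with the answer's boolean admin column.
User = Struct.new(:email, :admin) do
  def admin?
    admin == true
  end
end

# Plain-Ruby stand-in for a controller's before_action chain.
class FilterChain
  def initialize
    @filters = []
  end

  # Mirrors `before_action :name, except: [...]`; filters run in declaration order.
  def before_action(name, except: [])
    @filters << [name, except]
    self
  end

  # Runs every applicable filter; the first one that halts decides the outcome,
  # otherwise the action renders.
  def run(action, current_user)
    @filters.each do |name, except|
      next if except.include?(action)
      halt = send(name, current_user)
      return halt if halt
    end
    :"render_#{action}"
  end

  private
  # Devise's authenticate_user!: guests are redirected to the sign-in page.
  def authenticate_user!(user)
    :redirect_to_sign_in if user.nil?
  end
  # The answer's ensure_admin. It relies on authenticate_user! having run first:
  # a nil user here raises NoMethodError, exactly as nil.admin? would in Rails.
  def ensure_admin(user)
    :redirect_not_authorized unless user.admin?
  end
end

# Declaration order from the answer: authentication first, then the admin check.
ANSWER_CHAIN = FilterChain.new
  .before_action(:authenticate_user!, except: %i[index show])
  .before_action(:ensure_admin,       except: %i[index show])
# Same two filters reversed: ensure_admin sees a nil current_user for guests.
REVERSED_CHAIN = FilterChain.new
  .before_action(:ensure_admin,       except: %i[index show])
  .before_action(:authenticate_user!, except: %i[index show])
```

ANSWER_CHAIN.run(:edit, nil) returns :redirect_to_sign_in, while REVERSED_CHAIN.run(:edit, nil) raises NoMethodError, which is the failure mode the declaration order in the answer avoids.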