使用pundit gem rails

时间:2016-11-15 15:03:22

标签: ruby-on-rails ruby ruby-on-rails-4 pundit

我是铁杆新手所以请耐心等待。我的问题非常具体。我正在创建一个用户博客,他们可以发布任何帖子。所以用户有博客,博客有帖子。因此,当用户创建博客时,他博客中的所有帖子都应该由他编写。其他用户不能写在他们的博客上。

  

post_controller.rb 

class PostsController < ApplicationController
  before_action :authenticate_user!
  before_action :authorize_user!, only: [:edit, :update, :destroy]

  expose :blog
  expose :post

  def show
  end

  def new
  end

  def edit
  end

  def create
    post.user = current_user
    post.save
    respond_with post, location: user_blog_path(post.blog.user, post.blog)
  end

  def update
    post.update(post_params)
    respond_with post, location: user_blog_path(post.blog.user, post.blog)
  end

  def destroy
    post.destroy
    respond_with post, location: user_blog_path(post.blog.user, post.blog)
  end

  private

  def authorize_user!
    authorize(post, :authorized?)
  end

  def post_params
    params.require(:post).permit(:title, :content, :user_id, :blog_id)
  end
end

我在这里使用权威授权用户,当他们更新或销毁帖子时(用户可以更新或销毁他们自己的帖子)并且它完美无缺。

视图/帖/新 

.row
  .columns
    h2 = title("New post")

.row
  .medium-5.columns
    = simple_form_for post do |f|
      = f.error_notification

      .form-inputs
        = f.input :title
        = f.input :content
        = f.hidden_field :blog_id, value: blog.id
      .form-actions
        = f.button :submit

这里我使用隐藏的表单来设置我从params中获取的blog_id。 Http链接看起来像 http://localhost:3000/posts/new?blog_id=6 。问题是每个用户都可以复制此链接以创建帖子(并且他们不是博客所有者)。

post_policy.rb 

class PostPolicy < ApplicationPolicy
  def authorized?
    record.user == user
  end
end

在发布帖子之前,我应该如何检查博客的所有者?也许我有一个错误的方法来创建这样的帖子(使用隐藏的形式)。

创建新帖子的链接 

= link_to 'New Post', new_post_path(blog_id: blog.id)

1 个答案:

答案 0 :(得分:1)

我希望,它会对你有用

<强> application_controller.rb 

  class ApplicationController

      include Pundit

      after_action :verify_authorized, except: :index
      after_action :verify_policy_scoped, only: :index

      before_action :authenticate_admin_user!

      helper_method :current_user

      def pundit_user
        current_admin_user
      end

      def current_user
        @current_user ||= User.find(current_admin_user.id)
      end

    end

<强> posts_controller.rb 

class PostsController < ApplicationController

  before_action :set_blog

  def new
    authorize(Post)
  end

  def edit
    @post = @blog.posts.find(params[:id])
    authorize(@post)
  end

  def index
    @posts = policy_scope(@blog.posts)
  end

  private

  def set_blog
    @blog = current_user.blogs.find(params[:blog_id])
  end

end

<强> post_policy.rb 

class PostPolicy < ApplicationPolicy

  def show?
    true
  end

  def index?
    true
  end

  def new?
    create?
  end

  def create?
    true
  end

  def edit?
    update?
  end

  def update?
    scope_include_object?
  end

  def destroy?
    scope_include_object?
  end

  class Scope < Scope

    def resolve
      scope.joins(:blog).where(blogs: { admin_user_id: user.id })
    end

  end

  def scope_include_object?
    scope.where(id: record.id).exists?
  end

end

<强> 的routes.rb 

Rails.application.routes.draw do
  devise_for :admin_users

  resources :blogs do
    resources :posts
  end
end
相关问题
最新问题