我正在使用devise,我关注this以设置三个用户(管理员,卖家,查看者)。每个用户都有model,session_controller,registration_conttroler和views文件夹,其中包含与每个用户关联的所有视图。
现在我正在尝试实施pundit gem,以便在每个controller中设置权限。
尝试登陆localhost:3000/items时出现以下错误:unable to find policy of nil Pundit::NotDefinedError in ItemsController#index
这就是我在items_controller中尝试做的事情:
class ItemsController < ApplicationController
before_action :set_item, only: [:show, :edit, :update, :destroy]
def index
authorize @item
@items = Item.all
end
def show
authorize @item
@comments = Comment.where(item_id: @item).order("created_at DESC")
@items = Item.find(params[:id])
end
def new
authorize @item
@item = Item.new
@categories = Category.order(:name)
end
def edit
authorize @item
@categories = Category.order(:name)
end
def create
authorize @item
@item = Item.new(item_params)
respond_to do |format|
if @item.save
format.html { redirect_to @item, notice: 'Item was successfully created.' }
format.json { render :show, status: :created, location: @item }
else
format.html { render :new }
format.json { render json: @item.errors, status: :unprocessable_entity }
end
end
end
def update
authorize @item
respond_to do |format|
if @item.update(item_params)
format.html { redirect_to @item, notice: 'Item was successfully updated.' }
format.json { render :show, status: :ok, location: @item }
else
format.html { render :edit }
format.json { render json: @item.errors, status: :unprocessable_entity }
end
end
end
def destroy
authorize @item
@item.destroy
respond_to do |format|
format.html { redirect_to items_url, notice: 'Item was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def set_item
@item = Item.find(params[:id])
end
end
application_controller.rb
class ApplicationController < ActionController::Base
include Pundit
protect_from_forgery prepend: true
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
def pundit_user
CurrentContext.new(current_seller, current_admin, current_viewer)
end
private
def user_not_authorized(exception)
policy_name = exception.policy.class.to_s.underscore
flash[:warning] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
redirect_to(request.referrer || root_path)
end
end
模型/ current_context.rb
class CurrentContext
attr_reader :seller, :admin, :viewer
def initialize(seller, admin, viewer)
@seller = seller
@admin = admin
@viewer = viewer
end
end
政策/ application_policy.rb
class ApplicationPolicy
attr_reader :seller, :record, :admin, :viewer
def initialize(context, record)
raise Pundit::NotAuthorizedError, "must be logged in" unless context
@seller = context.seller
@admin = context.admin
@viewer = context.viewer
@record = record
end
def index?
false
end
def show?
scope.where(:id => record.id).exists?
end
def create?
false
end
def new?
create?
end
def update?
false
end
def edit?
update?
end
def destroy?
false
end
def scope
Pundit.policy_scope!(user, record.class)
end
class Scope
attr_reader :seller, :admin, :viewer, :scope
def initialize(context, scope)
@seller = context.seller
@admin = context.admin
@viewer = context.viewer
@scope = scope
end
def resolve
scope
end
end
end
政策/ item_policy.rb
我在这里尝试的是...管理员拥有完全访问权限,卖家可以创建,编辑,更新,删除他自己的内容。
class ItemPolicy < ApplicationPolicy
attr_reader :item
def initialize(user, item)
super(user, item)
@user = user
@item = record
end
def update?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def index?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def show?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def create?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def new?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def edit?
@user.is_a?(Admin) || @item.try(:user) == @user
end
def destroy?
@user.is_a?(Admin) || @item.try(:user) == @user
end
end
答案 0 :(得分:1)
检查您的控制器是否有 @item nil的索引操作。 像这样更改索引操作:
def index
authorize Item
@items = Item.all
end
答案 1 :(得分:1)
在Pundit中,您传递该类以授权与特定实例不对应的操作:
def index
authorize Item
@items = policy_scope(Item)
end
还养成使用policy_scope的习惯 - 它可让您控制政策中可用的记录。
您在使用@item实例变量之前,在#new中声明它并创建:
def new
@item = Item.new(item_params)
authorize @item
end
您也可以通过授权set_item回调来显着干扰控制器:
class ItemsController < ApplicationController
before_action :set_item, only: [:show, :edit, :update, :destroy]
def index
authorize Item
@items = policy_scope(Item)
end
def show
# Use the association
@comments = @item.comments.order("created_at DESC")
end
def new
@item = Item.new
authorize @item
@categories = Category.order(:name)
end
def edit
@categories = Category.order(:name)
end
def create
@item = Item.new(item_params)
authorize @item
respond_to do |format|
if @item.save
format.html { redirect_to @item, notice: 'Item was successfully created.' }
format.json { render :show, status: :created, location: @item }
else
format.html { render :new }
format.json { render json: @item.errors, status: :unprocessable_entity }
end
end
end
def update
respond_to do |format|
if @item.update(item_params)
format.html { redirect_to @item, notice: 'Item was successfully updated.' }
format.json { render :show, status: :ok, location: @item }
else
format.html { render :edit }
format.json { render json: @item.errors, status: :unprocessable_entity }
end
end
end
def destroy
@item.destroy
respond_to do |format|
format.html { redirect_to items_url, notice: 'Item was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def set_item
@item = authorize( Item.find(params[:id]) )
# Or if you are using an older version of Pundit
# @item = Item.find(params[:id])
# authorize @item
end
end