I'm using the Devise gem to authenticate users. Users create answers to a form in the application, and only admins should be able to view the results and an index of all users who filled in the form. I have 2 users, one with the admin attribute set to "true" and the other set to "false" (previously "nil").
Only users whose admin attribute is set to "true" should be able to access the show and index views.
When I only use the authenticate_user! method included in Devise, it works correctly: users can only see the show and index pages when logged in. But when I add the authenticate method that is supposed to allow admin users, suddenly every user can see the show and index pages, whether logged in or not. I don't understand why this happens, because according to the logic in the code as I understand it, only a logged-in admin user should be able to see these pages now. current_user is also a Devise gem method.
I have the following code in my Formularios (forms) controller:
class FormulariosController < ApplicationController
  before_action :set_formulario, only: [:show, :edit, :update, :destroy]
  before_action :authenticate, only: [:show, :index]

  # GET /formularios
  # GET /formularios.json
  def index
    @formularios = Formulario.all
  end
  .
  .
  .
  .
  .
  private

  def authenticate
    authenticate_user! && current_user.admin?
  end

  # Use callbacks to share common setup or constraints between actions.
  def set_formulario
    @formulario = Formulario.find(params[:id])
  end

  # Never trust parameters from the scary internet, only allow the white list through.
  def formulario_params
    params.require(:formulario).permit(:nombre, :fecha, :FdN, :direccion, :sexo, :email, :telefono, :movil, :profesion, :altura, :peso, :motivos, :especialistas, :dieta, :intolerancia, :detalles_1, :limites, :otro_1, :problema1, :p1, :p2, :p3, :problema2, :p4, :p5, :p6, :problema3, :p7, :p8, :p9, :problema4, :p10, :p11, :p12, :otro_2, :medicacion1, :m1, :m2, :m3, :m4, :m5, :m6, :medicacion2, :m7, :m8, :m9, :m10, :m11, :m12, :medicacion3, :m13, :m14, :m15, :m16, :m17, :m18, :otro_3, :suplemento1, :s1, :s2, :s3, :s4, :suplemento2, :s5, :s6, :s7, :s8, :suplemento3, :s9, :s10, :s11, :s12, :otro_4, :madre, :padre, :abuela_mat, :abuela_pat, :abuelo_mat, :abuelo_pat, :hermanos, :hermanas, :tios, :tias, :ninos, :sobrinos, :activa, :ejercicio1, :e1, :e2, :ejercicio2, :e3, :e4, :ejercicio3, :e5, :e6, :otro_5, :fumas1, :fumas2, :fumado, :alcol1, :alcol2, :alergia1, :alergia2, :habitos1, :habitos2, :habitos3, :habitos4, :galletas_tartas_bolleria, :leche, :huevos, :chocolates_dulces, :carne_roja, :carne_blanca, :pescado_blanco, :pezcado_azul, :carne_procesada, :pan, :te, :cafe, :refresco_lata, :agua, :verdura, :ensalada, :tick, :pecho, :dieta_sana, :motivacion, :desayuno1, :desayuno2, :desayuno3, :almuerzo, :almuerzo2, :almuerzo3, :cena1, :cena2, :cena3, :snacks1, :snacks2, :snacks3, :bebidas1, :bebidas2, :bebidas3)
  end
end
From schema.rb:
create_table "users", force: :cascade do |t|
  t.string "email", default: "", null: false
  t.string "encrypted_password", default: "", null: false
  t.string "reset_password_token"
  t.datetime "reset_password_sent_at"
  t.datetime "remember_created_at"
  t.integer "sign_in_count", default: 0, null: false
  t.datetime "current_sign_in_at"
  t.datetime "last_sign_in_at"
  t.string "current_sign_in_ip"
  t.string "last_sign_in_ip"
  t.datetime "created_at", null: false
  t.datetime "updated_at", null: false
  t.boolean "admin"
  t.index ["email"], name: "index_users_on_email", unique: true
  t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
end
Edit 1: User.rb
class User < ApplicationRecord
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable
end
Answer 0 (score: 2)
It looks like your authenticate method does nothing beyond requiring user authentication.
You probably want something like this:
class FormulariosController < ApplicationController
  before_action :set_formulario, only: [:show, :edit, :update, :destroy]
  before_action :authenticate_user!, only: [:show, :index]
  before_action :authenticate_admin, only: [:show, :index]

  # GET /formularios
  # GET /formularios.json
  def index
    @formularios = Formulario.all
  end
  .
  .
  .
  .
  .
  private

  def authenticate_admin
    unless current_user.admin?
      redirect_to root_path
    end
  end

  # Use callbacks to share common setup or constraints between actions.
  def set_formulario
    @formulario = Formulario.find(params[:id])
  end

  # Never trust parameters from the scary internet, only allow the white list through.
  def formulario_params
    params.require(:formulario).permit(:nombre, :fecha, :FdN, :direccion, :sexo, :email, :telefono, :movil, :profesion, :altura, :peso, :motivos, :especialistas, :dieta, :intolerancia, :detalles_1, :limites, :otro_1, :problema1, :p1, :p2, :p3, :problema2, :p4, :p5, :p6, :problema3, :p7, :p8, :p9, :problema4, :p10, :p11, :p12, :otro_2, :medicacion1, :m1, :m2, :m3, :m4, :m5, :m6, :medicacion2, :m7, :m8, :m9, :m10, :m11, :m12, :medicacion3, :m13, :m14, :m15, :m16, :m17, :m18, :otro_3, :suplemento1, :s1, :s2, :s3, :s4, :suplemento2, :s5, :s6, :s7, :s8, :suplemento3, :s9, :s10, :s11, :s12, :otro_4, :madre, :padre, :abuela_mat, :abuela_pat, :abuelo_mat, :abuelo_pat, :hermanos, :hermanas, :tios, :tias, :ninos, :sobrinos, :activa, :ejercicio1, :e1, :e2, :ejercicio2, :e3, :e4, :ejercicio3, :e5, :e6, :otro_5, :fumas1, :fumas2, :fumado, :alcol1, :alcol2, :alergia1, :alergia2, :habitos1, :habitos2, :habitos3, :habitos4, :galletas_tartas_bolleria, :leche, :huevos, :chocolates_dulces, :carne_roja, :carne_blanca, :pescado_blanco, :pezcado_azul, :carne_procesada, :pan, :te, :cafe, :refresco_lata, :agua, :verdura, :ensalada, :tick, :pecho, :dieta_sana, :motivacion, :desayuno1, :desayuno2, :desayuno3, :almuerzo, :almuerzo2, :almuerzo3, :cena1, :cena2, :cena3, :snacks1, :snacks2, :snacks3, :bebidas1, :bebidas2, :bebidas3)
  end
end
Then, for the show and index actions, a user who is not an admin is redirected to the application's root path.
Edit
Actually, I'm not quite sure what authenticate_user! && current_user.admin? is doing, since it isn't part of an if/else statement. It will definitely require user authentication, but I'm not even sure the second part fires at all... if it isn't an error.
(By the way, I'm still a beginner in Rails, so I'm not familiar with all the Rails syntax.)
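As an added example (not part of the question or the answer), the following stand-alone Ruby models the one rule that explains the behaviour discussed above: Rails discards a before_action's return value and halts the chain only when a filter renders or redirects. User, MiniController, run and the redirect paths are constructed for this demo and are not Rails or Devise code.

```ruby
# Added example (not from the question or answer): a minimal stand-in for the
# Rails callback chain. Rails discards a before_action's return value and halts
# only when a filter renders or redirects, so `authenticate_user! &&
# current_user.admin?` never stops a signed-in non-admin. All names are constructed.
User = Struct.new(:email, :admin) do
  def admin?
    admin == true
  end
end

class MiniController
  attr_reader :current_user, :redirected_to
  def initialize(current_user)
    @current_user = current_user
  end

  # Stand-in for Devise's authenticate_user!: redirects when nobody is signed in.
  def authenticate_user!
    redirect_to '/users/sign_in' unless current_user
    !current_user.nil?
  end

  def redirect_to(path)
    @redirected_to = path
  end

  def performed?
    !@redirected_to.nil?
  end

  # Mirrors Rails: run filters in order, stop at the first one that redirected.
  def run(*filters)
    filters.each do |f|
      send(f)
      return :halted if performed?
    end
    :rendered # the action (show/index) would run here
  end

  # The question's filter: the boolean it returns is simply ignored.
  def authenticate
    authenticate_user! && current_user.admin?
  end

  # The answer's filter: an explicit redirect is what actually halts the chain.
  def authenticate_admin
    redirect_to '/' unless current_user.admin?
  end
end
```

Running `MiniController.new(User.new('a@example.com', false)).run(:authenticate)` returns :rendered (the non-admin gets the page), while `run(:authenticate_user!, :authenticate_admin)` on the same controller returns :halted with redirected_to set to '/'.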