bav*_*ten 4 ruby ruby-on-rails ruby-on-rails-4 pundit
我有2个控制器,1个用户,1个用于管理员.
控制器/ articles_controller.rb
class ArticlesController < ActionController::Base
...
def show
@article = Article.find(parmas[:id])
authorize @article
end
...
end
控制器/管理/ articles_controller.rb
class Admin::ArticlesController < AdminController
...
def show
@article = Article.find(parmas[:id])
authorize @article
end
...
end
我有2个文件策略策略/ article_policy.rb
class ArticlePolicy
extend ActiveSupport::Autoload
autoload :Admin
attr_reader :user, :record
def initialize(user, record)
@user = user
@record = record
end
def show?
# allow show for every user.
true
end
end
和一个文件policy/admin/article_policy.rb
class Admin::ArticlePolicy
attr_reader :user, :record
def initialize(user, record)
@user = user
@record = record
end
def show?
# only show if use have role manager
user.manager?
end
end
但当我使用帐户用户在/ admin/articles/1 /上显示文章时.它显示正常,应该是"访问被拒绝".
如何解决这个问题?(我使用gem pundit 1.10).
小智 10
使用authorize方法将名称空间作为参数传递.
class ArticlesController < ActionController::Base
...
def show
@article = Article.find(parmas[:id])
authorize [:admin, @article]
end
...
end
| 归档时间: |
|
| 查看次数: |
1705 次 |
| 最近记录: |