Question

我有几名控制人员,他们需要一个正确的用户来开展编辑/更新/编辑工作。实现以下目标所需要的铁路:

目前,每名控制员中都有我有以下法典:

class FooController < ApplicationController
  before_filter :correct_user, :only => [:edit, :update, :destroy]

  # normal controller code

  private

  def correct_user
    @foo = Foo.find params[:id]
    redirect_to some_path unless current_user == @foo.user
  end
end

我在3名控制人员中有类似的守则。我开始向这样的帮助者伸出援手:

module ApplicationHelper
  def correct_user( object, path )
    if object.respond_to? :user
      redirect_to path unless object.user == current_user
  end
end

但我很想知道,这是否是这样做的好办法。解决这一问题的公认方式是什么?

Thank you

http://www.ohchr.org。

这里正确的用户检查是因为我只想确保它能够向每个物体 make/del。

为了澄清,目标就象问题和员额。我不想使用像Can这样的东西,因为它为像这种情况这样简单的东西夸大了。

Answer 1

I really like using RyanB s CanCan, which allows you to both restrict access to actions based on the user, and centralize such authorization into basically a single file.

CanCan on GitHub: https://github.com/ryanb/cancan
Screencast explaining how to setup/use it: http://railscasts.com/episodes/192-authorization-with-cancan

EDIT

No problem. I hear you on CanCan - it takes a little while to get up and running on it, but it s designed to do exactly what you re asking - per object authorization.

Alternative: Another way to do this is move your authoriship/current_user check to the ApplicationController class, from which all of your other Controllers inherit (so they will get that code through inheritance - and you don t need to write the same code in multiple Controllers), and it would look something like...

class ApplicationController < ActionController::Base
  ...

  helper_method :correct_user

  private
    def correct_user( object, path )
      redirect_to path unless object.user == current_user
    end

end

Answer 2

您应:

def edit
  @foo = current_user.foos.find(params[:id])
end

这样,只有当目前的用户是<代码>的所有人时,才会如此。 Foo 他将能够看到。

友情链接