2015-09-09 82 views
0

在我的Rails應用4,有5種型號:軌道4,5: 「權威人士:: NotAuthorizedError」

class User < ActiveRecord::Base 
    has_many :administrations 
    has_many :calendars, through: :administrations 
end 

class Calendar < ActiveRecord::Base 
    has_many :administrations 
    has_many :users, through: :administrations 
    has_many :posts 
end 

class Administration < ActiveRecord::Base 
    belongs_to :user 
    belongs_to :calendar 
end 

class Post < ActiveRecord::Base 
    belongs_to :calendar 
end 

class Comment < ActiveRecord::Base 
    belongs_to :post 
    belongs_to :user 
end 

我實現與設計(所以我們有機會獲得current_user)認證。

現在,我試圖通過權威人士(第一個計時器)實施授權。

documentation後,我安裝了寶石,並運行了rails g pundit:install生成器。

然後,我創建了一個CalendarPolicy,如下所示:

class CalendarPolicy < ApplicationPolicy 

    attr_reader :user, :calendar 

    def initialize(user, calendar) 
    @user = user 
    @calendar = calendar 
    end 

    def index? 
    user.owner? || user.editor? || user.viewer? 
    end 

    def show? 
    user.owner? || user.editor? || user.viewer? 
    end 

    def update? 
    user.owner? || user.editor? 
    end 

    def edit? 
    user.owner? || user.editor? 
    end 

    def destroy? 
    user.owner? 
    end 

end 

我也更新了我的User模型下面的方法:

def owner? 
    Administration.find_by(user_id: params[:user_id], calendar_id: params[:calendar_id]).role == "Owner" 
end 

def editor? 
    Administration.find_by(user_id: params[:user_id], calendar_id: params[:calendar_id]).role == "Editor" 
end 

def viewer? 
    Administration.find_by(user_id: params[:user_id], calendar_id: params[:calendar_id]).role == "Viewer" 
end 

我更新了我的CalendarsController行動與authorize @calendar,如下所示:

def index 
    @user = current_user 
    @calendars = @user.calendars.all 
    end 

    # GET /calendars/1 
    # GET /calendars/1.json 
    def show 
    @user = current_user 
    @calendar = @user.calendars.find(params[:id]) 
    authorize @calendar 
    end 

    # GET /calendars/new 
    def new 
    @user = current_user 
    @calendar = @user.calendars.new 
    authorize @calendar 
    end 

    # GET /calendars/1/edit 
    def edit 
    @user = current_user 
    authorize @calendar 
    end 

    # POST /calendars 
    # POST /calendars.json 
def create 
    @user = current_user 
    @calendar = @user.calendars.create(calendar_params) 
    authorize @calendar 
    respond_to do |format| 
    if @calendar.save 
     current_user.set_default_role(@calendar.id, 'Owner') 
     format.html { redirect_to calendar_path(@calendar), notice: 'Calendar was successfully created.' } 
     format.json { render :show, status: :created, location: @calendar } 
    else 
     format.html { render :new } 
     format.json { render json: @calendar.errors, status: :unprocessable_entity } 
    end 
    end 
end 

    # PATCH/PUT /calendars/1 
    # PATCH/PUT /calendars/1.json 
    def update 
    @user = current_user 
    @calendar = Calendar.find(params[:id]) 
    authorize @calendar 
    respond_to do |format| 
     if @calendar.update(calendar_params) 
     format.html { redirect_to calendar_path(@calendar), notice: 'Calendar was successfully updated.' } 
     format.json { render :show, status: :ok, location: @calendar } 
     else 
     format.html { render :edit } 
     format.json { render json: @calendar.errors, status: :unprocessable_entity } 
     end 
    end 
    end 

    # DELETE /calendars/1 
    # DELETE /calendars/1.json 
    def destroy 
    @user = current_user 
    @calendar.destroy 
    authorize @calendar 
    respond_to do |format| 
     format.html { redirect_to calendars_url, notice: 'Calendar was successfully destroyed.' } 
     format.json { head :no_content } 
    end 
    end 

而我在我的ApplicationController中包含after_action :verify_authorized, :except => :index

現在,當我登錄,我可以訪問http://localhost:3000/calendars/但是當我試圖訪問http://localhost:3000/calendars/new,我得到以下錯誤:

Pundit::NotAuthorizedError in CalendarsController#new 
not allowed to new? this #<Calendar id: nil, name: nil, created_at: nil, updated_at: nil> 

    @user = current_user 
    @calendar = @user.calendars.new 
    authorize @calendar 
end 

很顯然,我一定是做錯了什麼。

問題:我找不出什麼。

有什麼想法?

回答

0

的問題是,我沒有定義在CalendarPolicy一個create行動。

由於CalendarPolicy繼承自ApplicationPolicy - CalendarPolicy < ApplicationPolicy - 並且默認情況下,ApplicationPolicy中的create操作設置爲false,所以出現錯誤。

只需添加以下代碼CalendarPolicy解決了這一問題:

def create? 
    true 
end 

特別提示:沒有必要以新的行動ApplicationPolicy添加到CalendarPolicy,因爲我們已經有了下面的代碼:

def new? 
    create? 
end 
1

除非通過模型,否則您無法訪問模型中的參數。您應該將日曆傳遞給模型實例功能,並且您已經有權訪問該用戶。

user.editor?(calendar) 

def editor?(calendar) 
    Administration.find_by(user_id: self.id, calendar_id: calendar.id).role == "Editor" 
end 
+0

好的,所以我根據你的答案更新了'User'模型和'CalendarPolicy'中的所有3個方法。但我仍然收到相同的錯誤信息。任何其他想法? –

+1

你使用pry還是調試器?我會將一個放在控制器中,一個放在授權方法中,另一個放在模型中。然後確保所有變量都按照預期設置。 – penner

+0

我不使用Pry也不使用調試器。我在開發和測試中安裝了Byebug。 「你是什麼意思?」我將一個放在控制器中,一個放在授權方法中,另一個放在模型中。「? –