Rails 5.1 路由:动态 :action 参数 [英] Rails 5.1 Routes: dynamic :action parameters

问题描述

Rails 5.0.0.beta4 对包含动态 :action 和 :controller 段的路由引入了弃用警告:

Rails 5.0.0.beta4 introduced a deprecation warning on routes containing dynamic :action and :controller segments:

DEPRECATION WARNING: Using a dynamic :action segment in a route is deprecated and will be removed in Rails 5.1. 

来自此 PR 的提交消息 指出:

允许通过路径指定 :controller 和 :action 值在 config/routes.rb 中一直是许多问题的根本原因在导致安全发布的 Rails 中.有鉴于此最好将控制器和动作明确列入白名单而不是试图将坏"值列入黑名单或清理.

Allowing :controller and :action values to be specified via the path in config/routes.rb has been an underlying cause of a number of issues in Rails that have resulted in security releases. In light of this it's better that controllers and actions are explicitly whitelisted rather than trying to blacklist or sanitize 'bad' values.

您将如何将一组操作参数列入白名单"?我的路由文件中有以下内容，这些内容引发了弃用警告:

How would you go about "whitelisting" a set of action parameters? I have the following in my routes file, which are raising the deprecation warning:

namespace :integrations do
  get 'stripe(/:action)', controller: 'stripe', as: "stripe"
  post 'stripe/deactivate', controller: 'stripe', action: 'deactivate'
end

推荐答案

虽然有点麻烦，但最好的方法似乎是明确定义路由:

Though it's a bit cumbersome, the best approach seems to be to explicitly define the routes:

namespace :integrations do
  namespace 'stripe' do
    %w(auth webhook activate).each do |action|
      get action, action: action
    end
  end
  post 'stripe/deactivate', controller: 'stripe', action: 'deactivate'
end

这篇关于Rails 5.1 路由:动态 :action 参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！