为什么`面向scope`-行动权威人士区别对待(尤其是`index`动作)? [英] Why are `scope`-oriented actions (particularly `index` actions) treated differently in Pundit?
问题描述
我就写 https://github.com/elabs/pundit#scopes
我是IM pression的的授权下的应该回答这个问题的您允许访问该资源?的,即真 / 假的答案。这是除了首页,其中,根据权威人士的文档,应该返回不同的所有行动的情况下的ActiveRecord ::关系的取决于谁是问。例如,管理的可获得 scope.all ,而普通用户的可获得范围。其中(:公布=>真)。
I am under the impression that authorization should answer the question Are you allowed access to this resource?, i.e. a true/false answer. This is the case with all actions except index, which, according to Pundit's docs, should return different ActiveRecord::Relation's depending on who is asking. For example, an admin gets scope.all, while a regular user gets scope.where(:published => true).
应用/政策/ post_policy.rb
class Scope < Struct.new(:user, :scope)
def resolve
if user.admin?
scope.all
else
scope.where(:published => true)
end
end
end
应用/控制器/ posts_controller.rb
def index
@posts = policy_scope(Post)
end
我的保留意见是,这是一个光滑的斜坡,不久我将增加presentation的范围(如 scope.all.order('created_at ASC')) - 它只是感觉怪怪的在授权策略的
My reservation is that this is a slippery slope, and soon I will be adding presentation to the scopes (e.g. scope.all.order('created_at ASC')) -- and it just feels weird doing so in an authorization policy.
当然,我可以移动,要控制器...
Of course I could move that to the controller...
def index
@post = policy_scope(post)
if user.admin?
@post = @post.order( 'created_at ASC' )
end
end
...但是是控制器的工作吗?我不认为这是正确的这样的调用添加到视图。因此,也许它应该是一个模型法?
...but is that the controller's job? And I don't think it would be right to add such a call to the view. So maybe it should be a model method?
你会怎么说的都是这样做的优点/缺点如下呢?
What would you say are the pros/cons of doing the following instead?
应用/控制器/ posts_controller.rb
这使得首页就像其他的方法,有一个呼叫批准,和一个呼叫模型方法。
This keeps index just like the other methods, with one call to authorize, and one call to a model method.
def index
authorize(Post)
@posts = Post.index(current_user)
end
应用/政策/ post_policy.rb
这只是给出了一个真/假答案。你的授权?是或否。
This simply gives a true/false answer. Are you authorized? Yes or no.
def index?
user.admin? || user.regular_user?
end
应用/型号/ post.rb
而在模型中,我们可以得到的梦幻色彩,因为我们喜欢。
And in the model we can get as fancy as we like.
def self.index(user)
if user.admin?
Post.all.order('created_at ASC')
else
Post.where(user_id: user.id)
end
end
思考?
推荐答案
我的授权的认识VS在权威人士范围如下:
My understanding of authorization vs scopes in Pundit is as follows:
授权:'?这是用户允许的时的行为(创建/更新/销毁)此资源
authorization: 'is this user allowed to act upon (create/update/destroy) this resource?'
范围:'?应该该用户能够查看(索引/显示)此资源
within scope : 'should this user be able to see (index/show) this resource?'
授权(授权@resource )委托给 permitted_attributes 在 ResourcePolicy 的答案。
Authorization (authorize @resource) defers to permitted_attributes in ResourcePolicy for the answer.
斯科普斯( policy_scope(资源))推迟到解析。
我相信背后权威人士的范围的理由是,应该在你的code只在一个位置,你定义谁应该可以访问哪些资源。
I believe the reasoning behind Pundit's scopes is that there should be only one location in your code where you define who should have access to what resources.
您可以,因为你所描述,在实现您的控制器或你的观点相同的行为。然而,把code为防止未经授权的访问的策略卫兵如果你碰巧适当忘记范围在你的控制器的方法之一。
You could, as you've described, implement the same behavior in your controllers or your views. However, putting the code into a Policy guards against unauthorized access should you happen to forget to scope appropriately in one of your controller methods.
我觉得 policy_scope的(),以限制的知名度,而其他结果的改进(例如排序),可以在控制器级别发生的方式。毫无疑问,很多在作怪个人preference,但是。
I think of policy_scope() as the way to restrict visibility, while other result refinements (e.g. sorting) can take place at the controller level. There's no doubt a lot of personal preference at play, however.
这篇关于为什么`面向scope`-行动权威人士区别对待(尤其是`index`动作)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
