管理员用户的Rails 4 Mass Assignment白名单参数 [英] Rails 4 Mass Assignment Whitelisting Parameters for Admin User

问题描述

我一直在四处寻找并尝试如何使用Rails 4进行大规模分配.我知道这个问题已经被打死了，但是从我的搜索中，我只遇到需要protected_attributes的答案gem和attr_accessible.现在我不确定这是否仍然是行业标准，所以我想问一问.

I've been looking around and trying to see how I would handle mass-assignment with Rails 4. I know this question has been beaten to death, but from my search, I've only come across answers that require the protected_attributes gem and attr_accessible. Now I'm not sure if that is still the industry standard on this, so I wanted to ask.

我正在使用Rails 4.0.1，并且试图弄清楚如何将特定的参数更新限制为仅管理员帐户.

I'm using Rails 4.0.1 and I am trying to figure out how I can limit specific parameter updates to admin accounts only.

以下是参数: :title，:summary，:content，:status

Here are the parameters: :title, :summary, :content, :status

现在，当用户创建帖子时，他们只能更新以下属性: :title，:summary，:content

Now when a user creates a post, they can only update the following attributes: :title, :summary, :content

但是，如果管理员更新了帖子，则他们可以更新 :title，:summary，:content AND:status

However, if an admin updates the post, they are able to update :title, :summary, :content AND :status

post_controller.rb

  def create
    @post = Post.new(post_params)
    @post.status = 'pending'

    respond_to do |format|
      if @post.save
        PostMailer.new_post(@post).deliver
        format.html { redirect_to @post, notice: 'Post was successfully submitted.' }
        format.json { render action: 'show', status: :created, location: @post }
      else
        format.html { render action: 'new' }
        format.json { render json: @post.errors, status: :unprocessable_entity }
      end
    end
  end

  def update
    @categories = Category.all    
    respond_to do |format|
      @post.slug = nil
      if params[:post][:featured]
        @image = Imgurruby::Imgur.new('20e2a9ef8542b15873a0dfa7502df0b5')
        @image.upload(params[:post][:featured])
        params[:post][:featured] = @image.url.to_s
      end      
      if @post.update(post_params)
        expire_fragment(@post)
        @post.friendly_id
        format.html { redirect_to @post, notice: 'Post was successfully updated.' }
        format.json { head :no_content }
      else
        format.html { render action: 'edit' }
        format.json { render json: @post.errors, status: :unprocessable_entity }
      end
    end
  end

  def post_params
    params.require(:post).permit(:title, :summary, :category, :tags, :content, :user_id, :category_id, :slug, :featured, :views)
  end

我认为最好的方法是在post_params方法中使用运算符来检查用户是否是管理员，如果允许，则允许使用不同的参数集吗?

Would I be right in assuming that the best way would be to use an operator in the post_params method to check if the user is an admin, and if so, permit a different set of parameters?

推荐答案

当然，您可以为不同的用户或不同的操作使用不同的参数集.你会做类似的事情:

of course, you can use different sets of parameters for different users or for different actions. you would do something like:

def update
  if user.is_a? Admin
    @post.update(post_params_admin)
   else
    @post.update(post_params_user)
  end

end

def post_params_user
   params.require(:post).permit(:title, :summary, :category, :content)
end

def post_params_admin
   params.require(:post).permit(:title, :summary, :category, :tags, :content, :user_id, :category_id, :slug, :featured, :views)
end

这篇关于管理员用户的Rails 4 Mass Assignment白名单参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！