What is the purpose of Rolify?

Question
Hi, I'm using rolify and have just realized that I'm not actually taking advantage of its full potential.
At present I am doing things in my controller like re-routing users if current_user.has_role? :whatever_role, and allowing users if they have whatever other role...
Someone asked a question on stackoverflow about rolify and when I got to trying to answer it, I realized that I'm doing it wrong.
Now, here is where my confusion starts... Inside of ability.rb I have:
user ||= User.new # guest user (not logged in)
if user.has_role? :consumer
  can :manage, Review
else
  can :read, Review
end
Now let's say I add the consumer role to a user:
x=User.last
x.add_role :consumer
# => #<Role id: 10, name: "consumer", resource_id: nil, resource_type: nil, created_at: "2013-04-18 23:00:46", updated_at: "2013-04-18 23:00:46">
Right, so the role is created. I can check this by doing:
x.has_role? :consumer
=> true
Now I would expect this to give management ability for reviews...
x.has_role? :consumer, Review
=> true
but not for other models... here I try products
x.has_role? :consumer, Product
=> true
Further, when I look at "resource roles querying" and try to query the applied roles for reviews I find no applied roles:
Review.first.applied_roles
=> []
Can someone please explain rolify to me? Thanks.
Answer

My answer, from this reddit post:
Authentication is establishing a User is who they claim to be.
Authorization is establishing that a User can perform a given action, be it reading or writing, after they've established their identity.
Roles are just common patterns of authorization across users: this User can be authorized as such, that User can be authorized like this instead.
The ingredient you're missing here is Permissions: a relationship between an established Role and some controller action.
Roles themselves make no promises about what action a User can perform. And remember: authorization is all about actions. Roles generalize what kind of User you're dealing with. They exist to keep you from having to query every User for a giant laundry list of Permissions. They declare: this User is a Role! Of course they have Permission to do that!
There are many types of Permission. You can store them in a database if you want your sufficiently authorized Users to be able to edit them, along with your Roles if those too ought to be configurable. Or, if your User's Roles are sufficiently static, you can manage Permissions in advance with Ruby code:
- When I want to have configurable Roles and Permissions, i.e. for a client application you're handing off to someone at completion of contract, I implement a User :has_many Roles and a Role :has_many Permissions with my own custom models, and then add a before_filter :authorize hook into my ApplicationController, and write an authorize method on it that knows how to marshal these expectations, or render a 403 page for those people who insist upon manually entering URLs to things they hope expose actions to things they oughtn't have access to.
- When I want to just have configurable Roles, I use Ryan Bates' CanCan gem.
- When I want to have predetermined Roles and Permissions, I use Rolify in conjunction with Nathan Long's Authority, to get delightfully flexible class-based Permissions via Authorizer classes.
Both Roles and Permissions can be either class-based or instance-based, depending on your use-case. You can, say, with the abilities of rolify you've just discovered, decide that Users may only act as a Role in certain, instance-based circumstances. Or, general Roles of User may only be able to execute an action given the object they are trying to action is of a certain type.
To explore the permutations of these, assuming a blog application, following the formula: a User who is a/an Role class/instance can action a/an/all/any/that (class/instance) Permission:
- Role class and Permission class: a User who is an Admin can delete any Post.
- Role class and Permission instance: a User who is an Admin can edit all Posts that they approved to be published. This would be easier if published posts had an approved_by field pointing to a User id. (Use a state machine gem for this sort of situation.)
- Role instance and Permission class: a User who is an Author of a Post can [action] any Post. Note that this sort of situation is rare, which is why there are no gems I've mentioned above to handle this situation, except for perhaps the ability to manage predetermined circumstances like Rolify and Authority in conjunction; or, if you must pass this decision on to your client, your own custom solution.
- Role instance and Permission instance: a User who is an Author of a Post can edit that Post.
TL;DR:

- Rolify is just for roles: grouping Users by Permission: access to a controller action. You have yet to decide how you are going to manage Permissions.
I hope this helps your understanding of Rolify's position in the grand scheme of authentication and authorization!
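Two things in this thread lend themselves to a runnable sketch: the question's observation that a global consumer role answers true to has_role? for both Review and Product while Review.first.applied_roles is empty, and the answer's role/permission permutations (Admin deletes any Post, Admin edits Posts they approved, Author edits their own Post). The pure-Ruby model below is an added example, not code from the original post nor from rolify, CanCan or Authority; the Role, User, PostAuthorizer and demo names, the scoping rules in Role#applies_to?, and the Review/Product/Post structs are assumptions made for illustration.

```ruby
# Added example (not rolify/CanCan/Authority code): a minimal role store with
# global, class-scoped and instance-scoped roles, plus a permission layer that
# ties roles to actions on a resource. All names here are assumptions.

Review  = Struct.new(:id)
Product = Struct.new(:id)
Post    = Struct.new(:id, :approved_by)   # approved_by holds an approving User id

# A role is a name plus an optional scope: nil (global), a class, or an instance.
class Role
  @all = []
  class << self
    attr_reader :all
    # Roles stored against exactly this instance (an analogue of applied_roles).
    def applied_to(resource)
      all.select { |r| !r.resource.is_a?(Class) && r.resource == resource }
    end
  end

  attr_reader :name, :resource

  def initialize(name, resource = nil)
    @name, @resource = name.to_sym, resource
    Role.all << self
  end

  # Does this role answer a query scoped to `queried`?
  #   global role          -> matches any query (consistent with what the question saw)
  #   class-scoped role    -> matches that class and any instance of it
  #   instance-scoped role -> matches only that instance
  def applies_to?(queried)
    return true if resource.nil?
    return queried == resource || queried.is_a?(resource) if resource.is_a?(Class)
    queried == resource
  end
end

class User
  attr_reader :id, :roles

  def initialize(id)
    @id, @roles = id, []
  end

  def add_role(name, resource = nil)
    @roles << Role.new(name, resource)
    self
  end

  # With no resource, any scope counts; with one, the role must apply to it.
  def has_role?(name, resource = nil)
    roles.any? { |r| r.name == name.to_sym && (resource.nil? || r.applies_to?(resource)) }
  end
end

# The "missing ingredient": permissions tie a role to an action on a resource.
module PostAuthorizer
  def self.authorized?(user, action, post)
    case action
    when :read   then true
    when :delete then user.has_role?(:admin)                      # role class, permission class
    when :edit
      (user.has_role?(:admin) && post.approved_by == user.id) ||   # role class, permission instance
        user.has_role?(:author, post)                              # role instance, permission instance
    else false
    end
  end
end

# Constructed sample users and records; returns a hash of check results.
def demo
  Role.all.clear
  consumer = User.new(1).add_role(:consumer)          # global role, as in the question
  editor   = User.new(2).add_role(:editor, Review)    # class-scoped role
  review   = Review.new(7)

  admin  = User.new(3).add_role(:admin)
  author = User.new(4)
  own    = Post.new(10, 3)                            # approved by the admin (id 3)
  other  = Post.new(11, 99)
  author.add_role(:author, own)                       # instance-scoped role

  {
    global_on_review:  consumer.has_role?(:consumer, Review),              # true
    global_on_product: consumer.has_role?(:consumer, Product),             # true as well
    review_applied:    Role.applied_to(review).map(&:name),                # [] for a global role
    scoped_on_review:  editor.has_role?(:editor, review),                  # true
    scoped_on_product: editor.has_role?(:editor, Product),                 # false
    admin_delete:      PostAuthorizer.authorized?(admin, :delete, other),  # true
    admin_edit_own:    PostAuthorizer.authorized?(admin, :edit, own),      # true
    admin_edit_other:  PostAuthorizer.authorized?(admin, :edit, other),    # false
    author_edit_own:   PostAuthorizer.authorized?(author, :edit, own),     # true
    author_edit_other: PostAuthorizer.authorized?(author, :edit, other),   # false
    author_delete:     PostAuthorizer.authorized?(author, :delete, own)    # false
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the hash returned by demo. The scoping rules are the point: a role stored with no resource matches every resource-scoped query, which is consistent with what the question saw for Review and Product, and only roles stored against a specific instance show up when you ask which roles apply to that instance. PostAuthorizer is where the answer's missing ingredient lives; it is the only place that says what an admin or an author may actually do to a Post, and a role check on its own never grants an action.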