What is the purpose of Rolify?


Question

Hi, I'm using rolify and have just realized that I'm not actually taking advantage of its full potential.

At present I am doing things in my controller like re-routing users if current_user.has_role? :whatever_role, and allowing users if they have whatever other role...

Someone asked a question on stackoverflow about rolify and when I got to trying to answer it, I realized that I'm doing it wrong.

Now, here is where my confusion starts... Inside of ability.rb I have:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    if user.has_role? :consumer
      can :manage, Review
    else
      can :read, Review
    end
  end
end

Now let's say I add the consumer role to a user:

x = User.last
x.add_role :consumer
# => #<Role id: 10, name: "consumer", resource_id: nil, resource_type: nil, created_at: "2013-04-18 23:00:46", updated_at: "2013-04-18 23:00:46">

Right, so the role is created. I can check this by doing:

x.has_role? :consumer
=> true

Now I would expect this to give management ability for reviews...

x.has_role? :consumer, Review
=> true

but not for other models... here I try products

x.has_role? :consumer, Product
=> true

Further, when I look at "resource roles querying" and try to query the applied roles for reviews I find no applied roles:

Review.first.applied_roles
=> []
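The three console results above (a global :consumer role satisfying has_role? for Review and for Product alike, yet applied_roles on a Review being empty) follow from how rolify scopes roles. The following is an added example, not code from the question or from the rolify gem: an in-memory stand-in for the roles table and for the has_role? / applied_roles lookups, written to reproduce those outputs offline and to contrast them with a class-scoped role. It assumes rolify's documented rule that a role stored with no resource is global (so it satisfies has_role?(name, AnyClass) too), that a class-scoped role covers every instance of that class, and that applied_roles on a resource only returns roles bound to that class or instance. The User, Review, Product and Role classes here are constructed toys, not ActiveRecord models.

```ruby
# Added example: in-memory model of rolify's role scoping (not rolify's code).
Role = Struct.new(:name, :resource_type, :resource_id)
ROLES = [] # constructed stand-in for the roles table

class User
  def initialize
    @roles = []
  end

  # add_role(:x)                -> global role (resource_type and resource_id nil)
  # add_role(:x, Review)        -> class-scoped role
  # add_role(:x, Review.new(1)) -> instance-scoped role
  def add_role(name, resource = nil)
    role = Role.new(name.to_s, *scope_of(resource))
    @roles << role
    ROLES << role
    role
  end

  def has_role?(name, resource = nil)
    type, id = scope_of(resource)
    @roles.any? do |r|
      next false unless r.name == name.to_s
      next true if r.resource_type.nil?   # a global role matches any query (assumed rolify rule)
      next false if resource.nil?         # a scoped role does not satisfy a global query
      r.resource_type == type && (r.resource_id.nil? || r.resource_id == id)
    end
  end

  private

  def scope_of(resource)
    case resource
    when nil then [nil, nil]
    when Class then [resource.name, nil]
    else [resource.class.name, resource.id]
    end
  end
end

# Roles "applied" to a resource: those bound to its class or to this very instance.
# Global roles are bound to nothing, which is why the question saw [].
module Resourcified
  attr_reader :id

  def initialize(id)
    @id = id
  end

  def applied_roles
    ROLES.select do |r|
      r.resource_type == self.class.name && (r.resource_id.nil? || r.resource_id == id)
    end
  end
end

class Review; include Resourcified; end
class Product; include Resourcified; end

# Exactly what the question did: a global role, true for every resource, applied nowhere.
def global_consumer
  ROLES.clear
  x = User.new
  x.add_role :consumer
  {
    plain:   x.has_role?(:consumer),                    # true
    review:  x.has_role?(:consumer, Review),            # true
    product: x.has_role?(:consumer, Product),           # true, not false
    applied: Review.new(1).applied_roles.map(&:name)    # []
  }
end

# What the question expected: a role scoped to the Review class only.
def scoped_consumer
  ROLES.clear
  x = User.new
  x.add_role :consumer, Review
  {
    plain:   x.has_role?(:consumer),                    # false
    review:  x.has_role?(:consumer, Review),            # true
    product: x.has_role?(:consumer, Product),           # false
    applied: Review.new(1).applied_roles.map(&:name)    # ["consumer"]
  }
end
```

The practical point for the ability.rb above: `user.has_role? :consumer` with no resource is a question about a global role, so the `can :manage, Review` branch is never reached by a user whose role was scoped to Review; pass the class (or the instance) to has_role? when the role was added with one.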

Can someone please explain rolify to me? Thanks

Answer

My answer, from this reddit post:

Authentication is establishing a User is who they claim to be.

Authorization is establishing that a User can perform a given action, be it reading or writing, after they've established their identity.

Roles are just common patterns of authorization across users: this User can be authorized as such, that User can be authorized like this instead.

The ingredient you're missing here is Permissions: a relationship between an established Role and some controller action.

Roles themselves make no promises about what action a User can perform. And remember: authorization is all about actions. Roles generalize what kind of User you're dealing with. They exist to keep you from having to query every User for a giant laundry list of Permissions. They declare: this User is a Role! Of course they have Permission to do that!

There are many types of Permission. You can store them in a database if you want your sufficiently authorized Users to be able to edit them, along with your Roles if those too ought to be configurable. Or, if your User's Roles are sufficiently static, you can manage Permissions in advance with Ruby code:

  • When I want to have configurable Roles and Permissions, i.e. for a client application you're handing off to someone at completion of contract, I implement a User :has_many Roles and a Role :has_many Permissions with my own custom models, and then add a before_filter :authorize hook into my ApplicationController, and write an authorize method on it that knows how to marshal these expectations, or render a 403 page for those people who insist upon manually entering URLs to things they hope expose actions to things they oughtn't have access to.

When I want to just have configurable Roles, I use Ryan Bates' CanCan gem.

When I want to have predetermined Roles and Permissions, I use Rolify in conjunction with Nathan Long's Authority, to get delightfully flexible Class-based Permissions via Authorizer classes.

Both Roles and Permissions can be either class-based or instance-based, depending on your use-case. You can, say, with the abilities of rolify you've just discovered, decide that Users may only act as a Role in certain, instance-based circumstances. Or, general Roles of User may only be able to execute an action given the object they are trying to action is of a certain type.

To explore the permutations of these, assuming a blog application, following the formula

a User who is a/an Role class/instance can action a/an/all/any/that (class/instance) Permission:

  • Role class and Permission class:

A User who is an Admin can delete any Post.

  • Role class and Permission instance:

A User who is an Admin can edit all Posts that they approved to be published.

This would be easier if published posts had an approved_by field pointing to a User id. (Use a state machine gem for this sort of situation.)

  • Role instance and Permission class:

A User who is an Author of a Post can ... any Post.

Note that this sort of situation is rare, which is why there are no gems I've mentioned above to handle this situation, except for perhaps the ability to manage predetermined circumstances like Rolify and Authority in conjunction; or, if you must pass this decision on to your client, your own custom solution.

  • Role instance and Permission instance:

A User who is an Author of a Post can edit that Post.
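The four permutations above, written out as an added example that is not the answerer's code and not CanCan's or Rolify's: a minimal CanCan-style ability (`can action, Class` with an optional per-instance block, checked with `can?`) over constructed Post and User objects. The approved_by field is the one the answer suggests; the role bookkeeping on User (an array of [name, resource] pairs, nil meaning global, :any meaning "bound to anything") is a toy stand-in for rolify; and because the answer leaves the action for case 3 unnamed, :comment is used there as an assumed placeholder.

```ruby
# Added example: the Role x Permission permutations as a CanCan-style ability
# (constructed toy objects, not CanCan's or Rolify's code).

# approved_by: the field the answer suggests, holding the approving User's id
Post = Struct.new(:id, :approved_by)

class User
  attr_reader :id, :roles

  # roles: array of [name, resource-or-nil] pairs; nil means a global role
  def initialize(id, roles = [])
    @id, @roles = id, roles
  end

  # has_role?(:admin)        -> global role only
  # has_role?(:author, post) -> role bound to that post (or a global one)
  # has_role?(:author, :any) -> role bound to any resource at all
  def has_role?(name, resource = nil)
    roles.any? do |n, r|
      n == name && (resource == :any || r.equal?(resource) || (resource && r.nil?))
    end
  end
end

class Ability
  def initialize(user)
    @rules = []
    user ||= User.new(nil) # guest user (not logged in), as in the question's ability.rb

    if user.has_role?(:admin)
      # 1. Role class + Permission class: an Admin can delete any Post
      can(:delete, Post)
      # 2. Role class + Permission instance: an Admin can edit the Posts they approved
      can(:edit, Post) { |post| post.approved_by == user.id }
    end

    if user.has_role?(:author, :any)
      # 3. Role instance + Permission class: an Author of some Post can act on any Post;
      #    the answer leaves the action unnamed, so :comment is an assumed placeholder
      can(:comment, Post)
    end

    # 4. Role instance + Permission instance: an Author of a Post can edit that Post
    can(:edit, Post) { |post| user.has_role?(:author, post) }

    can(:read, Post) # everyone, guests included
  end

  # A rule without a block applies to the whole class; a block decides per instance.
  def can(action, klass, &condition)
    @rules << [action, klass, condition]
  end

  # can?(:edit, Post) answers at class level; can?(:edit, post) runs the block.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |a, k, condition|
      a == action && k == klass &&
        (condition.nil? || subject.is_a?(Class) || condition.call(subject))
    end
  end
end

# Constructed scenario: admin 7 approved post 1; user 3 is the author of post 2.
def permutations
  approved   = Post.new(1, 7)
  unapproved = Post.new(2, nil)
  admin  = User.new(7, [[:admin, nil]])
  author = User.new(3, [[:author, unapproved]])
  guest  = nil

  {
    admin_deletes_any:      Ability.new(admin).can?(:delete, unapproved),  # true
    admin_edits_approved:   Ability.new(admin).can?(:edit, approved),      # true
    admin_edits_unapproved: Ability.new(admin).can?(:edit, unapproved),    # false
    author_comments_any:    Ability.new(author).can?(:comment, approved),  # true
    author_edits_own:       Ability.new(author).can?(:edit, unapproved),   # true
    author_edits_other:     Ability.new(author).can?(:edit, approved),     # false
    guest_reads:            Ability.new(guest).can?(:read, approved),      # true
    guest_deletes:          Ability.new(guest).can?(:delete, approved)     # false
  }
end
```

Note where the Role lives versus where the Permission lives: cases 1 and 2 decide on a global role and differ only in whether the rule carries a per-instance block, while cases 3 and 4 decide on a role bound to a particular Post, which is the scoping the question discovered in rolify but had not yet connected to any action.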

TL;DR:

  • Rolify is just for roles: grouping Users by Permission: access to a controller action. You have yet to decide how you are going to manage Permissions.

I hope this helps your understanding of Rolify's position in the grand scheme of authentication and authorization!
