Rails:从 Ruby on Rails 的模型中访问 current_user [英] Rails: Access to current_user from within a model in Ruby on Rails
问题描述
我需要在 Ruby on Rails 应用程序中实现细粒度的访问控制.单个用户的权限保存在数据库表中,我认为最好让相应的资源(即模型的实例)决定是否允许某个用户读取或写入它.每次在控制器中做出这个决定肯定不会很枯燥.
问题是为了做到这一点,模型需要访问当前用户,调用类似 may_read?(current_user, attribute_name).但是,模型通常无法访问会话数据.
I need to implement fine-grained access control in a Ruby on Rails app. The permissions for individual users are saved in a database table and I thought that it would be best to let the respective resource (i.e. the instance of a model) decide whether a certain user is allowed to read from or write to it. Making this decision in the controller each time certainly wouldn’t be very DRY.
The problem is that in order to do this, the model needs access to the current user, to call something like may_read?(current_user, attribute_name). Models in general do not have access to session data, though.
有很多建议可以在当前线程中保存对当前用户的引用,例如在这篇博文.这肯定能解决问题.
There are quite some suggestions to save a reference to the current user in the current thread, e.g. in this blog post. This would certainly solve the problem.
邻近的 Google 结果建议我在 User 类中保存对当前用户的引用,我猜这是由某个应用程序不必同时容纳大量用户的人想到的.;)
Neighboring Google results advised me to save a reference to the current user in the User class though, which I guess was thought up by someone whose application does not have to accommodate a lot of users at once. ;)
长话短说,我觉得我希望从模型中访问当前用户(即会话数据)来自我做错了.
Long story short, I get the feeling that my wish to access the current user (i.e. session data) from within a model comes from me doing it wrong.
你能告诉我我哪里错了吗?
Can you tell me how I’m wrong?
推荐答案
我认为您将 current_user 排除在模型之外的直觉是正确的.
I'd say your instincts to keep current_user out of the model are correct.
像 Daniel 一样,我完全支持瘦控制器和胖模型,但也有明确的职责分工.控制器的目的是管理传入的请求和会话.模型应该能够回答用户 x 可以对这个对象做 y 吗?"这个问题,但是它引用 current_user 是没有意义的.如果你在控制台呢?如果是运行 cron 作业怎么办?
Like Daniel I'm all for skinny controllers and fat models, but there is also a clear division of responsibilities. The purpose of the controller is to manage the incoming request and session. The model should be able to answer the question "Can user x do y to this object?", but it's nonsensical for it to reference the current_user. What if you are in the console? What if it's a cron job running?
在模型中具有正确权限 API 的许多情况下,这可以通过适用于多个操作的一行 before_filters 来处理.但是,如果事情变得越来越复杂,您可能需要实现一个单独的层(可能在 lib/ 中)来封装更复杂的授权逻辑,以防止您的控制器变得臃肿,并防止您的模型变得过于臃肿与 Web 请求/响应周期紧密耦合.
In many cases with the right permissions API in the model, this can be handled with one-line before_filters that apply to several actions. However if things are getting more complex you may want to implement a separate layer (possibly in lib/) that encapsulates the more complex authorization logic to prevent your controller from becoming bloated, and prevent your model from becoming too tightly coupled to the web request/response cycle.
这篇关于Rails:从 Ruby on Rails 的模型中访问 current_user的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
