使用 Pundit 的各种角色的索引视图限制 [英] Index View Restrictions for Various Roles using Pundit

问题描述

我正在尝试为三个角色创建一个节目视图.管理员、超级用户和用户.管理员应该看到所有用户.超级用户应该只看到用户，而用户不应该看到任何人.当我在 else user.super_user? 的解析中使用注释掉的策略方法时，会给我 unsupported: TrueClass 错误.欢迎提出任何建议.

I'm trying to create a show view for three roles. Admin, super user, and user. An admin should see all of the users. A super user should see only users and a user should not see anyone. When I used the commented out policy method in the resolve for else user.super_user? would give me unsupported: TrueClass error. Any suggestions are welcomed.

用户控制器

def index
  @users = policy_scope(User)
  authorize User
end

用户政策

class UserPolicy
 attr_reader :current_user, :model

 def initialize(current_user, model)
   @current_user = current_user
   @user = model
 end

 class Scope
   attr_reader :user, :scope

   def initialize(user, scope)
      @user = user
      @scope = scope
   end

   def resolve
     if user.admin?
       scope.all
     else user.super_user?
       scope.where(user.role = 'user' )
       # scope.where(user.role != 'admin') [this would not work in the views, but it would work in rails c]
       end
     end
   end

  def index?
    @current_user.admin? or @current_user.super_user?
  end
end

更新 用户控制器

class UsersController < ApplicationController
  before_filter :authenticate_user!
  after_action :verify_authorized

  def index
    @users = policy_scope(User)
  end
end

<小时>

正确答案

我想出了我需要做什么.我错误地调用了这个角色.更新范围如下.

I figured out what I needed to do. I was calling the role incorrectly. Updated scope below.

class UserPolicy
  attr_reader :current_user, :model

  def initialize(current_user, model)
    @current_user = current_user
    @user = model
  end

  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
       @user = user
       @scope = scope
    end

    def resolve
      if user.admin?
        scope.all
      else user.super_user?
        scope.where(role: 'user' )
      end
    end
  end

  def index?
    @current_user.admin? or @current_user.super_user?
  end

控制器

class UsersController < ApplicationController
  before_filter :authenticate_user!
  after_action :verify_authorized

  def index
    @users = policy_scope(User)
    authorize @users
  end

推荐答案

你的解析方法应该使用 elsif:

Your resolve method should use elsif:

# Safer option
def resolve
   if user.admin?
     scope.all
   elsif user.super_user?
     scope.where(user.role = 'user' )
   else
     scope.none
   end
end

或者根本不检查超级用户，只依赖在使用结果之前检查用户的授权:

or not check for the super user at all and just depend on checking the authorization of the user before the result is used:

# This option is the same as the code you added to your question
# but doesn't include the unnecessary check
def resolve
   if user.admin?
     scope.all
   else
     scope.where(user.role = 'user' )
   end
end

更新以处理不是管理员或超级用户的情况

updated to deal with the case of not being an admin or super user

这篇关于使用 Pundit 的各种角色的索引视图限制的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！