Rails 4 设计强参数管理模型 [英] Rails 4 Devise Strong Parameters Admin Model

问题描述

我使用 devise 创建了一个用户和管理员模型.我在 app/controllers/application_controller.rb 文件

I have made a user and admin model using devise. I have used strong parameters in the app/controllers/application_controller.rb file

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:username, :email, :password, :password_confirmation, :remember_me) }
    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:login, :password, :remember_me) }
  end

end

如何将管理员模型列入白名单?

How do I whitelist the admin model?

devise_parameter_sanitizer.for(:sign_in) { |a| a.permit(:login, :password, :remember_me) }

另外，我如何将管理员 sign_up 列入白名单，以便不会向其中传递任何变量?我的猜测是

Also how do I whitelist the admin sign_up so that no variables may be passed into it? My guess is

devise_parameter_sanitizer.for(:sign_up) { |a| a.permit()}

UPDATE

我想编辑我的问题.

我的问题是如何让管理员模型自动将我的管理员注册页面列入黑名单?如果我什么都不留下，那么我仍然可以通过 "admins/sign_up" 进行注册.当然我可以删除 "app/models/admin.rb" 中的 :regisitrations，但我想拒绝命令行注册

My question is how do I get the admin model to automatically blacklist my admin sign up page? If I simply leave nothing then I can still sign up through the "admins/sign_up". Sure I can delete the :regisitrations within the "app/models/admin.rb", but I would like to deny command line sign ups

--使用作用域视图并为管理员和用户模型专门定义每个视图是否明智?--

--Would it be wise to use scoped views and specifically define each view for the admin and user models?--

推荐答案

如果您为用户和管理员设置了单独的控制器，请尝试以下操作:

If you have separate controllers for users and admins then try something like this:

def configure_permitted_parameters
  if params[:controller] == "user"
    devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:username, :email, :password, :password_confirmation, :remember_me) }
    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:login, :password, :remember_me) }
  else
    devise_parameter_sanitizer.for(:sign_in) { |a| a.permit(:login, :password, :remember_me) }
    devise_parameter_sanitizer.for(:sign_up) { |a| a.permit()}

还有另一种方法，只为用户和管理员创建一个控制器，名为 registrations_controller.rb，在用户表中有一个名为 is_admin 的字段，并仅在他/她是管理员时为用户设置它.在您的seeds.rb 文件中创建一个种子以使您的管理员像这样:

and there's another approach to it as well, create only one controller for both users and admin, named registrations_controller.rb, have a field in your users table named is_admin and set it for a user only if he/she is a admin. Create a seed to make your admins like this in your seeds.rb file:

admin_user = User.new(email: "abc@xyz.com", password: "123", password_confirmation: "123", is_admin: "true" )
admin_user.skip_confirmation!
admin_user.save

这篇关于Rails 4 设计强参数管理模型的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！