使用Devise时如何构建验证路由？ [英] How to structure authenticated routes when using Devise?

问题描述

在我的问题如何当用户没有登录rails时，有根视图？最大答案是，我们可以使用认证的使路由只在有人通过身份验证后才可用。我有一个问题，我如何构建这个：

  Rails.application.routes.draw do 
 devise_for：用户
 
 
身份验证：用户执行
＃验证时允许对学生
资源的所有操作：主题
资源：学生
结束
 end 
 
＃当不仅允许读取学生
资源：科目做
资源：学生，只有：[：get] 
 end 
 
 roothome＃index
 end 
  

问题是我不想允许在上的任何未经身份验证的操作：主题如何阻止？

解决方案

如果要限制对主题的访问，您应该在控制器层（而不是路由）中执行此操作。使用 before_action：authenticate_user！将给出一个 401未授权的响应并重定向到登录。

  class ApplicationController 
＃默认安全
 before_action：authenticate_user !,除非：：devise_controller？ 
 end 
 
 class SubjectsController< ApplicationController 
＃不需要身份验证的白名单操作
 skip_before_action：authenticate_user !,只有：[：show，：index] 
＃... 
 end 
  





---

  Rails.application.routes.draw做
 devise_for：用户
 
资源：科目做
资源：学生
结束
 
根home＃index
结束
  

使用经认证的 和未认证的路由助手在您对同一路由的身份验证和未认证的用户有不同的响应时非常有用，但不是如何构建应用程序。

如果您在路由中使用经过身份验证的，则未经身份验证的用户将获得404 Not Found响应，而不是提示您登录。 / p>

另外资源：学生，只有：[：get] 不会在al湖只有选项用于限制操作（显示，索引，编辑，更新...）而不是HTTP方法。使用 rake路线查看您的应用程序中的路线。

In my question How to have root view when user is not logged in rails? max answered that we can use authenticated to make routes available only when someone is authenticated. I am having a probem that how can I structure this:

Rails.application.routes.draw do
  devise_for :users


  authenticated :user do
    # when authenticated allow all action on student
    resources :subjects do 
      resources :students
    end
  end

  # when not only allow read on student
  resources :subjects do 
    resources :students, only: [:get]
  end

  root "home#index"
end

The problem is I don't want to allow any unauthenticated action on :subjects how to stop that?

解决方案

If you want to limit access to subjects you should do it on the controller layer - not in the routes. Using before_action :authenticate_user! will give a 401 Unauthorized response and redirect to the sign in.

class ApplicationController
  # secure by default
  before_action :authenticate_user!, unless: :devise_controller?
end

class SubjectsController < ApplicationController
  # whitelist actions that should not require authentication
  skip_before_action :authenticate_user!, only: [:show, :index]
  # ...
end

---

Rails.application.routes.draw do
  devise_for :users

  resources :subjects do 
    resources :students
  end

  root "home#index"
end

Using the authenticated and unauthenticated route helpers are useful when you want the have different responses for the same route for authenticated and unauthenticated users but is not how you should structure your application.

If you simply use authenticated in your routes unauthenticated users will get a 404 Not Found response instead of being prompted to sign in. Which is not helpful.

Also resources :students, only: [:get] does not generate any routes at all. The onlyoption is for limiting the actions (show, index, edit, update ...) not the HTTP method. Use rake routes to see the routes in your app.

这篇关于使用Devise时如何构建验证路由？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！