使用Devise时如何构建验证路由? [英] How to structure authenticated routes when using Devise?
问题描述
在我的问题如何当用户没有登录rails时,有根视图?最大答案是,我们可以使用认证的
使路由只在有人通过身份验证后才可用。我有一个问题,我如何构建这个:
Rails.application.routes.draw do
devise_for:用户
身份验证:用户执行
#验证时允许对学生
资源的所有操作:主题
资源:学生
结束
end
#当不仅允许读取学生
资源:科目做
资源:学生,只有:[:get]
end
roothome#index
end
问题是我不想允许在上的任何未经身份验证的操作:主题
如何阻止?
如果要限制对主题的访问,您应该在控制器层(而不是路由)中执行此操作。使用 before_action:authenticate_user!
将给出一个 401未授权的
响应并重定向到登录。
class ApplicationController
#默认安全
before_action:authenticate_user !,除非::devise_controller?
end
class SubjectsController< ApplicationController
#不需要身份验证的白名单操作
skip_before_action:authenticate_user !,只有:[:show,:index]
#...
end
Rails.application.routes.draw做
devise_for:用户
资源:科目做
资源:学生
结束
根home#index
结束
使用经认证的
和未认证的
路由助手在您对同一路由的身份验证和未认证的用户有不同的响应时非常有用,但不是如何构建应用程序。
如果您在路由中使用经过身份验证的
,则未经身份验证的用户将获得404 Not Found响应,而不是提示您登录。 / p>
另外资源:学生,只有:[:get]
不会在al湖只有
选项用于限制操作(显示,索引,编辑,更新...)而不是HTTP方法。使用 rake路线
查看您的应用程序中的路线。
In my question How to have root view when user is not logged in rails? max answered that we can use authenticated
to make routes available only when someone is authenticated. I am having a probem that how can I structure this:
Rails.application.routes.draw do
devise_for :users
authenticated :user do
# when authenticated allow all action on student
resources :subjects do
resources :students
end
end
# when not only allow read on student
resources :subjects do
resources :students, only: [:get]
end
root "home#index"
end
The problem is I don't want to allow any unauthenticated action on :subjects
how to stop that?
If you want to limit access to subjects you should do it on the controller layer - not in the routes. Using before_action :authenticate_user!
will give a 401 Unauthorized
response and redirect to the sign in.
class ApplicationController
# secure by default
before_action :authenticate_user!, unless: :devise_controller?
end
class SubjectsController < ApplicationController
# whitelist actions that should not require authentication
skip_before_action :authenticate_user!, only: [:show, :index]
# ...
end
Rails.application.routes.draw do
devise_for :users
resources :subjects do
resources :students
end
root "home#index"
end
Using the authenticated
and unauthenticated
route helpers are useful when you want the have different responses for the same route for authenticated and unauthenticated users but is not how you should structure your application.
If you simply use authenticated
in your routes unauthenticated users will get a 404 Not Found response instead of being prompted to sign in. Which is not helpful.
Also resources :students, only: [:get]
does not generate any routes at all. The only
option is for limiting the actions (show, index, edit, update ...) not the HTTP method. Use rake routes
to see the routes in your app.
这篇关于使用Devise时如何构建验证路由?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!