Pundit: auhorize Index in nested resources

风流意气都作罢 提交于 2019-12-21 20:27:36

问题


Using Rails 4.2.4 with Devise (3.5.2) and Pundit (1.0.1). Decent_exposure (2.3.2).

I have a simple nested associaton for User and Idea:

class User < ActiveRecord::Base
has_many :ideas
...

class Idea < ActiveRecord::Base
belongs_to :user
...

In routes.rb

devise_for :users

resources :users do
  resources :ideas
end

Then I am simply trying to disallow access to users/1/ideas if current_user is not the owner of the Ideas (in this example, if current_user.id != 1). I can not figure out how to do it. I am able to show just the current_user Ideas in the Index view with:

[Ideas controller]

def show
  authorize idea
end

[Idea policy]

def show?
  @current_user == @idea.user
end

But how can I prevent a user to simply navigate to other user's Idea index page? I guess that in Ideas controller I should use something like:

def index
  authorize user
end

But then what? How can I send to the User Policy the info regarding the Idea collection? Or should I authorize via the Idea Policy itself?


回答1:


Duplicating my response on GitHub here because this gets more traffic.


One way is to create a stub Idea owned by the user to authorize against.

def index
  @user = User::find(params[:user_id])
  idea  = Idea.new(user_id: @user.id)

  authorize idea

  # ...
end

and an index? method in your IdeaPolicy

def index?
  record.user_id = user.id
end

Another way is to change what you're authorizing against. Instead of authorizing against Idea, authorize against the User.

def index
  @user = User::find(params[:user_id])

  authorize @user, :show_ideas?

  # ...
end

and create a new show_ideas? method on your UserPolicy

def show_ideas?
  user.id == record.id
end


来源:https://stackoverflow.com/questions/33303718/pundit-auhorize-index-in-nested-resources

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!