Authentication: user login and user permissions

Reference

#19 Where Administration Goes, #20 Restricting Access, #21 Super Simple Authentication: these three episodes form one group on Authentication


#19 Where Administration Goes

    script/generate scaffold episode "admin/episodes"

#Implementing The Admin Links

    <li>
        <p class="episodeId"><%= episode.episode_id %></p>
        <h3><%= link_to episode.title, episode_path(episode.identifier) %></h3>
        <p class="summary"><%= episode.summary %></p>
        <p class="tagList">Tags: <% episode.tags.each do |tag| %> <%= link_to tag.title, tag_path(tag.title) %> <% end %></p>
        <p class="adminActions">
          <%= link_to "Edit", edit_episode_path(episode) %>
          <%= link_to "Destroy", episode_path(episode), :confirm => "Are you sure?", :method => :delete %>
        </p>
    </li>
    <%= link_to "New", new_episode_path %>


#20 Restricting Access

#episodes/index.rhtml
    <% if admin? %>
      <%= link_to 'New Episode', new_episode_path %>
    <% end %>

#controllers/application.rb
    helper_method :admin?   # makes admin? callable from views as well
    protected
    def admin?
      false
    end
    def authorize
      unless admin?
        flash[:error] = "unauthorized access"
        redirect_to home_path
        false   # returning false halts the filter chain in Rails 1.x
      end
    end

#episodes_controller.rb
    before_filter :authorize, :except => :index

#21 Super Simple Authentication


#controllers/application.rb
    def admin?
      session[:password] == 'foobar'   # the submitted password is kept in the session and compared to the hard-coded value
    end

#sessions_controller.rb
    def create
      session[:password] = params[:password]
      flash[:notice] = "Successfully logged in"
      redirect_to home_path
    end
    def destroy
      reset_session
      flash[:notice] = "Successfully logged out"
      redirect_to login_path
    end

#config/routes.rb
    map.resources :sessions, :episodes
    map.home '', :controller => 'episodes', :action => 'index'
    map.login 'login', :controller => 'sessions', :action => 'new'
    map.logout 'logout', :controller => 'sessions', :action => 'destroy'



#119 Session Based Model

First approach

    def create
      ...
      session[:comment_ids] ||= []        # ids of the comments created in this session
      session[:comment_ids] << @comment.id
      ...
    end

Protected content: make sure the edit link is only visible to the session that created the comment

    <% if session[:comment_ids] && session[:comment_ids].include?(comment.id) %>
    ...
    <% end %>

Use the session to protect update as well

    before_filter :authorize, :only => [:edit, :update]   # hiding the link is not enforcement; the filter is
    def update
      ...
    end

    private
    def authorize
      # params[:id] is a String, so convert it before comparing with the stored Integer ids
      unless session[:comment_ids] && session[:comment_ids].include?(params[:id].to_i) # if this is not the case
        ...
      end
    end

 
 
Second approach (create a UserSession model that wraps the raw session)

1. Define user_session.rb

    class UserSession
      def initialize(session)
        @session = session
        @session[:comment_ids] ||= []
      end
      def add_comment(comment)
        @session[:comment_ids] << comment.id
      end
      # both conditions are required: created in this session AND within the 15-minute edit window
      def can_edit_comment?(comment)
        @session[:comment_ids].include?(comment.id) && comment.created_at > 15.minutes.ago
      end
    end

2. application.rb

    private
    def user_session
      @user_session ||= UserSession.new(session)
    end
    helper_method :user_session

3. comment_controller.rb

    def create
      if @comment.save
        user_session.add_comment(@comment)
        ...
      end
    end

    def authorize
      unless user_session.can_edit_comment?(Comment.find(params[:id]))
        ...
      end
    end

    <% if user_session.can_edit_comment? comment %>
      ...
    <% end %>
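The session-based ownership check from #119, as an added example that is not the Railscast's own code: it runs without Rails, using a plain Hash in place of the session and Time arithmetic in place of `15.minutes.ago` (both assumptions), and exercises the outcomes the filter must distinguish, including the String-vs-Integer id mismatch that the `.to_i` in the first approach guards against. The comments and session data are constructed.

```ruby
# Stand-in for the Rails session: a plain Hash (assumption). The controller's
# session object behaves the same for the purposes of this check.
class UserSession
  EDIT_WINDOW = 15 * 60 # seconds; the page uses ActiveSupport's 15.minutes.ago
  def initialize(session, now: Time.now)
    @session = session
    @session[:comment_ids] ||= []
    @now = now # injectable clock so the window edge can be tested without waiting
  end

  def add_comment(comment)
    @session[:comment_ids] << comment[:id]
  end
  # Both conditions are required: created in this session AND still recent.
  def can_edit_comment?(comment)
    @session[:comment_ids].include?(comment[:id]) &&
      comment[:created_at] > @now - EDIT_WINDOW
  end
end

# Stand-in for the before_filter: params[:id] arrives as a String, so it is
# coerced with .to_i before the lookup, as the page's first approach does.
def authorize(user_session, comments, params)
  comment = comments[params[:id].to_i]
  return :not_found unless comment
  user_session.can_edit_comment?(comment) ? :ok : :unauthorized
end

# Constructed sample data: three comments, two created in this session.
def demo(now = Time.now)
  session = {} # fresh visitor, nothing stored yet
  us = UserSession.new(session, now: now)
  comments = {
    1 => { id: 1, created_at: now - 60 },      # ours, 1 minute old
    2 => { id: 2, created_at: now - 60 },      # someone else's
    3 => { id: 3, created_at: now - 20 * 60 }  # ours, but 20 minutes old
  }
  us.add_comment(comments[1])
  us.add_comment(comments[3])
  {
    own_recent: authorize(us, comments, { id: '1' }),
    not_owner: authorize(us, comments, { id: '2' }),
    own_expired: authorize(us, comments, { id: '3' }),
    missing: authorize(us, comments, { id: '99' }),
    # the pitfall the .to_i guards against: a String id never matches Integer ids
    raw_string_lookup: session[:comment_ids].include?('1')
  }
end
```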



