引用
# 19 Where Administration Goes, #20 Restricting Access, #21 Super Simple Authentication 以上三篇构成一组 Authentication
# 19 Where Administration Goes
# Rails scaffold generator as run in episode 19; the quoted "admin/episodes" argument is presumably the namespaced controller path -- confirm against the generated files.
script/generate scaffold episode "admin/episodes"
#Implementing The Admin Links
<%# One episode entry from the index view. The Edit/Destroy links are rendered for every visitor here; what actually keeps a non-admin out of edit/update/destroy is the controller's before_filter :authorize (episodes_controller.rb), not this view. %>
<li>
<p class="episodeId"><%= episode.episode_id %></p>
<h3><%= link_to episode.title, episode_path(episode.identifier) %></h3>
<p class="summary"><%= episode.summary %></p>
<p class="tagList">Tags: <% episode.tags.each do |tag| %> <%= link_to tag.title, tag_path(tag.title) %> <% end %></p>
<%# In this Rails version :method => :delete is implemented with JavaScript; without it the link degrades to a plain GET of episode_path, i.e. the show route, so destroy itself is never reachable by GET via map.resources. %>
<p class="adminActions">
<%= link_to "Edit", edit_episode_path(episode) %>
<%= link_to "Destroy", episode_path(episode), :confirm => "Are you sure?", :method => :delete %>
</p>
</li>
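<%# "New" link to the create form. The notes used curly quotes (“New”), which are not valid Ruby string delimiters and raise a SyntaxError when the template is compiled; plain double quotes are required. %>
<%= link_to "New", new_episode_path %>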
#20 Restricting Access
#episodes/index.rhtml
<%# Show the "New Episode" link to admins only; admin? is exposed to views through helper_method in application.rb. Hiding the link is cosmetic -- the new/create actions are guarded separately by before_filter :authorize in the controller. %>
<% if admin? %>
<%= link_to 'New Episode', new_episode_path %>
<% end %>
#controllers/application.rb
# Make admin? callable from views as well as from controllers.
helper_method :admin?
# Methods below are protected: usable by subclasses and as filters, but not routable as actions.
protected
# Stand-in admin check for episode 20: nobody is an admin yet.
# Episode 21 (further down in these notes) replaces it with a session-based check.
#
# @return [false] unconditionally
def admin?
  false
end
# Before-filter: let admins through; otherwise flash an error and send the
# visitor to home_path.
#
# @return [nil] when the caller is an admin (the filter chain continues)
# @return [false] after redirecting a non-admin. In Rails 2 the redirect itself
#   halts the chain; the explicit false presumably keeps pre-2.0 filter
#   semantics working -- confirm against the app's Rails version.
def authorize
  return if admin?

  flash[:error] = "unauthorized access"
  redirect_to home_path
  false
end
#episodes_controller.rb
# :except => :index means every other action -- show included, not only
# new/create/edit/update/destroy -- requires admin?; a non-admin following the
# episode_path link from the index is redirected away by authorize.
before_filter :authorize, :except => :index
#21 Super Simple Authentication
#controllers/application.rb
# Episode 21 replacement for the stub: the visitor is an admin when the
# password kept in the session equals the literal 'foobar'.
#
# Security note: session[:password] holds the raw value the login form posted
# (sessions_controller#create) and is compared here with == against a constant
# that lives in source code. If the app uses Rails 2's cookie-based session
# store, that value travels in a signed but not encrypted cookie. Keeping an
# "authenticated" flag in the session instead of the password, and comparing
# against something not hard-coded in the controller, is the usual hardening
# -- confirm which session store the environment config selects.
#
# @return [Boolean]
def admin?
  stored = session[:password]
  stored == 'foobar'
end
#sessions_controller.rb
# Login: remember whatever password was posted and go home.
# No check happens here -- any value is accepted into the session; whether it
# grants access is decided on each later request by admin? (application.rb).
def create
  flash[:notice] = "Successfully logged in"
  session[:password] = params[:password]
  redirect_to home_path
end
# Logout: throw the whole session away and send the visitor to the login form.
def destroy
  # reset_session discards the entire session (and its id), not only
  # :password, so nothing from the old session survives the logout.
  reset_session
  flash[:notice] = "Successfully logged out"
  redirect_to login_path
end
#config/routes.rb
# Rails 2 route map for episodes 19-21.
map.resources :sessions, :episodes
# Named routes the controllers use: home_path (episodes#index), login_path (sessions#new), logout_path (sessions#destroy).
# Note: map.logout declares no :conditions, so logout answers any verb; a plain link to logout_path logs the visitor out with a GET, unlike the DELETE /sessions/:id that map.resources provides.
map.home '', :controller => 'episodes', :action => 'index'
map.login 'login', :controller => 'sessions', :action => 'new'
map.logout 'logout', :controller => 'sessions', :action => 'destroy'
#119-session-based-model
第一种方法
# Episode 119, approach 1: remember the ids of the comments this session created.
def create
...
# Lazily start the list, then append the new comment's id so later edit/update
# checks can recognise it. The list only ever grows within a session -- with a
# cookie-based store that is presumably bounded by the cookie size limit; confirm.
session[:comment_ids] ||= []
session[:comment_ids] << @comment.id
...
end
保护的内容,确保只有当前的用户 session,对 edit 可见
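<%# Show the edit controls only for comments this session created. The notes spelled the first key session[:commnet_ids] (typo), which is always nil, so the guard could never be true; both reads must use :comment_ids. %>
<% if session[:comment_ids] && session[:comment_ids].include?(comment.id) %>
...
<% end %>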
用session对 update 进行保护
# Only edit and update run the ownership check; every other action is unfiltered here.
before_filter :authorize, :only => [:edit, :update]
# Body elided in the notes; reachable only after the authorize filter above passes.
def update
。。。
end
# authorize below is private: it runs as a filter but is not routable as an action.
private
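# Ownership check for edit/update: the requested comment id must be one this
# session created (see create above).
#
# Fix vs. the notes: `params[:id]。to_i` used a full-width ideographic full stop
# and does not parse; it must be `.to_i`. params[:id] is user input -- to_i maps
# anything non-numeric to 0, which cannot match a created comment assuming
# auto-increment ids start at 1.
def authorize
  unless session[:comment_ids] && session[:comment_ids].include?(params[:id].to_i) # i.e. not one of this session's comments
    # ... (flash / redirect omitted in the notes)
  end
end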
第二种方法(创建一个model user_session,对原session进行封装)
1、定义user_session.rb
# Episode 119, approach 2: a small model wrapping the Rails session so the
# controllers and views never touch session[:comment_ids] directly.
class UserSession
  # @param session [Hash-like] the Rails session; a :comment_ids list is created on first use
  def initialize(session)
    @session = session
    @session[:comment_ids] ||= []
  end

  # Record that this session created +comment+.
  # @param comment [#id]
  def add_comment(comment)
    comment_ids << comment.id
  end

  # A comment is editable only if this session created it AND it is younger
  # than 15 minutes; the time limit bounds how long a remembered id stays useful.
  # @param comment [#id, #created_at]
  # @return [Boolean]
  def can_edit_comment?(comment)
    return false unless comment_ids.include?(comment.id)

    comment.created_at > 15.minutes.ago
  end

  private

  # The list of ids created in this session (always present after initialize).
  def comment_ids
    @session[:comment_ids]
  end
end
2、application.rb
# user_session below is private to the controller; views get it via helper_method.
private
# Memoised per-request wrapper around the Rails session.
# @return [UserSession]
def user_session
  return @user_session if @user_session

  @user_session = UserSession.new(session)
end
# Expose the wrapper to views (used by the can_edit_comment? guard in the template).
helper_method :user_session
3、comment_controller.rb
# Approach 2: register the new comment with the session wrapper instead of
# writing session[:comment_ids] directly. @comment is built elsewhere (not in the notes).
def create
if @comment.save
user_session.add_comment(@comment)
。。。
end
end
# Approach 2 ownership check. Comment.find raises ActiveRecord::RecordNotFound
# for an unknown id (rendered as a 404 by Rails) before can_edit_comment? runs;
# the session membership and the 15-minute window are both enforced inside UserSession.
def authorize
unless user_session.can_edit_comment?(Comment.find(params[:id]))
。。。
end
end
<%# View-side guard using the same wrapper as the controller filter, so the link and the action cannot disagree about who may edit. %>
<% if user_session.can_edit_comment? comment %>
。。。
<% end %>