pundit

Securely Display an Image Uploaded with paperclip gem

北战南征 submitted on 2020-01-01 05:37:07
Question: By default, the paperclip gem stores all attachments within the public directory. I did not want to store the attachments within the public directory for security reasons, so I saved them within an uploads directory at the root of the app: class Post < ActiveRecord::Base belongs_to :user has_attached_file :some_image, path: ":rails_root/uploads/:attachment/:id/:style/:filename" do_not_validate_attachment_file_type :some_image end I did not specify the url option because I do not want a url

How to get Active Admin to work with Pundit after login

爱⌒轻易说出口 submitted on 2019-12-30 09:47:09
Question: I've added the configuration for the pundit authorization adapter to my application: config.authorization_adapter = ActiveAdmin::PunditAdapter When I log in with the admin@example.com credentials I'm getting this error. Pundit::NotDefinedError in Admin::Dashboard#index unable to find policy AdminUserPolicy Extracted source (around line #2): insert_tag active_admin_application.view_factory["page"] so I created these files in my policies/active_admin folder adminuser_policy.rb module ActiveAdmin class

Pundit : how to handle multiple error codes for one unauthorized action?

99封情书 submitted on 2019-12-25 01:39:32
Question: I use pundit to handle my API policies. I have an item show that can be forbidden to a user in some cases, and in other cases just restricted. By restricted I mean it's forbidden now, but if he pays he could access it then. So I need my API to respond with a specific code ( 402 Payment Required ) so the client can invite the user to pay in order to unlock the show. This is my current code; it only responds with 403 when pundit returns false. Where would it be best to implement a condition to

pundit policies with namespaces

ε祈祈猫儿з submitted on 2019-12-24 02:33:28
Question: I have a Question model in my application. app/models/question.rb class Question < ActiveRecord::Base ... end I'm using the 'pundit' gem for authorization. There are two controllers to do some changes in questions: one for registered users, one for admin. I'm trying to create separate policies for the controllers. app/controllers/questions_controller.rb class QuestionsController < ApplicationController ... end app/policies/question_policy.rb class QuestionPolicy < ApplicationPolicy ... end app

Pundit: authorize Index in nested resources

风流意气都作罢 submitted on 2019-12-21 20:27:36
Question: Using Rails 4.2.4 with Devise (3.5.2) and Pundit (1.0.1). Decent_exposure (2.3.2). I have a simple nested association for User and Idea: class User < ActiveRecord::Base has_many :ideas ... class Idea < ActiveRecord::Base belongs_to :user ... In routes.rb devise_for :users resources :users do resources :ideas end Then I am simply trying to disallow access to users/1/ideas if current_user is not the owner of the Ideas (in this example, if current_user.id != 1). I cannot figure out how to do it.

Rails_admin and pundit: undefined method `policy' for #<RailsAdmin::MainController

蓝咒 submitted on 2019-12-21 17:44:39
Question: I'm on Rails 5 and I'm trying to implement authorization with pundit for my rails_admin panel. So I included pundit in my application controller and installed the rails_admin_pundit gem, as you can see in this snippet of my Gemfile: gem 'devise' gem 'devise-i18n' gem 'rails_admin', '~> 1.0' gem 'rails_admin-i18n' gem 'rails_admin_tag_list', github: 'kryzhovnik/rails_admin_tag_list' gem 'pundit' gem "rails_admin_pundit", :github => "sudosu/rails_admin_pundit" The application policy: class

Why are `scope`-oriented actions (particularly `index` actions) treated differently in Pundit?

蓝咒 submitted on 2019-12-21 04:11:24
Question: I am writing with respect to https://github.com/elabs/pundit#scopes I am under the impression that authorization should answer the question "Are you allowed access to this resource?", i.e. a true / false answer. This is the case with all actions except index, which, according to Pundit's docs, should return different ActiveRecord::Relations depending on who is asking. For example, an admin gets scope.all, while a regular user gets scope.where(:published => true). app/policies/post_policy

Rails 4 - Pundit, Scopes: Getting Started

痞子三分冷 submitted on 2019-12-12 10:14:59
Question: I am really struggling in my efforts over the past 2+ years to try to learn how to use pundit. I am trying to write scoped policies, so that different users can receive objects based on the scope class that they fit into. I have asked several questions on the same topic previously, but I'm not getting any closer to a solution. My recent questions are: here, here, here, here, here and here. There are several others, but these give the general picture, that I am struggling with the fundamentals

Rails Pundit mini test assert_response Pundit::NotAuthorizedError

妖精的绣舞 submitted on 2019-12-12 04:28:08
Question: I am using Rails 5 API and Pundit, and all is going well. I am trying to test this specific case where, if you're not the resource owner, you should not be able to view that user's info. So I have a few user fixture sample records; Sarah and Jim are two of them. I have this test case here: test "user show - cannot show other user's info" do get user_path(@sarah), headers: user_authenticated_header(@jim) assert_raises(Pundit::NotAuthorizedError) end I ran my tests, and all the other ones passed, except this

Can you disable Pundit with Devise and Active Admin?

百般思念 submitted on 2019-12-12 02:28:00
Question: I have an existing Rails app that has Devise / Pundit running on the User model. I have followed: How to get Active Admin to work with Pundit after login https://gist.github.com/tomchentw/8579571 I don't need authorization right now; Devise for authentication will do. Can I just "turn off" Pundit for Active Admin? UPDATE This is a super monkey patch: after_action :verify_policy_scoped, only: [:index] if controller_path.split('/').first == "admin" It works, but I don't think it's ideal. Answer 1: