安全地添加对 Rails 网站的管理访问权限的最佳方法是什么?
我认为答案是管理员登录,然后检查用户是否有管理员标志,但我也想到了其他一些相关问题。
在与非管理员相同的用户表中拥有管理员标志(attr_protected)是否更好? 或者我应该有一个管理员用户表?
我应该为管理员用户创建一个单独的 Rails 应用程序吗? 这可能有点矫枉过正,因为它们都必须访问相同的数据库(更不用说设置起来可能会很痛苦)。
还有其他建议吗? 现在我只需要保护一两个页面,所以我什至研究了 HTTP 基本或摘要身份验证作为临时措施(受保护的内容实际上并不那么私密/重要)。 但是...我不知道如何实现特定操作的 HTTP 身份验证,我只看到如何实现它以防止目录访问。
任何方向和讨论都会很棒。 我相信其他 Stack Overflow 用户将从这次讨论中受益。
谢谢!
I think the answer is an admin login and then check if the user has an admin flag, but I also thought of some other related questions.
Is it better to have an admin flag (attr_protected) in the same user table as non admins? or should i have an admin users table?
Should I create a separate rails application for the admin users? This might be overkill since they will both have to access the same datbase (not to mention it might be a huge pain to set up).
Any other suggestions? Right now I just need to secure a page or two so I even looked into HTTP basic or digest authentication as a temporary measure (the protected content is actually not THAT private/important). But... I don't know how to implement HTTP auth for specific actions, I have only seen how to implement it to prevent directory access.
Any direction and discussion would be great. I am sure other Stack Overflow users will benefit from this discussion.
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我认为这取决于管理类型。
如果您的管理员对该站点的视图与普通用户的视图相同,但具有额外的权限,那么我会使用管理员标志。 (或者,随着您的需求扩展,一个成熟的角色表。)在这种情况下,每个人都看到相同的内容,但管理员可以访问普通用户无法访问的各种操作(删除?编辑?禁止?等)。
如果您的管理员需要的视图与普通站点有很大不同,我会推荐一个完全独立的 Rails 应用程序来访问相同的数据库。 例如,如果您的“管理员”实际上是要接听电话或处理帐单问题的帮助台员工,那么他们可能对数据库有完全不同的视图(也许还有编辑数据的方法),而这些视图在常规应用程序。
拥有多个站点的缺点是模型(验证、关联等)可能不同步。 拥有单个站点的缺点是,您最终可能会在站点先前易于理解的部分中插入各种丑陋的“if-admin”代码。 哪个问题更容易处理取决于您的要求。
I think it depends on the type of administration.
If the view your administrators will have of the site is the same as a normal user's, but with additional privileges, I would go with an admin flag. (Or, as your needs expand, a full-fledged roles table.) This is a situation where everybody sees the same stuff, but administrators have access to various actions (delete? edit? ban? etc.) that normal users do not.
If the view your administrators need is wildly different than the normal site, I would recommend a completely separate Rails app that accesses the same database. For example, if your "administrators" are really help desk employees that are going to answer phone calls or deal with billing questions, they may have completely different views of the database (and perhaps ways to edit the data) that aren't available in the regular application.
The disadvantage to having multiple sites is that it is possible to have models (validations, associations, etc.) get out of sync. The disadvantage to having a single site is that you may end up inserting all sorts of ugly "if-admin" code in previously easy-to-understand portions of your site. Which problem is easier to handle depends on your requirements.
Ryan Bates 关于这个主题有一个很棒的由三部分组成的 Railscast 系列,应该会给您一些思考的空间:
另外还有三种采用不同身份验证技术的 Railscast:
Ryan Bates has a great three part series of Railscasts on this topic which should give you some food for thought:
There are also three Railscasts on different authentication techniques:
为此,我使用 restful_authentication 插件。 限制对任何控制器或任何方法的访问非常简单。 在控制器中的示例中添加此功能:
或者
我定义了管理员? 我的用户模型中的方法。 我也创建了更新? 并创造? 检查调用了哪个操作的方法。 在restful_authentication中授权? 访问控制器时始终运行该方法。
我会将所有内容放在一个应用程序和一张表中(不创建用户和管理表)。 您可以通过仅允许为现有管理员用户设置此值来保护用户控制器中的管理员标志。
I'm using restful_authentication plugin for this purpose. And it is very simple to restrict access to any controller or any method. On example in controller add this function:
or
I defined admin? method in my User model. I also created update? and create? methods that check which action was called. In restful_authentication authorized? method is always run when accessing controller.
I would put everything in one application and in one table (don't create users and admin table). You can secure admin flag in your users controller by allowing to set this value only for existing admin users.