拒绝 Rails 应用程序中的访客访问
我想完全锁定 Rails 应用程序,以便拒绝特定用户角色明确授权的所有路由 (403)。
我继承了这个应用程序,所以我对框架的理解很差,但目前看来我有相反的情况:一切都是开放的,除非我明确关闭它。
我有一个authorization_rules.rb 文件,并且我已授予来宾角色no 权限,但我仍然可以在不登录的情况下访问页面。我想我可以逐页进入并确保页面需要授权(filter_access_to?),但我可能会错过一个。我怎样才能关闭所有内容,然后仅在我明确允许的地方开放访问?
这是使用 Rails 2.3.5。
I want to completely lock down a Rails application, such that all routes which are not explicitly authorized for a particular user role are rejected (403).
I inherited this app, so my understanding of the framework is poor, but it currently seems like I have opposite: everything's open unless I explicitly close it.
I have an authorization_rules.rb file, and I've given the guest role no permissions, yet I can still access pages without being logged in. I think I can go in page by page and make sure a page requires authorization (filter_access_to ?), but I might miss one. How can I just shut everything down, then open access only where I explicitly allow it?
This is using Rails 2.3.5.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
![扫码二维码加入Web技术交流群](/public/img/jiaqun_03.jpg)
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
假设应用程序使用
before_filter
来限制访问,您可以在应用程序控制器中移动 before 过滤器,并针对各个控制器中的特定操作跳过它:Assuming the app uses
before_filter
to restrict access, you can move the before filter in application controller and skip it for particular actions in individual controllers: