Devise in Rails 3.1.1: adding an admin user via seeds?
I have a sample Rails 3.1.1 application in which I have set up Devise to manage the user accounts etc.
I ran the following steps to add an admin attribute to the user table:
    $ rails generate migration add_admin_to_user admin:boolean
Added the following to my migration:

    class AddAdminToUser < ActiveRecord::Migration
      def self.up
        # boolean column, defaults to false for every existing and new row
        add_column :users, :admin, :boolean, :default => false
      end

      def self.down
        remove_column :users, :admin
      end
    end
I then ran db:migrate and added the following to my layout file:

    <% if current_user.admin? %>
      You are ADMIN.
    <% end %>
Then, to add the first admin user I used the following seed file:

    puts 'SETTING UP DEFAULT USER LOGIN'
    user = User.create! :name => 'Test User', :email => '[email protected]',
                        :password => 'password', :password_confirmation => 'password'
    puts 'New user created: ' << user.name
That worked, so I then adapted it with the admin field:

    puts 'SETTING UP DEFAULT USER LOGIN'
    user = User.create! :name => 'Test User', :email => '[email protected]',
                        :password => 'password', :password_confirmation => 'password',
                        :admin => 'true'
    puts 'New user created: ' << user.name
The above seed file worked, but the admin flag isn't being shown.
Have I missed something?
Update: model/user.rb

    class User < ActiveRecord::Base
      # Include default devise modules. Others available are:
      # :token_authenticatable, :encryptable, :confirmable, :lockable, :timeoutable and :omniauthable
      devise :database_authenticatable, :registerable,
             :recoverable, :rememberable, :trackable, :validatable

      # Setup accessible (or protected) attributes for your model
      attr_accessible :name, :email, :password, :password_confirmation, :remember_me
    end
Comments (2)
Don't add admin to attr_accessible. This could lead to a major security breach. A malicious user could send a PUT request as follows:
which would grant the user with id 17 admin privileges. The whole point of attr_accessible is to define which attributes are accessible to your model. This one in particular is probably not one you want available.
Instead, I suggest that you create your sample user with a rake file. Place a file (user_data.rake) in lib/tasks with the following and it should do the trick.
This defines a task db:populate and should be all you need for creating your sample user.
Having already done a db:migrate, just run db:reset, db:populate.
Note the admin.toggle!. That is where the magic happens.
The toggle method should be used with caution since it bypasses callbacks and validations you have defined for your model. In the case I've mentioned, since you are using it from a rake task manually there is no risk that it could be used maliciously in mass-assignment. You can find more information on the toggle method here: http://apidock.com/rails/ActiveRecord/Base/toggle
I agree don't add :admin to attr_accessible, that advice was crazy.
As for saneshark, why create a task when that is the purpose of seed? Just put the toggle inside your db/migrate/seeds.rb file.
In your seed file change:
to:
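Both answers turn on the same mechanism: attr_accessible whitelists what mass assignment (create!, update_attributes, a params hash from a PUT) may write, and every other key is silently dropped. That is why the question's `:admin => 'true'` never reached the row, and why flipping the flag explicitly with toggle! from a seed file or rake task works while keeping admin out of reach of request parameters. The following is an added, dependency-free Ruby sketch that is not code from the question or either answer: ProtectedModel, UnsafeUser, the cast helper and the user@example.com address are constructed for the example, and Rails itself is not loaded.

```ruby
require 'set'

# Minimal stand-in for ActiveRecord's attr_accessible whitelist (constructed
# for this example; Rails is not loaded). Mass assignment goes through
# assign_attributes, which drops any key not on the whitelist, just as
# Rails 3.1 does by default (it logs a warning and continues).
class ProtectedModel
  def self.attr_accessible(*names)
    @accessible = Set.new(names.map(&:to_s))
  end

  def self.accessible_attributes
    @accessible || Set.new
  end

  def self.create!(attrs = {})
    new(attrs)
  end

  attr_reader :attributes, :dropped

  def initialize(attrs = {})
    @attributes = { 'admin' => false } # column default from the migration
    @dropped = []                      # keys mass assignment refused
    assign_attributes(attrs)
  end

  def assign_attributes(attrs)
    attrs.each do |key, value|
      key = key.to_s
      if self.class.accessible_attributes.include?(key)
        @attributes[key] = cast(key, value)
      else
        @dropped << key
      end
    end
    self
  end

  # An explicit writer is not mass assignment, so the whitelist does not
  # apply: this is what a seed file or rake task relies on.
  def admin=(value)
    @attributes['admin'] = cast('admin', value)
  end

  # toggle! flips a boolean column in place, skipping validations/callbacks.
  def toggle!(name)
    @attributes[name.to_s] = !@attributes[name.to_s]
    self
  end

  def admin?
    @attributes['admin'] == true
  end

  private

  # Boolean-column casting as ActiveRecord would do it for the admin column.
  def cast(key, value)
    return value unless key == 'admin'
    %w[true t 1].include?(value.to_s.downcase)
  end
end

# Mirrors the model in the question: admin is deliberately not accessible.
class User < ProtectedModel
  attr_accessible :name, :email, :password, :password_confirmation, :remember_me
end

# Counter-example: the configuration the first answer warns against.
class UnsafeUser < ProtectedModel
  attr_accessible :name, :email, :password, :password_confirmation, :remember_me, :admin
end

# Constructed seed data (not the address from the post).
SEED = { :name => 'Test User', :email => 'user@example.com',
         :password => 'password', :password_confirmation => 'password' }

# The question's seed: admin rides along in mass assignment and is dropped.
def seed_via_mass_assignment
  User.create!(SEED.merge(:admin => 'true'))
end

# The second answer's seed: create, then flip the flag explicitly.
def seed_with_toggle
  User.create!(SEED).toggle!(:admin)
end

# What a controller's update action would do with a request's params hash.
def update_from_params(user, params)
  user.assign_attributes(params)
end

if __FILE__ == $0
  u = seed_via_mass_assignment
  puts "seed with :admin => 'true': admin? #{u.admin?}, dropped #{u.dropped.inspect}"
  puts "seed with toggle!: admin? #{seed_with_toggle.admin?}"
  tampered = { 'name' => 'Test User', 'admin' => '1' }
  puts "User from tampered params: admin? #{update_from_params(User.create!(SEED), tampered).admin?}"
  puts "UnsafeUser from tampered params: admin? #{update_from_params(UnsafeUser.create!(SEED), tampered).admin?}"
end
```

Run it and the first line shows the question's symptom (admin? false, with 'admin' listed as dropped), the second shows the toggle! seed producing admin? true, and the last two show why the whitelist matters: the same tampered params hash leaves a User untouched but makes an UnsafeUser an admin. In a real Rails 3.1 app the dropped key only produces a "Can't mass-assign protected attributes: admin" line in the log; setting config.active_record.mass_assignment_sanitizer = :strict makes it raise instead, which would have surfaced the problem the first time the seed ran.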